Jump to content

Recommended Posts

I ran a complete scan this morning with MBAM premium.  I have attached a screenshot of the settings I used for the Custom Scan.  The results of the scan flagged malware in Wordpad.exe.  I have attached a screenshot of these results.  The results did not list the entire name of the Trojan, but only listed Trojan.Pass....  I did a search and find that this might be a password stealer.  I quarantined the file.  Before doing so however, I uploaded the file to Virus Total and every AV, including MBAM, said it was clean!  I have attached the Virus Total report in PDF format.   Could some kind soul please advise me as to whether or not this is a false positive?  Thanks in advance for your expert help. 

MBAMScanSettings.PNG

MBAMResults.PNG

VirusTotal.pdf

Link to post
Share on other sites

22 minutes ago, Bosworth said:

Hello dear Chloe!

If it detects as a trojan its probably false positive.

Or it might be a trojan if you haven't downloaded that program from official site of the creators.

I am the original poster/topic starter.  I did not DL WordPad from anywhere else.  The last time I did a full scan, this malware flag did not show up.  I have not added WordPad to my system since then.  Guess this is a false positive.  However, I wanted to post here so MBAM will know that this issue exists & to possibly assist others who might have encountered the same. 

Link to post
Share on other sites

Just now, Bosworth said:

So are you trying to say it just downloaded by itself?

Absolutely not!  I am just saying that since my last full MBAM scan in which this trojan did not show up , I have not downloaded WordPad.  It has always been on my device.  This morning, I did a full MBAM scan & this trojan showed up. 

Link to post
Share on other sites

It appears to be a false positive. Today we got nine detections during the daily scan on our endpoints. Interesting that the detection of wordpad.exe as "Trojan.PasswordStealer" by Malwarebytes involved endpoints having different versions of Windows 10 (it was detected on 1703, 1709, and 1803). The version of the file seems to be same in all three versions, same date stamp. I checked file consistency with both DISM and SFC and the tools found no corruption. Scanning the files with Bitdefender, Zemana, and Hitman Pro didn't result in any detection. As well, we checked the files with various sandboxes and malware analysis tools and most didn't find anything malicious. To note that both ViCheck and one hash from MBA detection copied to VT found the entry suspicious and malicious respectively.

 

Spoiler

wordpaddetection2.thumb.png.67617e0745a123b1d8045246934eda3c.png

wordpaddetection.png.3b5a80438d8730c7edd369524a2b5650.png

wordpaddetection3.thumb.png.ac227f2484bb1381ee03c2a2585df95f.png

 

 

 

Link to post
Share on other sites

23 minutes ago, Atribune said:

Hey All,

This was indeed a false positive and has been fixed since 2:25pm EST today.

Sorry for the inconvenience.

 

Good to know it was a FP, thanks for the fix.

MBAM Premium also detected a Wordpad.exe located in C:\Windows in addition to the one in C:\Program Files as the same type of virus. Trojan.Password.Stealer. Was this also a FP as well? I accidentally deleted it from my quarantine and wasn't able to scan it with VirusTotal or other AVs, so am just a little worried about that.

Link to post
Share on other sites

1 minute ago, Atribune said:

I would think yes but if you could scan the file at Virustotal and share the url with me I will gladly look to be sure.

Unfortunately I deleted it from the quarantine last night (not restored) so I don't have the file to check anymore. :( Was just wondering if this was something also detected as a FP, seeing as my previous scan from yesterday didn't detect anything, but the C:\Windows one was detected with the C:\Program Files one at the same time.

Link to post
Share on other sites

17 minutes ago, exile360 said:

What version of Windows do you have?  I do recall the some older versions like XP did keep wordpad.exe in C:\Windows, but I don't believe that's the case in newer Windows versions (for example, I don't have it here on my 7 x64 system).

I have Windows 10 Pro 64-Bit. Sorry for the double post, please refer to my post below. I couldn't find where to delete a previous comment, sorry again.

Edited by MotoHello
Link to post
Share on other sites

53 minutes ago, Atribune said:

I would think yes but if you could scan the file at Virustotal and share the url with me I will gladly look to be sure.

I apologize for the double post. I'm almost sure I deleted instead of restored the file from quarantine, but I checked the scan logs and it said it was replaced? I searched where the file was located and found that it was indeed in there (even though I'm almost sure I deleted it completely). I uploaded it to Virus Total, the url is below. Please take a look for me, thanks!

https://www.virustotal.com/#/file/c7255a338b130fc245ec1b86b952f76c379b374296f7d6759a3c0501de8fc426/detection

Edited by MotoHello
Link to post
Share on other sites

OK, good, so you still have the file.  It's likely that Windows File Protection replaced it with a new copy after it was removed by Malwarebytes (a nifty feature in most Windows versions that protects critical system files located in C:\Windows and some of its sub-folders like System32).

As long as Wordpad is still working then you should be fine.  Test it out by opening a file that is supposed to open with Wordpad such as an RTF (Rich Text Format) document, assuming you have those files associated with Wordpad and haven't installed something else to do so such as MS Office Word.

Link to post
Share on other sites

Thanks again for all your work! I right clicked my desktop and created a new RTF and opened it. Seems to be okay. Going to run MBAM again to check everything.

Does the Virus Total look okay? GData and Symantec report it as Win.32.Application.Packed.J@dam and Bloodhound.MalPE respectively.

Edited by MotoHello
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.