FormerYooper

MBAM flags WordPad.exe with Trojan.Pass.... malware


I ran a complete scan this morning with MBAM premium.  I have attached a screenshot of the settings I used for the Custom Scan.  The results of the scan flagged malware in Wordpad.exe.  I have attached a screenshot of these results.  The results did not list the entire name of the Trojan, but only listed Trojan.Pass....  I did a search and find that this might be a password stealer.  I quarantined the file.  Before doing so however, I uploaded the file to Virus Total and every AV, including MBAM, said it was clean!  I have attached the Virus Total report in PDF format.   Could some kind soul please advise me as to whether or not this is a false positive?  Thanks in advance for your expert help. 

MBAMScanSettings.PNG

MBAMResults.PNG

VirusTotal.pdf


Same thing is happening on two of our computers running Malwarebytes Endpoint Protection. 


Hello dear Chloe!

If it detects as a trojan, it's probably a false positive.

Or it might be a trojan if you haven't downloaded that program from the official site of the creators.


I don't know about the topic starter, but I haven't downloaded it from anywhere. Those computers scanned fine yesterday and earlier this morning.

22 minutes ago, Bosworth said:

Hello dear Chloe!

If it detects as a trojan, it's probably a false positive.

Or it might be a trojan if you haven't downloaded that program from the official site of the creators.

I am the original poster/topic starter. I did not DL WordPad from anywhere else. The last time I did a full scan, this malware flag did not show up. I have not added WordPad to my system since then. Guess this is a false positive. However, I wanted to post here so MBAM will know that this issue exists and to possibly assist others who might have encountered the same.

Just now, Bosworth said:

So are you trying to say it just downloaded by itself?

Absolutely not! I am just saying that since my last full MBAM scan, in which this trojan did not show up, I have not downloaded WordPad. It has always been on my device. This morning, I did a full MBAM scan and this trojan showed up.


It appears to be a false positive. Today we got nine detections during the daily scan on our endpoints. Interestingly, the detection of wordpad.exe as "Trojan.PasswordStealer" by Malwarebytes involved endpoints running different versions of Windows 10 (it was detected on 1703, 1709, and 1803). The version of the file seems to be the same in all three, with the same date stamp. I checked file consistency with both DISM and SFC and the tools found no corruption. Scanning the files with Bitdefender, Zemana, and Hitman Pro didn't result in any detection. We also checked the files with various sandboxes and malware analysis tools and most didn't find anything malicious. Note that ViCheck, and one hash from the MBAM detection copied to VT, found the entry suspicious and malicious, respectively.

 

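The checks this post describes (file version and date stamp, a hash to look up on VT, an integrity check of the file) gathered into one PowerShell triage step for a flagged Windows binary. This is an added example, not code from any poster in this thread; the default path is an assumption (where Windows 10 installs WordPad), and the DISM/SFC pass the post mentions is left to run separately.

```powershell
# Added triage helper (not from this thread). The default path is assumed:
# it is where Windows 10 installs WordPad. Pass -Path for the flagged copy.
param(
    [string]$Path = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path (still quarantined, or not yet restored?)"
}

$item = Get-Item -LiteralPath $Path

# SHA-256 is what VirusTotal keys its reports on: searching by hash avoids
# re-uploading a file that has already been analysed.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Microsoft ships most OS binaries with a catalog signature rather than an
# embedded one. On Windows 10, Get-AuthenticodeSignature checks both and
# reports SignatureType 'Catalog' for the former and IsOSBinary = $true.
$sig = Get-AuthenticodeSignature -FilePath $Path

# Conditions under which a single-vendor "Trojan" hit on a file that has
# always been on the box is most likely a false positive. Any of them
# failing is the reason to leave the file quarantined and report it.
$looksGenuine = ($sig.Status -eq 'Valid') -and $sig.IsOSBinary -and
                ($sig.SignerCertificate.Subject -like '*Microsoft*')

[pscustomobject]@{
    Path         = $Path
    FileVersion  = $item.VersionInfo.FileVersion
    ProductName  = $item.VersionInfo.ProductName
    LastWrite    = $item.LastWriteTime
    SHA256       = $hash
    SigStatus    = $sig.Status
    SigType      = $sig.SignatureType
    IsOSBinary   = $sig.IsOSBinary
    Signer       = $sig.SignerCertificate.Subject
    LooksGenuine = $looksGenuine
}
```

Compare the FileVersion and LastWrite fields across endpoints as the post did, and run the integrity check separately from an elevated prompt with `sfc /VERIFYFILE=<path>`.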

Hey All,

This was indeed a false positive and has been fixed since 2:25pm EST today.

Sorry for the inconvenience.

 

14 minutes ago, Atribune said:

Hey All,

This was indeed a false positive and has been fixed since 2:25pm EST today.

Sorry for the inconvenience.

 

Thanks ever so much for confirming this is a FP and also for the fix! 

23 minutes ago, Atribune said:

Hey All,

This was indeed a false positive and has been fixed since 2:25pm EST today.

Sorry for the inconvenience.

 

Good to know it was a FP, thanks for the fix.

MBAM Premium also detected a Wordpad.exe located in C:\Windows, in addition to the one in C:\Program Files, as the same type of virus, Trojan.Password.Stealer. Was this also a FP? I accidentally deleted it from my quarantine and wasn't able to scan it with VirusTotal or other AVs, so I am just a little worried about that.


I would think yes, but if you could scan the file at VirusTotal and share the URL with me I will gladly look to be sure.
1 minute ago, Atribune said:

I would think yes, but if you could scan the file at VirusTotal and share the URL with me I will gladly look to be sure.

Unfortunately I deleted it from the quarantine last night (not restored), so I don't have the file to check anymore. :( I was just wondering if this was also detected as a FP, seeing as my previous scan from yesterday didn't detect anything, but the C:\Windows one was detected together with the C:\Program Files one at the same time.


What version of Windows do you have? I do recall that some older versions like XP did keep wordpad.exe in C:\Windows, but I don't believe that's the case in newer Windows versions (for example, I don't have it here on my 7 x64 system).
17 minutes ago, exile360 said:

What version of Windows do you have? I do recall that some older versions like XP did keep wordpad.exe in C:\Windows, but I don't believe that's the case in newer Windows versions (for example, I don't have it here on my 7 x64 system).

I have Windows 10 Pro 64-Bit. Sorry for the double post, please refer to my post below. I couldn't find where to delete a previous comment, sorry again.

53 minutes ago, Atribune said:

I would think yes, but if you could scan the file at VirusTotal and share the URL with me I will gladly look to be sure.

I apologize for the double post. I'm almost sure I deleted instead of restored the file from quarantine, but I checked the scan logs and it said it was replaced? I searched where the file was located and found that it was indeed there (even though I'm almost sure I deleted it completely). I uploaded it to VirusTotal; the URL is below. Please take a look for me, thanks!

https://www.virustotal.com/#/file/c7255a338b130fc245ec1b86b952f76c379b374296f7d6759a3c0501de8fc426/detection


OK, good, so you still have the file. It's likely that Windows File Protection replaced it with a new copy after it was removed by Malwarebytes (a nifty feature in most Windows versions that protects critical system files located in C:\Windows and some of its sub-folders like System32).

As long as Wordpad is still working, you should be fine. Test it out by opening a file that is supposed to open with Wordpad, such as an RTF (Rich Text Format) document, assuming you have those files associated with Wordpad and haven't installed something else to do so, such as MS Office Word.

51 minutes ago, Neptune said:

Thanks for addressing the issue promptly.

When FP's occur we try to fix them as soon as we possibly can.

We really appreciate our amazing customers who understand that from time to time FP's can and do happen.

1 hour ago, FormerYooper said:

Thanks ever so much for confirming this is a FP and also for the fix! 

You're quite welcome :)


Thanks again for all your work! I right-clicked my desktop, created a new RTF and opened it. Seems to be okay. Going to run MBAM again to check everything.

Does the VirusTotal report look okay? GData and Symantec report it as Win.32.Application.Packed.J@dam and Bloodhound.MalPE respectively.


Excellent, so at least Wordpad is working and isn't broken; that's good news.

We'll have to wait to hear back from Dave (Atribune) on the VT check, but at least we know that nothing is broken in the meantime.
