TROJAN.EMOTET erroneously identified?


HardDriveWhiner

Recent signature files identified 2 files on my computer as EMOTET. These files were in a dormant c:\ drive directory that was installed from a Sybex Book's CD called Mastering Database Programming in VB6. This directory hasn't been visited for years and just travels as a directory from one computer to another. The directory contains files that are dated from 1998.

I know that the files have not been altered because I dug out the old CD and scanned it. The same two files are identified as Trojan.EMOTET. The C:\ directory has never come up with any flags for as long as I have been scanning with antivirus. Probably greater than 10 years. I can't actually see the file size because they are in quarantine. However, a set of these two files located on another logical HD shows that the file size and dates from that location are the same as the ones on the CD.

Before I restore them, can you please confirm that they are false positives?

I can submit the actual files if you need them.

________________________________________________________________

HERE'S THE LOG FILE FROM THE C:\ DRIVE SCAN:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/18
Scan Time: 5:38 PM
Log File: 24c542c2-0571-11e9-b9cf-0026b900b27c.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8431
License: Free

-System Information-
OS: Windows 10 (Build 17134.407)
CPU: x64
File System: NTFS
User: XPS1640\Robert

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 499417
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 2 hr, 6 min, 38 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\ALPHA\SETUP\DS32A.DLL, Quarantined, [5854], [614685],1.0.8431
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\X86\SETUP\DS32.DLL, Quarantined, [5854], [614685],1.0.8431

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

______________________________________________

Here's the log file from the CD:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/18
Scan Time: 8:27 PM
Log File: c2d58b9a-0588-11e9-ba29-0026b900b27c.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8435
License: Free

-System Information-
OS: Windows 10 (Build 17134.472)
CPU: x64
File System: NTFS
User: XPS1640\Robert

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 2102
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 6 min, 17 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Emotet, I:\ALPHA\SETUP\DS32A.DLL, No Action By User, [5854], [614685],1.0.8435
Trojan.Emotet, I:\X86\SETUP\DS32.DLL, No Action By User, [5854], [614685],1.0.8435

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 


I can't attach the .dll so I'm changing it to a .doc extension.  Please change it back if you need to do so.

How were you able to verify as a false positive?  Was Emotet not in existence in 1998?

Please let me know that this is definitely not a virus because reading about the emotet is fairly scary. 

THANKS.

ds32.doc

ds32a.doc


1 hour ago, HardDriveWhiner said:

I can't attach the .dll so I'm changing it to a .doc extension.  Please change it back if you need to do so.

How were you able to verify as a false positive?  Was Emotet not in existence in 1998?

Please let me know that this is definitely not a virus because reading about the emotet is fairly scary. 

THANKS.

ds32.doc

ds32a.doc

Thanks for attaching.

I looked at another file that had a similar component to what was targeted. Emotet did not exist in 1998.

The files you attached aren't malicious. It was a false positive on our end. Sorry for the inconvenience.

Fixed in the following DB versions:

MBAM2 Version: v2018.12.22.01
MBAM3 Version: 1.0.8437

More reading if you're interested: https://blog.malwarebytes.com/detections/trojan-emotet/

Best regards
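
An added example, not code from the posters or from Malwarebytes: it parses the four "File:" detection lines from the two logs above, groups them by detection name and bracketed IDs, and checks whether every hit came from a database older than the 1.0.8437 fix named in the reply. The function names are hypothetical, and the two bracketed numbers are treated as opaque IDs because the thread does not say what they mean.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Detection lines copied from the two scan logs in this thread.
LOG_LINES = r"""
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\ALPHA\SETUP\DS32A.DLL, Quarantined, [5854], [614685],1.0.8431
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\X86\SETUP\DS32.DLL, Quarantined, [5854], [614685],1.0.8431
Trojan.Emotet, I:\ALPHA\SETUP\DS32A.DLL, No Action By User, [5854], [614685],1.0.8435
Trojan.Emotet, I:\X86\SETUP\DS32.DLL, No Action By User, [5854], [614685],1.0.8435
""".strip().splitlines()

FIXED_IN = "1.0.8437"  # MBAM3 database version named in the reply


def parse_detection(line):
    """Split one 'File:' entry; the path itself may contain commas."""
    name, rest = line.split(",", 1)
    # The last four fields are fixed, so split from the right.
    path, action, id_a, id_b, db = (f.strip() for f in rest.rsplit(",", 4))
    ids = tuple(int(x.strip("[]")) for x in (id_a, id_b))  # opaque IDs (assumption)
    return {"name": name.strip(), "path": PureWindowsPath(path),
            "action": action, "ids": ids, "db": db}


def version_tuple(v):
    """Turn '1.0.8431' into (1, 0, 8431) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def triage(lines, fixed_in):
    """Group hits by (detection name, IDs) and summarise each group."""
    groups = defaultdict(list)
    for line in lines:
        d = parse_detection(line)
        groups[(d["name"], d["ids"])].append(d)
    report = []
    for (name, ids), hits in groups.items():
        report.append({
            "name": name, "ids": ids,
            "files": sorted({h["path"].name for h in hits}),
            "drives": sorted({h["path"].drive for h in hits}),
            "db_versions": sorted({h["db"] for h in hits}, key=version_tuple),
            # True when every hit was produced by a database older than the fix.
            "predates_fix": all(version_tuple(h["db"]) < version_tuple(fixed_in)
                                for h in hits),
        })
    return report


if __name__ == "__main__":
    for row in triage(LOG_LINES, FIXED_IN):
        print(row)
```

A group that still appears after rescanning with a database at or above the fixed version would have `predates_fix` set to False and should not be treated as the same false positive.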
