HardDriveWhiner

TROJAN.EMOTET erroneously identified?


Recent signature files identified 2 files on my computer as EMOTET.  These files were in a dormant C:\ drive directory; they were installed from a Sybex book's CD called Mastering Database Programming in VB6.  This directory hasn't been visited for years and just travels as a directory from one computer to another.  The directory contains files that are dated from 1998.

I know that the files have not been altered because I dug out the old CD and scanned it.  The same two files are identified as Trojan.EMOTET.  The C:\ directory has never come up with any flags for as long as I have been scanning with antivirus.  Probably greater than 10 years.  I can't actually see the file size because they are in quarantine.  However, a set of these two files located on another logical HD show that the file size and dates from that location are the same as the ones on the CD.

Before I restore them, can you please confirm that they are false positives.

I can submit the actual files if you need them.

________________________________________________________________

HERE'S THE LOG FILE FROM THE C:\ DRIVE SCAN:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/18
Scan Time: 5:38 PM
Log File: 24c542c2-0571-11e9-b9cf-0026b900b27c.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8431
License: Free

-System Information-
OS: Windows 10 (Build 17134.407)
CPU: x64
File System: NTFS
User: XPS1640\Robert

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 499417
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 2 hr, 6 min, 38 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\ALPHA\SETUP\DS32A.DLL, Quarantined, [5854], [614685],1.0.8431
Trojan.Emotet, C:\VB 6 MASTERING AND DATABASE PROGRAMMING\MASTDPVB (G)\X86\SETUP\DS32.DLL, Quarantined, [5854], [614685],1.0.8431

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

______________________________________________

Here's the log file from the CD:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/21/18
Scan Time: 8:27 PM
Log File: c2d58b9a-0588-11e9-ba29-0026b900b27c.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8435
License: Free

-System Information-
OS: Windows 10 (Build 17134.472)
CPU: x64
File System: NTFS
User: XPS1640\Robert

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 2102
Threats Detected: 2
Threats Quarantined: 0
Time Elapsed: 6 min, 17 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Emotet, I:\ALPHA\SETUP\DS32A.DLL, No Action By User, [5854], [614685],1.0.8435
Trojan.Emotet, I:\X86\SETUP\DS32.DLL, No Action By User, [5854], [614685],1.0.8435

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
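The poster's check (same size and dates on the CD and on the other drive) is the right idea; a byte-level comparison is the stronger version of it. The script below is an added example, not part of the thread and not a Malwarebytes tool: it parses the "File:" detection lines in the log format shown above, pairs each flagged path with the counterpart on the reference copy by file name, and compares sizes and SHA-256 digests. The log text and the files in the demo are constructed placeholders (the real DS32.DLL and DS32A.DLL are not available here).

```python
"""Cross-check AV-flagged files against a known-good reference copy (e.g. the original CD).

Added example, not code from the forum or from Malwarebytes. Identical digests
mean the on-disk copy is byte-for-byte what the CD shipped, which narrows the
question to whether the signature itself is a false positive.
"""
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Detection line layout seen in the logs above: name, path, action, [rule], [sig],db
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[^,]+), "
    r"\[(?P<rule>\d+)\], \[(?P<sig>\d+)\],(?P<db>\S+)$"
)

# Constructed sample in the shape of the C:\ drive log above (not a real export).
DISK_LOG = """File: 2
Trojan.Emotet, C:\\VB 6 MASTERING AND DATABASE PROGRAMMING\\MASTDPVB (G)\\ALPHA\\SETUP\\DS32A.DLL, Quarantined, [5854], [614685],1.0.8431
Trojan.Emotet, C:\\VB 6 MASTERING AND DATABASE PROGRAMMING\\MASTDPVB (G)\\X86\\SETUP\\DS32.DLL, Quarantined, [5854], [614685],1.0.8431
"""


def parse_detections(log_text):
    """Return one dict per detection line; lines that do not match are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def sha256_file(path):
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def pair_by_name(flagged_paths, reference_paths):
    """Pair flagged files with the reference copy by case-insensitive file name.

    Assumption: file names are unique within the set, as they are in this thread.
    """
    ref = {PureWindowsPath(p).name.lower(): p for p in reference_paths}
    return {p: ref.get(PureWindowsPath(p).name.lower()) for p in flagged_paths}


def compare_copies(pairs):
    """Report 'identical', 'differs' or 'missing' for each (flagged, reference) pair."""
    report = {}
    for flagged, reference in pairs.items():
        key = PureWindowsPath(flagged).name
        if reference is None or not Path(flagged).is_file() or not Path(reference).is_file():
            report[key] = "missing"
            continue
        same = (Path(flagged).stat().st_size == Path(reference).stat().st_size
                and sha256_file(flagged) == sha256_file(reference))
        report[key] = "identical" if same else "differs"
    return report


def demo():
    """Build two constructed copies in a temp dir: one unchanged, one altered."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp, "disk", "SETUP")
        cd = Path(tmp, "cd", "SETUP")
        disk.mkdir(parents=True)
        cd.mkdir(parents=True)
        for name in ("DS32A.DLL", "DS32.DLL"):
            (cd / name).write_bytes(b"MZ constructed placeholder " + name.encode())
        # DS32A.DLL is an exact copy; DS32.DLL is deliberately changed to show a mismatch.
        (disk / "DS32A.DLL").write_bytes((cd / "DS32A.DLL").read_bytes())
        (disk / "DS32.DLL").write_bytes(b"MZ tampered placeholder")
        pairs = pair_by_name([str(disk / "DS32A.DLL"), str(disk / "DS32.DLL")],
                             [str(p) for p in cd.iterdir()])
        return compare_copies(pairs)


if __name__ == "__main__":
    for hit in parse_detections(DISK_LOG):
        print(hit["name"], "->", hit["path"], "(db", hit["db"] + ")")
    print(demo())
```

In practice you would pass the paths from parse_detections (after restoring from quarantine, or using the second copy on the other drive) as the flagged set and the CD directory listing as the reference. A match tells you the file was not modified since it was pressed onto the CD; it does not by itself prove the file is clean, which is why submitting the samples to the vendor, as done in this thread, is still the final step.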

 


I can't attach the .dll so I'm changing it to a .doc extension.  Please change it back if you need to do so.

How were you able to verify as a false positive?  Was Emotet not in existence in 1998?

Please let me know that this is definitely not a virus because reading about the emotet is fairly scary. 

THANKS.

ds32.doc

ds32a.doc

1 hour ago, HardDriveWhiner said:

I can't attach the .dll so I'm changing it to a .doc extension.  Please change it back if you need to do so.

How were you able to verify as a false positive?  Was Emotet not in existence in 1998?

Please let me know that this is definitely not a virus because reading about the emotet is fairly scary. 

THANKS.

ds32.doc

ds32a.doc

Thanks for attaching.

I looked at another file that had a similar component to what was targeted. Emotet did not exist in 1998.

The files you attached aren't malicious. It was a false positive on our end. Sorry for the inconvenience.

Fixed in the following DB versions:

MBAM2 Version: v2018.12.22.01
MBAM3 Version: 1.0.8437

More reading if you're interested: https://blog.malwarebytes.com/detections/trojan-emotet/

Best regards
