"new Malware.bm" Trojan


13 replies to this topic

#1 Dialer (Members, 642 posts)

Posted 20 November 2007 - 12:59 AM

McAfee detected and quarantined a trojan named "New Malware.bm" (yes, with a space in its name) while I was downloading DeepBurner Free. I ran across this program for burning ISO images to DVD at Snapfiles -- http://www.snapfiles.com/get/deepburner.html -- but went to the developer's home page for the download. Got no more than 1% of the file downloaded (using a download manager) when McAfee alerted me. According to the log, the download came from a mirror site, the URL for which I will PM to anyone who wants to explore this further.

Click here to see what McAfee says about it (not much). I will mention, though, that they say the risk level is low.

Needless to say, I'm a little confused about how this happened, given that this app is listed on several reputable sites, including Tucows, unless someone hacked into the download file itself. Certainly wouldn't be the first time.



#2 tg1911 (Lord Spam Magnet, Members, 19,274 posts)

Posted 20 November 2007 - 03:18 AM

I think it's probably a false positive, because besides DeepBurner, there are other trustworthy programs that seem to trigger it:
Sunbird installer
plugins for Irfanview
Downloading files, using GetRight

In most of the instances I found, it was McAfee that said it was a trojan.
Try scanning the file at Jotti's malware scan, and see what it reports.

Edited by tg1911, 20 November 2007 - 03:20 AM.

MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA

Become a BleepingComputer fan: Facebook

#3 quietman7 (Bleepin' Janitor, Global Moderator, 52,099 posts)

Posted 20 November 2007 - 08:43 AM

Post back with the results of the Jotti file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 Dialer (Topic Starter, Members, 642 posts)

Posted 20 November 2007 - 10:01 AM

I'd be delighted if it's nothing more than a false positive. In the 15 or so years I've been wandering the internet, the only thing that ever happened to me along these lines was a browser hijack about 8 years ago. The result is that I actually know very little about the workings of any AV program once it's detected something.

So, since McAfee quarantined the file before the download finished -- I have only 48.9 KB of a 2.7 MB file -- is that adequate for a scan, or should I turn off McAfee and complete the download first? I feel very foolish, but I have no idea how to unquarantine a file, in any event.

Thanks for your help, guys.

ETA: Come to think of it, I'm going to have to do the full download. I'm on slow dialup and use a download manager, so of course the file fragment is in its format. I'll be back later.

Edited by Dialer, 20 November 2007 - 10:17 AM.


#5 quietman7 (Bleepin' Janitor, Global Moderator, 52,099 posts)

Posted 20 November 2007 - 11:00 AM

Don't turn off your anti-virus. VirusScan includes the ability to submit suspicious files directly from the Quarantine feature to the McAfee AntiVirus Emergency Response Team (AVERT) for research. Submit what you have and explain to them it's only a partial download.

Also see Submit a Sample

#6 Dialer (Topic Starter, Members, 642 posts)

Posted 20 November 2007 - 12:16 PM

There wasn't enough of the quarantined fragment to submit or restore it. In fact, I wasn't even offered the option.

So, I went back to my download manager and continued the original download, with McAfee on. No alerts this time, just a normal download. I scanned the file, and it came up clean. Nonetheless, I tried to upload it to Jotti, but it just sat there at 0% progress for about 10 minutes, and my patience wore out.

I'm banking on your being right, tg1911, that the alert was just a false positive, unless you all think I should continue investigating this.

Thanks again!
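Dialer's worry in the first post (a mirror serving a tampered installer) and the question in post #4 (whether a 48.9 KB fragment of a 2.7 MB file is worth scanning) both come down to checks you can run on the file itself before involving any scanner. The Python script below is an added example written for this page; it is not code from this thread, from McAfee or from DeepBurner. It streams a downloaded file through SHA-256, compares the digest with a hash the publisher (or a second download source) provides, and does a cheap structural check that the file is a complete PE image rather than a truncated fragment. The file names, the expected size and the minimal MZ/PE skeleton it writes to a temp directory are constructed sample input, not a real program; a real check would use the hash the developer publishes.

```python
import hashlib
import os
import struct
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_complete_pe(path):
    """Structural sanity check for a Windows executable.

    A partial download usually fails this before a scanner could say anything
    useful about it: the 64-byte DOS header must be present, e_lfanew (the
    DWORD at offset 0x3C) must point inside the file, and the four bytes there
    must be the PE signature.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        dos_header = fh.read(64)
        if len(dos_header) < 64 or dos_header[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        if e_lfanew + 4 > size:
            return False
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def verify_download(path, expected_size=None, expected_sha256=None):
    """Return a dict saying whether the file is complete and matches the expected hash."""
    problems = []
    size = os.path.getsize(path)
    if expected_size is not None and size != expected_size:
        problems.append(f"size mismatch: got {size} bytes, expected {expected_size}")
    if not looks_like_complete_pe(path):
        problems.append("not a complete PE image (truncated download or not an executable)")
    digest = sha256_file(path)
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("SHA-256 does not match the expected value")
    return {"size": size, "sha256": digest, "ok": not problems, "problems": problems}


def same_bytes(path_a, path_b):
    """True when two downloads (e.g. developer site vs. mirror) are byte-identical."""
    return sha256_file(path_a) == sha256_file(path_b)


def build_sample_files():
    """Constructed sample input, not a real program: a minimal MZ/PE skeleton
    named after the file in this thread, plus a 48-byte fragment standing in
    for the interrupted download. Returns (full_path, fragment_path, full_size)."""
    e_lfanew = 0x80
    image = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))   # DOS header + stub padding
    struct.pack_into("<I", image, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    image += b"PE\x00\x00" + b"\x00" * 252                 # signature + padding (384 bytes total)
    tmpdir = tempfile.mkdtemp()
    full = os.path.join(tmpdir, "deepburner1.exe")
    fragment = os.path.join(tmpdir, "deepburner1.exe.part")
    with open(full, "wb") as fh:
        fh.write(image)
    with open(fragment, "wb") as fh:
        fh.write(image[:48])
    return full, fragment, len(image)


if __name__ == "__main__":
    full, fragment, full_size = build_sample_files()
    reference = sha256_file(full)  # stands in for the hash the publisher would post
    for candidate in (full, fragment):
        print(os.path.basename(candidate), verify_download(candidate, full_size, reference))
```

Run it against the copy fetched from the developer's site and the copy the mirror served: if `same_bytes` is false, the mirror is handing out something different and the scanner alert deserves attention regardless of its confidence level. If the copies match and the hash equals the publisher's value, the file is what the developer shipped, which narrows the remaining question to the signature itself; note that a match does not prove the original is benign, only that the mirror was faithful. A fragment that fails `looks_like_complete_pe` is not worth submitting for analysis, which is consistent with the quarantine tool offering no submit option for the 48.9 KB piece.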

#7 quietman7 (Bleepin' Janitor, Global Moderator, 52,099 posts)

Posted 20 November 2007 - 12:34 PM

If you have a full file sample now, you can still try submitting it to McAfee to see what they have to say. It does appear it's a FP, but it should not be time-consuming to send it in.

#8 Dialer (Topic Starter, Members, 642 posts)

Posted 20 November 2007 - 12:41 PM

Good idea, quietman7. Will do. And thanks again! :thumbsup:

#9 quietman7 (Bleepin' Janitor, Global Moderator, 52,099 posts)

Posted 20 November 2007 - 12:43 PM

You're welcome. :thumbsup:

#10 Dialer (Topic Starter, Members, 642 posts)

Posted 20 November 2007 - 01:46 PM

Results from Avert Labs WebImmune:

Name: deepburner1.exe
Findings: inconclusive
Detection: null
Type: null
Extra: no

Upon analysis the file submitted does not appear to contain one of the 200,000 known threats in the AutoImmune database. The file may contain a new threat, or no code capable of being infected. Your submission is being forwarded to an Avert Labs Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.


I'll post again when I hear back from them.

#11 3eyesbaby (Members, 1 post)

Posted 21 August 2008 - 12:25 AM

Hi All,
This is a false positive!!

Avert Labs is issuing an emergency notice for the 5365 DAT files. The reason for this Emergency DAT release is due to a false detection for New Malware.bm.
Avert Labs will be releasing the 5366 DATs early to resolve this issue.

Please update the DAT to 5366, or roll back the DAT to 5364. When you update the DAT to 5366, you can go to Quarantine Manager and restore the false-positive file.

Edited by 3eyesbaby, 21 August 2008 - 12:26 AM.


#12 quietman7 (Bleepin' Janitor, Global Moderator, 52,099 posts)

Posted 21 August 2008 - 08:02 AM

This thread you replied to is 10 months old and there have been no complaints since then but thanks for letting us know about the emergency DAT release.

#13 chazzee23 (Members, 2 posts)

Posted 18 May 2009 - 02:38 PM

Hello, first time posting! So this thread is even older now, and I've just had the same problem come up with McAfee as Dialer, while downloading IrfanView, which I have downloaded before with no error on AVG! But now everywhere I go to download this file 'irfanview' it stops at 65% with the error new malware.bm, so I can't even download the file I want. So to 3eyesbaby, I hope this works, friend; I'm gonna try now!!

Edited by chazzee23, 18 May 2009 - 02:39 PM.


#14 chazzee23 (Members, 2 posts)

Posted 18 May 2009 - 03:59 PM

It works.



