
New Unsigned iertutil.dll


  • Please log in to reply
2 replies to this topic

#1 crazytrain86

Posted 28 January 2015 - 07:56 AM

I came home yesterday to something odd. My VMware crashed, and also I had my iertutil.dll file (previously signed by Microsoft) replaced by a different iertutil.dll that is NOT signed by Microsoft.

I submitted this dll to VirusTotal but received no hits on it (first submission ever): https://www.virustotal.com/en/file/ffe0114b9c5f0aa8cd7348b729e6c29a71fc97253889feb332ba2207373d638f/analysis/1422405560/

Similarly, Anubis had never seen this before: https://anubis.iseclab.org/?action=result&task_id=1302cd45f154eca94816cd504b0d06881

The file itself resides here: C:\Windows\SysWOW64\iertutil.dll

As of yesterday, this file was Microsoft signed. Today, the hash changed and it is no longer Microsoft signed (however, it says Microsoft in the meta information). Also, this is the ONLY Microsoft dll in my SysWOW64 directory that is unsigned now (previously none). Can someone tell me if this is legit? If it is, why is it now unsigned and how did my computer change it? I have Microsoft Update set to notify, but not auto install.

Best,

Mike

Edit: Topic moved from Windows 7 to the more appropriate forum. ~ Animal


#2 iangcarroll

iangcarroll

  • Malware Study Hall Senior
  • 641 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:07:39 AM

Posted 28 January 2015 - 11:13 AM

This file is not signed on my Windows 8 machine, and I doubt we both have an infection. While my SHA256 hash doesn't match yours, we aren't running the same OS. I would suggest running an anti-malware tool to be sure.

Here's my VT link if you're interested.

edit: now that it's in the right section, I would run MalwareBytes. If it picks up anything, please paste the log but otherwise you should be good.


Edited by iangcarroll, 28 January 2015 - 06:00 PM.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#3 crazytrain86

crazytrain86
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:39 AM

Posted 29 January 2015 - 04:06 PM

Update: Today that iertutil.dll file was replaced with the original one (same hash, validly signed by Microsoft). This does not seem like normal activity. Of note: the invalid one is actually "(Not verified) Microsoft Corporation", whereas the valid one is "(Verified) Microsoft Windows". Subtle difference, but might be meaningful.
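As an added example (not posted by anyone in this thread): a PowerShell check a defender could run on the file in question, reporting its SHA256, signature status and signer subject, and flagging whether the hash matches the one the original poster submitted to VirusTotal. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the hash constant is taken from the VirusTotal link above.

```powershell
# Added example, not code from the thread. Checks whether a system DLL carries a
# valid Authenticode signature (embedded or catalog) and whose certificate signed it.
# Assumes Windows PowerShell 4.0+ (Get-FileHash).

# SHA256 the original poster uploaded to VirusTotal (copied from the thread's link).
$SuspectHash = 'ffe0114b9c5f0aa8cd7348b729e6c29a71fc97253889feb332ba2207373d638f'

function Test-SystemDllSignature {
    param([Parameter(Mandatory)][string]$FilePath)

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()

    # A signer name or version-info field that merely says "Microsoft" proves
    # nothing; only Status = Valid means the certificate chain actually verified.
    $subject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $trustedMs = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        File          = $FilePath
        SHA256        = $hash
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
        Signer        = $subject
        TrustedMs     = $trustedMs
        MatchesThread = ($hash -eq $SuspectHash)
    }
}

# Check both the 32-bit and 64-bit copies of the DLL discussed in the thread.
foreach ($p in "$env:SystemRoot\SysWOW64\iertutil.dll", "$env:SystemRoot\System32\iertutil.dll") {
    if (Test-Path $p) { Test-SystemDllSignature -FilePath $p | Format-List }
}
```

Many Windows system binaries are catalog-signed rather than embedded-signed, so a tool that does not consult the catalog store will report them as unsigned even when they are genuine; Sysinternals sigcheck also checks catalogs if you want a second opinion.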