Below is the report from CounterSpy that ran the night after installing and running VOB2MPG. Note that the previous day I had run a scan and no spyware was reported, and I downloaded nothing in the meantime:
Spyware Scan Details
Start Date: 9/8/2006 2:00:11 AM
End Date: 9/8/2006 2:12:30 AM
Total Time: 12 mins 19 secs
Detected spyware
Peccaminosa Porn Dialer more information...
Status: Quarantined
Infected registry entries detected
HKEY_CURRENT_USER\Software\Freeware
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod\MRU List MRUList a
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod\ MRU List a C:\MIDNIGHT_OIL_BOBW\VIDEO_TS\VTS_01_0.m2v
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod\ Persistence Save As filter index 1
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod\ Persistence Run as job 0
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod VirtualDub 1
HKEY_CURRENT_USER\Software\Freeware\VirtualDubMod SeenWelcome 1
Backdoor.NancyAjram Backdoor more information...
Details: NancyAjram is a Backdoor Trojan that gives an attacker unauthorized access to a compromised computer.
Status: Quarantined
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
HKEY_CURRENT_USER\Software\Cygnus Solutions
Note that I had not run VirtualDubMod - haven't run it for probably a couple years. It has been on my computer the whole time and never had a report before - probably just where the installation hid the bad entry.
After this I had the program delete the spyware.
Next day, again without having any downloads intervening, I ran VOB2MPG. The next CounterSpy run showed the following:
Spyware Scan Details
Start Date: 9/10/2006 2:00:16 AM
End Date: 9/10/2006 2:10:36 AM
Total Time: 10 mins 20 secs
Detected spyware
Backdoor.NancyAjram Backdoor more information...
Details: NancyAjram is a Backdoor Trojan that gives an attacker unauthorized access to a compromised computer.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
HKEY_CURRENT_USER\Software\Cygnus Solutions
I am not saying that you put spyware into your program - but maybe it was modified after you submitted it? I downloaded it from svc2dvd.com, which redirected me to the download from software.badgerit.com.
Jeff
Well, run some anti virus check on the installation files - it should pick it up if there was any. But I strongly suspect you'd better start looking elsewhere for the source of your virus infection.
/Mats
jaman57: the zip installation from svcd2dvd.com/software.badgerit.com are the "official" versions... so they will not be modified. I can send you the same files via email if you would like...
Anyway a bit of googling gets me:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.NancyAjram&threatid=48663
and
http://research.sunbelt-software.com/threatdisplay.aspx?name=Peccaminosa&threatid=48621
I am not familiar with "Counter Spy" but can it be run on individual files? If so what does it make of VOB2MPG? The msi installation (as mats suggests) and the exe etc (post installation)?
SVCD2DVD v2.5, AVI/MPEG/HDTV/AviSynth/h264->DVD, PAL->NTSC conversion.
VOB2MPG PRO, Extract mpegs from your DVDs - with you in control!
It didn't show up in scanning the installation files - only after the program was actually run. And I definitely quarantined then deleted the bad entries after the first report, then ran the check with no spyware found. Then after I ran the program (VOB2MPG) again, with no downloads intervening, I again got the positive. I have run the check several times since with no more positives. I haven't run VOB2MPG again either since that last time.
VOB2MPG installed in the directory Program Files/Badger IT/VOB2MPG. The files in the target directory are ffmpeg.exe, 3124KB, 3/14/2006; pthreadGC2.dll, 59KB, 2/17/2006; and VOB2MPG.exe, 640KB, 3/14/2006. It also installed under there a "logs" subdirectory which was empty, and now includes two text files which simply are the log of the two conversions I did. Do the three main files' time and size match yours/what they should be?
Jeff
Originally Posted by mats.hogberg
What does your scanner make of the files in that folder?
It doesn't show a positive on the files themselves. Is it possible that if a command were in there that modified the registry upon running that it might not be picked up? I don't know.
Jeff
Originally Posted by ChrissyBoy
OK, I just did a complete uninstall, making sure all files were deleted, then did a reinstall and ran the program, then did a scan and DID NOT get a positive. So at this point I am going to assume that something in the original installation caused a false positive, unless something else comes up. I apologize to all concerned; though I haven't experienced anything like this before, I guess there is always a first time.
Jeff
Originally Posted by jaman57
I too have found entries relating to Cygnus Solutions in the Registry, not just in HKEY_LOCAL_MACHINE\SOFTWARE but also in HKEY_CURRENT_USER.
Cygnus Solutions is no virus/malware.
http://en.wikipedia.org/wiki/Cygnus_Solutions
Basically, they provide a platform for enabling UNIX apps to run under Windows.
/Mats
True and interestingly VOB2MPG doesn't use it!