Windows Defender - Trojan Dropper Malware


  1. Posts : 1,026
    Win10 Version 21H2 19044.1645
       #1

    Windows Defender - Trojan Dropper Malware


    Malwarebytes discovered the Trojan Dropper in rundlll.32exe file. Windows Defender (WD) did not detect it in a scan performed immediately before. I removed it with Malwarebytes and did a follow-up scan with Norton Power Eraser which was negative. I do not have Malwarebytes installed but download it periodically to do a scan.

    Posting this to illustrate the importance of supplementing WD with another AV.

    If you are not familiar with Trojan Dropper it is a type of Trojan whose purpose is to deliver an enclosed payload onto a destination host computer.


  2. Posts : 3,502
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       #2

    torre : Posting this to illustrate the importance of supplementing WD with another AV

    Not another AV, but I understand.

    You should only run ONE real-time virus protection product on your system. More than one often causes conflict when they fight each other for control. Each one might treat the other as a virus and the fight for control escalates... well, you get the idea.

    Running one or more on-demand scanners IS a good idea when warranted: your machine is exhibiting signs of infection (erratic mouse, strange homepage, excessive pop-up ads, etc. - there are plenty of sites that describe what you might experience).

    I run Malwarebytes FREE about once a month - maybe every two months, just to get that warm and fuzzy feeling.

    The paid Malwarebytes runs well with almost every real-time AV product.

    Just to clarify, there are Anti-Virus products and there are Anti-Malware products. They are tuned to process different threats.

    I just looked at your post again and see that the file Mbam found is: rundlll.32exe
    There's an extra l in .dlll and the extension is not an executable: .32exe

    It's possible that WD cleaned up the threat and that file is a remnant - it's a good rename that will never get executed anyway

    If you have that file in Mbam quarantine, you might consider sending it to MS for analysis. It could help everyone


  3. Posts : 1,026
    Win10 Version 21H2 19044.1645
    Thread Starter
       #3

    just looked at your post again and see that the file Mbam found is: rundlll.32exe
    There's an extra l in .dlll and the extension is not an executable: .32exe

    Typo on my part. Only one l, rundll32.exe. Is rundll.32exe an executable extension?

    If you have that file in Mbam quarantine, you might consider sending it to MS for analysis. It could help everyone
    I removed it from quarantine. Does Malwarebytes automatically collect it, or does the user have to send it? I saw no option.


  4. Posts : 824
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       #4

    Hi:

    In addition to @Slartybart's excellent advice:

    MBAM does conduct anonymous telemetry about detected threats, but I am not sure how that works "under the hood".
    I do not think there is currently an in-app file submission process from the GUI (I think it has been a requested feature).

    If you think that the detection might be a False Positive detection by MBAM, then I suggest having a look at this forum sticky and then submitting to their F/P forum AT LEAST the MBAM scan log that shows the detection. This KB article explains how to locate and export the log files.
    The Research/QA teams will evaluate the data and advise you accordingly.

    Also, as @Slartybart pointed out, MBAM Free is only a manual, on-demand scanner. For layered real-time protection targeting zero-hour and zero-day, mostly non-viral malware threats, you need the paid, Premium version alongside your AV.

    Cheers,
    MM


  5. Posts : 3,502
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       #5

    torre said:
    Typo on my part. Only one l, rundll32.exe. Is rundll.32exe an executable extension ?
    I removed from quarantine. Does Malwarebytes automatically collect, or does user have to send. I saw no option.
    No sweat - typos and mischaracterizations happen to me a LOT

    No, .32exe is not a known executable filetype.

    Moxie answered your other question about Mbam collecting samples.

    Defender can automatically submit samples if that is on in Defender settings. The sample is sent to MS labs and that is usually shared with the other malware vendors.

    I saw one tool that had a submit to VirusTotal button - can't recall or find which one it was now. Darn, I thought it was a great thing to have at your fingertips.

    I've used this in the past to make sample submission to VirusTotal a little easier
    VirusTotal Windows Uploader - VirusTotal
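An added example (not code from the thread or from any of the tools mentioned) that puts the two points above into a PowerShell check: it reads Defender's automatic sample-submission setting, classifies a reported name such as rundll.32exe by whether its extension is a known executable type and whether, once punctuation is stripped, it matches a real Windows binary, and then confirms the genuine rundll32.exe copies are Microsoft-signed. It assumes Windows 10 with the built-in Defender cmdlets; the binary list, extension list and value labels are the example's own assumptions.

```powershell
# Added example, not from the thread. Assumes Windows 10 with the built-in Defender cmdlets.

# Point 1: is Defender set to send samples to Microsoft automatically?
# The value labels are this example's reading of SubmitSamplesConsent.
$consentLabel = @{ 0 = 'Always prompt'; 1 = 'Send safe samples automatically'
                   2 = 'Never send';    3 = 'Send all samples automatically' }
$consent = [int](Get-MpPreference).SubmitSamplesConsent
"Defender SubmitSamplesConsent = $consent ($($consentLabel[$consent]))"

# Point 2: does a reported file name use a real executable extension, and does it
# mimic a known Windows binary once punctuation is stripped? Both lists are illustrative.
$knownBinaries  = @('rundll32.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe')
$executableExts = @('.exe', '.dll', '.scr', '.com', '.cpl')

function ConvertTo-Squashed([string]$s) { $s.ToLowerInvariant() -replace '[^a-z0-9]', '' }

function Test-SuspiciousName {
    param([Parameter(Mandatory)][string]$Name)
    $ext    = [IO.Path]::GetExtension($Name).ToLowerInvariant()
    $target = ConvertTo-Squashed $Name
    $mimics = $knownBinaries | Where-Object { (ConvertTo-Squashed $_) -eq $target }
    [pscustomobject]@{
        Name                     = $Name
        KnownExecutableExtension = $executableExts -contains $ext
        MimicsWindowsBinary      = @($mimics) -join ', '   # empty string when nothing matches
    }
}

Test-SuspiciousName 'rundll.32exe'   # .32exe is not an executable extension; squashes to rundll32.exe
Test-SuspiciousName 'rundlll.32exe'  # the thread's typo: the extra l means no exact match either

# Point 3: the genuine rundll32.exe lives in these two locations and is Microsoft-signed.
foreach ($p in "$env:SystemRoot\System32\rundll32.exe", "$env:SystemRoot\SysWOW64\rundll32.exe") {
    if (Test-Path $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{ Path = $p; SignatureStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}
```

A copy of rundll32.exe outside those two folders, or one whose signature status is not Valid, is what deserves a second look; a name that squashes to a system binary but carries an unknown extension is the renamed-remnant case described above.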


  6. Posts : 1,026
    Win10 Version 21H2 19044.1645
    Thread Starter
       #6

    MoxieMomma said:
    Hi:


    Also, as @Slartybart pointed out, MBAM Free is only a manual, on-demand scanner. For layered real-time protection targeting zero-hour and zero-day, mostly non-viral malware threats, you need the paid, Premium version alongside your AV.
    Thanks for the reply. I am familiar with Malwarebytes and use the free, on-demand scanner as a supplement to WD.

    From my research, the rundll.32exe Trojan Dropper seems to be a common threat. While there is always a possibility of a false positive, I chose to err on the side of caution and remove the reported virus.

    My post was not intended to degrade WD, but to illustrate the importance of a secondary scan by another AV as is also stated on the numerous forum posts on "what is the best av."


  7. Posts : 3,502
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       #7

    You did the right thing by removing a detected threat.

    Can you point me to what you found? That will help me help other folks - thanks
    I know Droppers are a common threat and I thought I saw that VirusTotal determined that rundll.32exe was a threat until I noticed my search results were for rundll32.exe.

    Same thing for other searches I performed - it looked as though there were .32exe files flagged as threats, but when I looked at the actual remediation the files were xyz32.exe.

    I didn't think your statement was derogatory towards WD - on the contrary, your thread shows the value of 2nd opinion malware software.


    My focus is on the threat Mbam found and if there is anything else that should be run.

    Here are two good tools, please run them when you get the chance.

    1. Download Temp File Cleaner (TFC) by Oldtimer

      1. Save your work and close all open windows.

      2. Restart your machine in case there are any system operations pending

      3. Navigate to your Downloads folder
        Right click on TFC
        Select Run as administrator

      4. Press the start button in the TFC window
        TFC begins cleaning up temporary files and folders.

        !!!!! Do not work on other things while TFC is running - most applications use some sort of temporary files. !!!

      5. Restart your machine immediately after TFC completes


    2. Download AdwCleaner by Xplode

      1. Save your work and close all open windows.

      2. Navigate to your Downloads folder
        Right click AdwCleaner
        Pick Run as administrator

      3. Click on the Scan button.

        • AdwCleaner begins scanning your system. It might take some time to complete.

        • Review the detected objects grouped under each of the tabs.
          --> If there is something you KNOW should NOT be cleaned, clear the checkbox next to the object. If you're not sure about an object, paste the scan logfile (AdwCleaner[S#].txt) in a new post for a member to review and advise you.

          Otherwise, go to the next step.


      4. After the scan has finished and you have reviewed the objects to be cleaned, click on the Clean button.

        • Answer OK to the close all programs prompt, then follow the onscreen prompts.
        • Answer OK to the restart the computer prompt to complete the removal process.
          The AdwCleaner log file is opened in your default Text editor when the machine has restarted.
          Each time AdwCleaner runs, the log file number [#] is incremented, the highest number is the most recent. There are two log files, one for the scan (AdwCleaner[S#].txt) and one for the clean (AdwCleaner[C#].txt).


        Paste the entire clean logfile (AdwCleaner[C#].txt) in your next post.
        --> AdwCleaner logs are located in the C:\AdwCleaner folder if you need to reference them again


  8. Posts : 824
    Win10/64 Pro 1511 (and 2 Win 7/64 Ult & Pro systems)
       #8

    Hi;

    Thanks for the clarification.

    If you had been running MBAM Premium in real-time alongside your AV, it's possible that MBAM might have prevented the infection in the first place.
    In my book, at least, it seems preferable to try to PREVENT infection, rather than to try to CLEAN-UP after it.
    With certain types of malware these days (e.g. ransomware), after-the-fact cleanup can be too late.

    Cheers, :)
    MM


  9. Posts : 1,026
    Win10 Version 21H2 19044.1645
    Thread Starter
       #9

    Can you point me to what you found?
    The below is an example from a Google search.

    Trojan.Dropper Description

    A Trojan.Dropper is designed to deliver a payload onto the victim's computer system. However, a Trojan.Dropper will usually lead a large-scale attack, usually not the end infection itself. Typically, one of the main goals of computer criminals is to find ways to install malware onto their victim's computer without alerting the victim of the intrusion. A Trojan.Dropper is a typical method that is quite common.

    Typically, a Trojan.Dropper contains a malware infection within itself which is designed to deliver the infection by copying it onto the victim's computer's file system. A Trojan.Dropper will usually install and execute the malware installed and then will often delete itself or simply remain harmless on the victim's computer system.

    A Trojan.Dropper will usually be confusing to the victim, and designed to cause no symptoms. A typical example of a Trojan.Dropper is a fake screen saver which, when opened, will simply display an error message. However, even though the error message may look genuine, it will actually have been part of the Trojan.Dropper's tactics to install its payload without the user being aware of the problem. Many Trojan.Dropper infections will include an encrypting algorithm of some kind of obfuscator or packing algorithm to make their detection and removal much more difficult than normal.

    Usually, a Trojan.Dropper is created as a way to distribute malware, since a Trojan.Dropper is relatively cheap and easy to distribute. A Trojan.Dropper is also low risk for the criminals that create it, since it is easy for them to cover their tracks when there are several steps to an infection. However, one of the features of Trojan.Dropper infections that make them attractive to criminals is that they can be easily disguised by simply changing their icon and file name.

    The payload of a typical Trojan.Dropper will vary from one case to the next. Typically, they will drop executable files, which can then infect the victim's computer system or download malware from a remote location.

    There are few symptoms associated with a Trojan.Dropper. Some kinds of Trojan.Dropper infections will display a fake error message while dropping their payload. However, most of the time a Trojan.Dropper will display no signs of infection at all. Usually, the symptoms on an infected computer system will have been caused by the Trojan.Dropper's payload rather than by the dropper. Some examples of Trojan.Dropper infections will be associated with rootkits that hide the Trojan.Dropper's payload and may also make changes to the System's settings and the Windows Registry.
    Trojan.Dropper or Application.E.Surveiller.D Removal Report



  10. Posts : 3,502
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       #10

    Thanks for the info - you'll get lots of hits for a generic malware type.

    When I'm researching a file, I get tons of hits from malware logs - it doesn't mean the file is malware, it only means that a common file was reported in a log. Drives me bonkers - so I have to sort those things out.

    I think you're in the clear and the file was the result of the remediation of a threat. Regardless, Malwarebytes cleaned it up and you deleted it from quarantine.

    Still, you should run the other tools above.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.