Full Version: Trojan-banker.win32.chepro.fsy
Kaspersky Lab Forum > English User Forum > Protection for Business
ChasLkb
I have 7 computers on which Kaspersky 8 has detected Trojan-Banker.Win32.ChePro.fsy.
It looks like it is coming from a Google Chrome update.
They have been disinfected, and I have no file to send.
Is this a false positive?
Nikolay Arinchev
Hi,

We need a sample to tell something definite.

Maybe you can tell us where you got this update?
Mehboob.Qureshi
QUOTE(ChasLkb @ 18.12.2013 03:51) *
I have 7 computers on which Kaspersky 8 has detected Trojan-Banker.Win32.ChePro.fsy.
It looks like it is coming from a Google Chrome update.
They have been disinfected, and I have no file to send.
Is this a false positive?


Hi ChasLkb,

Please find the link for your reference only http://www.kaspersky.com/au/viruswatchlite...hour_offset=1.5

As Nikolay Arinchev suggested, we need a sample to tell something definite. I suggest you perform the steps below.

Note: isolate the system from the network and turn off the System Restore option before you scan the system.
1) Open the Kaspersky Antivirus Console
2) Settings
3) Custom Scan
4) Security level
5) Additional
6) Select Deep

Below are the steps to turn off the System Restore option.
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box, or click to select the Turn off System Restore on all drives check box.
Click OK.
Click Yes to confirm that you want to turn off System Restore.


If nothing is found in the system after performing the above steps, please use the tool mentioned below to scan the system and generate a log file for further analysis.
The link below helps you understand how to use the Virus Removal Tool and how to generate the log file.

Note: for further investigation, all of the logs and tools below are mandatory.
1) Virus Removal Tool (AVPTool) to scan the system
http://support.kaspersky.com/avptool2011/start?qid=208284194

If the issue is not resolved, please send us the log files.
1) Get System Info (GetSystemInfo4)
http://www.getsysteminfo.com/download/GetSystemInfo.exe
2) AVZ System Info (AVZ4)
http://support.kaspersky.com/downloads/utils/avz4.com
Please do a scan with the AVZ tool (http://support.kaspersky.com/downloads/utils/avz4.zip):
-- Click "File" - "Database update"
-- Click "Standard scripts", check "3. Advanced system analysis with malware removal mode enabled" and "4. Collecting not recognized and suspicious files", and execute.

Then send us the "Quarantine" "Infected" and "Log" folders.

If you find a sample, please submit it to the address below:
newvirus@kaspersky.com
If you have any more questions, please feel free to contact us. We are happy to help you.


ChasLkb
The names of the files are PE_Patch.Juba and widevinecdm.dll.

The files are located in the paths below:

c:\documents and settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\WidevineCDM\1.4.1.376\_platform_specific\win_x86\widevinecdm.dll//PE_Patch.Juba


c:\documents and settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\WidevineCDM\1.4.1.376\_platform_specific\win_x86\widevinecdm.dll

I have no samples of these files as they have been deleted.
Caos
Hi,

You can restore the files from quarantine.

Regards
ChasLkb
No, I deleted them.

QUOTE(Caos @ 18.12.2013 07:52) *
Hi,

You can restore the files from quarantine.

Regards

Caos
QUOTE(ChasLkb @ 18.12.2013 12:59) *
No, I deleted them.


:(
ChasLkb
QUOTE(Caos @ 18.12.2013 08:04) *
:(


Please look at the link below:
https://www.zonealarm.com/forums/showthread...-False-Positive
Ivan Sazhin
QUOTE(ChasLkb @ 18.12.2013 16:08) *

Hello!
Unfortunately we are not able to investigate this issue without file samples.
Thank you!
derfraenk
We had the same detection in our network. On a user's computer, the file widevinecdm.dll was found in a Google Chrome Portable installation. An analysis of the file widevinecdm.dll revealed that only Kaspersky (1/48) detected the file as malicious. These are the old analysis results:
https://www.virustotal.com/en/file/24baf286...sis/1387288669/

I had sent the file to Kaspersky Labs for analysis via the web form on Dec 17th, 15:30 CET ([VirLabSRF][Malicious file analysis][M:1][LN:EN][L:0] [KLAN-1275320066]). I have not received an update from them yet, but during a scan of the file with up-to-date signatures today, the file was no longer detected as a trojan by Kaspersky. So it seems there were some signature updates. Another VirusTotal analysis also shows that the file is no longer detected as malicious by Kaspersky:
https://www.virustotal.com/en/file/24baf286...sis/1387443140/

Maybe this information is helpful for others.
Evgeny Medvedev
QUOTE(derfraenk @ 19.12.2013 12:53) *
We had the same detection in our network. On a user's computer, the file widevinecdm.dll was found in a Google Chrome Portable installation. An analysis of the file widevinecdm.dll revealed that only Kaspersky (1/48) detected the file as malicious. These are the old analysis results:
https://www.virustotal.com/en/file/24baf286...sis/1387288669/

I had sent the file to Kaspersky Labs for analysis via the web form on Dec 17th, 15:30 CET ([VirLabSRF][Malicious file analysis][M:1][LN:EN][L:0] [KLAN-1275320066]). I have not received an update from them yet, but during a scan of the file with up-to-date signatures today, the file was no longer detected as a trojan by Kaspersky. So it seems there were some signature updates. Another VirusTotal analysis also shows that the file is no longer detected as malicious by Kaspersky:
https://www.virustotal.com/en/file/24baf286...sis/1387443140/

Maybe this information is helpful for others.


Hi,

It seems that the file is not getting detected by all the mentioned anti-malware products, thus it was probably already fixed in a new bases update.

Thank You!
ChasLkb
QUOTE(derfraenk @ 19.12.2013 05:53) *
We had the same detection in our network. On a user's computer, the file widevinecdm.dll was found in a Google Chrome Portable installation. An analysis of the file widevinecdm.dll revealed that only Kaspersky (1/48) detected the file as malicious. These are the old analysis results:
https://www.virustotal.com/en/file/24baf286...sis/1387288669/

I had sent the file to Kaspersky Labs for analysis via the web form on Dec 17th, 15:30 CET ([VirLabSRF][Malicious file analysis][M:1][LN:EN][L:0] [KLAN-1275320066]). I have not received an update from them yet, but during a scan of the file with up-to-date signatures today, the file was no longer detected as a trojan by Kaspersky. So it seems there were some signature updates. Another VirusTotal analysis also shows that the file is no longer detected as malicious by Kaspersky:
https://www.virustotal.com/en/file/24baf286...sis/1387443140/

Maybe this information is helpful for others.



Thank You (-:
IT_SEC
Came up on 220 of our devices; hoping a new def release is the fix. Thanks for the info, guys.