Can a dll file be a virus

Is this a false positive or valid? https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/1425504500/

EDIT: Latest https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/

Edited by Enterprise256, 05 March 2015 - 02:49 PM.


#2 White Hat Mike

> Is it possible to have a virus on a DLL file?
>
> Is this a false positive or valid? https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/1425504500/
>
> EDIT: Latest https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/

Malware can certainly exist in a DLL as well as many other file types. Often DLLs can be converted to EXEs simply by editing some characteristics within the file's PE header. The execution of an EXE versus a DLL differs as well.

Without looking too much into it, it could be a false positive, but the suspicious metadata leads me to think that it likely contains malicious content. Perhaps not something as malicious as some major Trojans and other malware, but maybe it has adware/browser hijackers/other PUPs wrapped within the binary data, deeming it more so benign in nature.

I would not trust the file and would determine that it's "unclean". Not sure what it is (is it from a game?) but be sure that you're only downloading software from trusted sites; when downloading games and other applications of that nature, malware in all forms is common. The chance that it is malicious increases if retrieved via a torrent.

Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com

#3 Aura (Bleepin' Special Ops, Malware Response Team)
Posted 05 March 2015 - 03:24 PM


Is it possible for you to upload that file to a website like ge.tt or mega.co.nz and post the non-direct download link here, so members like White Hat Mike or Didier could analyze the file and see if it's malicious or not?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter |
SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.

#4 Enterprise256 (Topic Starter)
Posted 05 March 2015 - 03:44 PM


 


> Malware can certainly exist in a DLL as well as many other file types. Often DLLs can be converted to EXEs simply by editing some characteristics within the file's PE header. The execution of an EXE versus a DLL differs as well.
>
> Without looking too much into it, it could be a false positive, but the suspicious metadata leads me to think that it likely contains malicious content. Perhaps not something as malicious as some major Trojans and other malware, but maybe it has adware/browser hijackers/other PUPs wrapped within the binary data, deeming it more so benign in nature.
>
> I would not trust the file and would determine that it's "unclean". Not sure what it is (is it from a game?) but be sure that you're only downloading software from trusted sites; when downloading games and other applications of that nature, malware in all forms is common. The chance that it is malicious increases if retrieved via a torrent.

It's a component of an aircraft for Flight Simulator X.

> Is it possible for you to upload that file to a website like ge.tt or mega.co.nz and post the non-direct download link here, so members like White Hat Mike or Didier could analyze the file and see if it's malicious or not?

Of course. Here it is.

http://ge.tt/5NbquhB2/v/0?c

It should be 8.54MB once downloaded. (For some reason it shows 8.9 on the website.)


#5 White Hat Mike
Posted 05 March 2015 - 04:14 PM


 


 


> It's a component of an aircraft for Flight Simulator X.
>
> Of course. Here it is.
>
> http://ge.tt/5NbquhB2/v/0?c
>
> It should be 8.54MB once downloaded. (For some reason it shows 8.9 on the website.)

The download is not working for me. Could you upload it to Mega?



#6 Enterprise256 (Topic Starter)
Posted 05 March 2015 - 04:54 PM


 


 


 


> The download is not working for me. Could you upload it to Mega?

Alright.

https://mega.co.nz/#!CZ8z1LBb!-y4mhUXmnI5qtqKMHMS1wulo4Hgk-FWGJR6jDJ2ICsk


#7 White Hat Mike
Posted 05 March 2015 - 05:56 PM


Can't give you a definite answer as I didn't break it down in depth.

While I believe it could be clean, it definitely fits the benign category at best. As stated before (and Didier stated below), the metadata is incredibly suspicious. Common for a third-party mod, but with a mod you never actually know what they put inside the file (from a normal user standpoint). It also appears to be packed.

Edited by White Hat Mike, 05 March 2015 - 06:30 PM.



#8 Didier Stevens (BC Advisor)
Posted 05 March 2015 - 06:08 PM


Flight Simulator X is from Microsoft and dates from 2006, right? Do third parties provide extensions to this flight simulator, like added aircraft models? Because the metadata makes me believe that this DLL was not compiled by Microsoft.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2022

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the appropriate forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

#9 Aura (Bleepin' Special Ops, Malware Response Team)
Posted 05 March 2015 - 06:10 PM


Yes Didier, there's a lot of mods that exist for Microsoft Flight Simulator. Maps, skins, planes, etc., the whole thing. It's pretty much like Garry's Mod.

#10 Didier Stevens (BC Advisor)
Posted 05 March 2015 - 06:19 PM


So it's possible that someone compiled this just 2 weeks ago? And is it usual to use packers for the executables?

#11 White Hat Mike
Posted 05 March 2015 - 06:28 PM


> Flight Simulator X is from Microsoft and dates from 2006, right? Do third parties provide extensions to this flight simulator, like added aircraft models? Because the metadata makes me believe that this DLL was not compiled by Microsoft.

> Yes Didier, there's a lot of mods that exist for Microsoft Flight Simulator. Maps, skins, planes, etc., the whole thing. It's pretty much like Garry's Mod.

> So it's possible that someone compiled this just 2 weeks ago? And is it usual to use packers for the executables?

This is why I think that it might not be safe. The metadata simply doesn't make sense; it looks like a template that was never modified (i.e. "Your Company" as the company name). Microsoft would not build and distribute a DLL with such metadata.

The DLL does not exhibit any blatantly obvious malicious behavior with standard checks, and it being packed might lead it to be flagged by various AV engines. I didn't know that this was a mod, meaning a third-party user compiled it and it could really be anything. I wouldn't trust it.


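The posts above judge the file from its PE header (DLL characteristics bit, version metadata, compile timestamp) and from it being packed. As an added example that is not code from the thread or from any poster, the pure-Python script below reads exactly those fields from a PE image without executing it: the IMAGE_FILE_DLL bit, the TimeDateStamp, and per-section Shannon entropy as a rough packer heuristic. It runs offline on minimal PE images constructed in-line (offsets follow the PE/COFF file header and section table layout); the entropy threshold is an assumption, not a rule.

```python
import math
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000  # FileHeader.Characteristics bit that marks a PE image as a DLL

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))))

def triage_pe(blob: bytes) -> dict:
    """Read the PE file header and section table; nothing is loaded or executed."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER starts right after "PE\0\0"
    num_sections, timestamp = struct.unpack_from("<HI", blob, fh + 2)
    opt_size, characteristics = struct.unpack_from("<HH", blob, fh + 16)
    sec = fh + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = sec + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        sections.append((name, round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 2)))
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "timestamp": timestamp,
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d"),
        "sections": sections,
        "looks_packed": any(e > 7.0 for _, e in sections),  # assumed threshold, a hint only
    }

def build_sample(is_dll: bool, payload: bytes, timestamp: int = 0) -> bytes:
    """Constructed minimal PE image with one section (test input only, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    flags = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # 0x0002 = IMAGE_FILE_EXECUTABLE_IMAGE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, flags)
    raw_ptr = e_lfanew + 4 + 20 + 40  # DOS stub + signature + file header + one section header
    sec_hdr = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + file_hdr + sec_hdr + payload

if __name__ == "__main__":
    # constructed timestamp (Feb 2015) mirrors the "compiled two weeks ago" question in the thread
    print(triage_pe(build_sample(True, bytes(1024), 1425000000)))          # flat section: not packed
    print(triage_pe(build_sample(False, bytes(range(256)) * 4, 1425000000)))  # uniform bytes: packed-looking
```

Run it on a real file with `triage_pe(open(path, "rb").read())`; a high-entropy `.text` plus template version info is a reason to keep digging, not a verdict.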

#12 Enterprise256 (Topic Starter)
Posted 05 March 2015 - 07:27 PM


> Can't give you a definite answer as I didn't break it down in depth.
>
> While I believe it could be clean, it definitely fits the benign category at best. As stated before (and Didier stated below), the metadata is incredibly suspicious. Common for a third-party mod, but with a mod you never actually know what they put inside the file (from a normal user standpoint). It also appears to be packed.

Right. I'm not sure what to do at this point... Hm.

The DLL is run when the aircraft is loaded into Flight Simulator X and is required for it to run.

The thing that's putting me off is when I read "Malware_Prot.AJ" on virustotal and did a google search.

It's used for this addon to be specific... http://majesticsoftware.com/mjc8q400/


#13 Didier Stevens (BC Advisor)
Posted 06 March 2015 - 11:00 AM


I searched through VirusTotal and found 3 files with the same name.

https://www.virustotal.com/en/file/e526c3df6d5a44e76759d1aca8d13660afdf1fe742c82c5b44c10cef459d7cba/analysis/

https://www.virustotal.com/en/file/1a906a298bb6c6bc0cb84b2609f99fa17b2bc34689c678b46770ea99b054a21e/analysis/

https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/

That first file is not packed, has the same version information, and has no detections.

I wonder if the packed files are modifications of the first file (done by somebody else than Majestic Software)?



#14 Enterprise256 (Topic Starter)
Posted 06 March 2015 - 01:14 PM


How complex is it to look into the dll to figure out if it's actually doing anything malicious? Would I be able to do it myself with some time? My guess is not. :|

The first one is from an older revision of the package.

Edited by Enterprise256, 06 March 2015 - 01:16 PM.


#15 Didier Stevens (BC Advisor)
Posted 06 March 2015 - 02:25 PM


The size of the DLL is substantial. I guess it would take months, if not years, of 1 FTE to analyze everything this DLL does.

But before you can start disassembling and decompiling it, you have to unpack it.

Unpacking is often a challenge, because the packers are designed to make unpacking for reverse engineering hard.

If these 3 DLLs all come from the same source (Majestic Software), then they recently started to pack the DLL to protect it against snooping eyes.

One way to check the DLL is to unpack it, and then submit it to VT. But unfortunately, these packers have no unpacker.

If I have time, I'll have a go at it by running it in a VM and dumping it from the process memory.

