Comments on: Another AVG false alarm
http://paulwallbank.com/2008/12/23/another-avg-false-alarm/
Society and business in the 21st Century

By: Phil (Thu, 01 Jan 2009 17:47:38 +0000)
http://paulwallbank.com/2008/12/23/another-avg-false-alarm/comment-page-1/#comment-76

Wrong, wrong, wrong…

The legitimate sysaudio.sys lives in Windows\System32\drivers. The version in Windows\System32 IS most likely a virus (actually, a trojan that manipulates Google search results to forward you to scam sites), and there’s a big giveaway.

The app that installs the trojan creates a registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2

And sets it to “sysaudio.sys”.

There’s also a variant floating around that calls itself “wdmaud.sys”. Again, the legitimate driver lives in System32\Drivers, the fake drops itself in System32.

Apparently this is related to the “yahoo counter” Javascript hack; this exploits security vulnerabilities in (IIRC) Flash, Java and various web browsers, and uses exploit code to install the trojan. The trojan then manipulates Google search results, apparently with the intention of selling the victim scamware (namely, fake antivirus software).

I’ve been picking apart this little pain-in-the-neck since it appeared on one of my machines last month. I’ve yet to get conclusive proof of the installation method, but the trojan itself is a nasty piece of work.

Feed the file to Virustotal.com and watch the scan results come in… Microsoft, AVG and a few others (notably Sophos, AIUI they were one of the first, after Microsoft interestingly enough) detect it. It’s still quite rare in AV detection checklists, and nothing recognises the new “wdmaud.sys” variant at all.

Just a small FYI.

By: sysaudio.sys is infected with the Downloader.Delf trojan | IT Queries: Computer problems answered (Tue, 23 Dec 2008 21:50:25 +0000)
http://paulwallbank.com/2008/12/23/another-avg-false-alarm/comment-page-1/#comment-75

[…] the time of writing, this appears to be a mistake by AVG, which is the third time in recent months. You should not delete or put sysaudio.sys in the virus vault as you will disable your […]