
Tuesday, 22 April 2008

Win32/Loodok!generic.2 in SYSTEM.DLL - likely false positive

We're getting a plague of these with eTrust (pattern 5723):

[time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\XXXXX\LOCALS~1\TEMP...\SYSTEM.DLL. Machine: XXXXX, User: XXXXX\xxxxx. Status: File was cured; system cure performed.

The subdirectory varies, but it is usually %user profile%\local settings\temp\ns???.tmp, where each question mark stands for a random letter or digit. You may find that the subdirectory has vanished by the time you investigate.
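As an added example (not code from the original post), the alert format quoted above can be parsed and the hits grouped by detection name and path, so that a batch of detections which all land on SYSTEM.DLL under the installer's temp subdirectory across several machines is surfaced as a candidate false positive to confirm with a second-opinion scan, rather than being treated as an outbreak. The hostnames, users and the EICAR line in the sample log are constructed.

```python
import re
from collections import defaultdict

# Fields we need from an eTrust alert line in the format quoted above:
# detection name, the path it fired on, and the machine that reported it.
ALERT_RE = re.compile(
    r"\[time (?P<time>.+?): ID \d+: machine (?P<host>\S+): response .+?\] "
    r"The (?P<name>\S+) was detected in (?P<path>.+?)\. Machine: (?P<machine>[^,]+), "
    r"User: (?P<user>.+?)\. Status: (?P<status>.+)$"
)
# The path the post describes: <profile>\Local Settings\Temp\ns???.tmp\SYSTEM.DLL
INSTALLER_TEMP_RE = re.compile(
    r"\\(?:LOCALS~1|Local Settings)\\TEMP\\ns[0-9a-z]+\.tmp\\SYSTEM\.DLL$", re.IGNORECASE
)

# Constructed sample log: hostnames, users and the EICAR line are made up.
SAMPLE_ALERTS = [
    r"[time 22/04/2008 12:54:21: ID 14: machine ws01.example.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\ALICE\LOCALS~1\TEMP\nsq3A.tmp\SYSTEM.DLL. Machine: WS01, User: EXAMPLE\alice. Status: File was cured; system cure performed.",
    r"[time 22/04/2008 12:58:03: ID 14: machine ws02.example.com: response 22/04/2008 12:58:10] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\BOB\LOCALS~1\TEMP\nsf7.tmp\SYSTEM.DLL. Machine: WS02, User: EXAMPLE\bob. Status: File was cured; system cure performed.",
    r"[time 22/04/2008 13:02:44: ID 14: machine ws03.example.com: response 22/04/2008 13:02:50] The Win32/Loodok!generic.2 was detected in C:\Documents and Settings\carol\Local Settings\Temp\nsj2K.tmp\SYSTEM.DLL. Machine: WS03, User: EXAMPLE\carol. Status: File was cured; system cure performed.",
    r"[time 22/04/2008 13:10:00: ID 14: machine ws02.example.com: response 22/04/2008 13:10:05] The EICAR-Test-File was detected in C:\DOCUME~1\BOB\Desktop\eicar.com. Machine: WS02, User: EXAMPLE\bob. Status: File was deleted.",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an eTrust alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def triage(lines, min_machines=2):
    """Group alerts by detection name and flag names whose hits all land on the
    installer temp path across several machines: a candidate false-positive storm
    worth a second-opinion scan before the alerts are treated as infections."""
    groups = defaultdict(lambda: {"total": 0, "machines": set(), "installer_temp": 0})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an alert line
        g = groups[alert["name"]]
        g["total"] += 1
        g["machines"].add(alert["machine"])
        if INSTALLER_TEMP_RE.search(alert["path"]):
            g["installer_temp"] += 1
    return {
        name: {"total": g["total"], "machines": len(g["machines"]),
               "installer_temp": g["installer_temp"],
               "candidate_false_positive": g["installer_temp"] == g["total"]
               and len(g["machines"]) >= min_machines}
        for name, g in groups.items()
    }
```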

This appears to be happening with the installer for Firefox (also tested with Netscape Navigator). You can reproduce the problem by pausing the AV scanner, starting the Firefox installer and leaving it running: the SYSTEM.DLL is clearly there in the temp subdirectory.

Apart from eTrust, VirusTotal gives it a clean bill of health.

You may also see this fire off by itself when a software package auto-updates. I can't identify exactly which installer is in use here, but it is likely to be shared by many other applications, so expect a storm of these.

As usual with false positives, expect a fix to be issued by CA very soon. The problem seems to be with pattern 5723, so updating to a later virus signature should probably cure it.

Added: Pattern 5724 also reports a positive, but the beta version of 5725 does not. You can download beta signatures from CA here.

Added: 5725 is now available for download as normal; this should cure the problem!

5 comments:

Unknown said...

Well said, dear friend.

My whole day got wasted because of this eTrust antivirus alarm (or false positive).
First, it affected Portable Firefox 3.0 beta 5 and Portable Pidgin 2.1.1.
Then, I tried to reinstall/extract fresh Portable apps; almost all gave the virus alert Win32/Loodok!generic.2.
Then, I thought portableapps had gone crazy, so I downloaded the latest stable release of Firefox (2.0.0.12).
It also gave the alert. Now almost all the executables on my system have started giving the alert.

I am eagerly waiting for a fix from CA.

Rakesh G said...

See the solution for the virus at

http://sqlfundas.blogspot.com/2008/04/loodokgeneric2-problem.html

Rakesh G said...

Also solution available at http://bulletproofresearch.blogspot.com/2008/04/loodokgeneric2-problem.html

Rakesh G said...

The latest CA fix is available: see http://bulletproofresearch.blogspot.com/2008/04/loodokgeneric2-problem.html

Unknown said...

Thanks for the info! I hit this last night and there were no hits for Loodok!generic.2. It was driving me nuts.