Topic: Virus on 2.4.2? Johab.so Suspicious.Cloud.7.F

[paulalbinson]

Hi,

I downloaded Apache httpd 2.4.2 for 32 bit windows and Norton 360 says it has a virus in file Johab.so and it is Suspicious.Cloud.7.F and removed the file. Is this a virus and if so when will a fix be available?

I have been sceptical in the past of using Apache Lounge as it isn't official and this makes me worry if it is safe to use.

Any advice would be greatly received.

Thanks
Paul

[glsmith]

Hard to know where you picked it up from as there is no johab.so file in the zip files here to download. I just downloaded and looked at all four 2.4.2 downloads available here. Just cause it is .so doesn't mean it has anything to do with Apache either. Looking at what is below, looks like it is from some fake anti-malware program.

johab.so description and related error

By default, the johab.so is located in directory of C:\Progam Files\Common Files. The most common size of the johab.so on Windows system is 108,648 bytes. You may also find it in 14,336 bytes (86% of all occurrence), 12,800 bytes, 13,312 bytes, 13,437 bytes, 18,589 bytes and 19,364 bytes sizes.

johab.so is also known to create the following error messages when the system is shutting down:

The instruction at "0x059a2df" referenced memory at 0x059a2df" the memory could not be written. Click OK to terminate the Program.

%UserProfile%\Application Data\<affiliate id>\

%UserProfile%\Start Menu\Malware Destructor.lnk

%UserProfile%\Start Menu\Programs\Startup\Malware Destructor.lnk

%UserProfile%\Application Data\PAV\

%UserProfile%\Application Data\antispy.exe

%UserProfile%\Local Settings\Temp\kjkkklklj.bat

%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\smmservice.exe

%Documents and Settings%\All Users\Application Data\mswd\

[paulalbinson]

Hi,

Thanks for taking a look at it.

I downloaded both 32 bit versions and johab.so in both it is in bin/iconv. It identified it as a virus on the httpd-2.4.2-win32-ssl_0.9.8u.zip version but it didn't alert me to a virus for that file in the httpd-2.4.2-win32.zip version but this is probably because it has already blocked it for suspicious activity. When I tried it before it was a virus in both versions.

Thanks
Paul

[Steffen]

It is a false heuristic positive, way back I had one more report on johab.so and norton. With other downloads it is seen more with the Norton malware-heuristic scanning.

To take your worry away, I removed johab.so from all the downloads. If someone need it, contact me.

Before downloads made available, it is scanned with Eset and MS Essentials, they are not complaining about johab.so.

Thanks for reporting.


Steffen

[paulalbinson]

Hi Steffen,

Many thanks for sorting it.

Regards
Paul

[James Blond]

[Steffen]

It is in the iconv(Charset Conversion Library) folder. Is was there always.