Gumblar: Modified Sqlsodbc.chm Clue to Infection
As seen in this VirusTotal report, antivirus detection of the Gumblar malware is inconsistent. Gumblar includes a password stealer as well as a Web traffic interceptor, so an infection that goes undetected has serious consequences.
A common denominator among Gumblar infections on victim PCs is that the malware modifies sqlsodbc.chm, a help file that ships with Windows. With antivirus detection hit or miss, one good method of checking for infection is to verify that the installed sqlsodbc.chm has not been modified.
On May 18th, I asked a former colleague at Microsoft whether they would provide the SHA1 hashes and file sizes of known-good versions of sqlsodbc.chm, since these vary by language and are difficult for non-Microsofties to determine. Today, Microsoft released that list, provided below.
To check your own system, locate sqlsodbc.chm in the Windows system folder (under Windows XP the default location is C:\Windows\System32\). Compute the SHA1 of the installed sqlsodbc.chm and compare both the hash and the file size with the list below. Only a row where both the SHA1 and the file size match confirms a known-good file; if no entry matches, the file may have been modified, which could indicate a Gumblar infection. The hash is the meaningful test, not the size alone: a file whose size appears in the list but whose SHA1 differs has still been altered.
| SHA1 | File Size (bytes) |
| --- | --- |
| 005AAD8912A62127A2F416AA9FD089000D24851A | 97892 |
| 03C9CD0D8E90DD8754F8488A085359C818A28A90 | 97053 |
| 0DB4AB7E18991BF64139E7078249679098C85F2C | 97758 |
| 17257DF49E03DAF2BA1FA286FBE2C14802ACCD2A | 97176 |
| 1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5 | 49771 |
| 236F25115C31DBFEB11D9BF12B620266F46BA041 | 96647 |
| 2667D90C7B0CBCC212B8C9143C28C7AD5105BE49 | 97746 |
| 2803AD07C1C7A8908BBDB5F7AB32A19C9A724ECC | 98124 |
| 2915AA45C3FAF60137402270F0C915C0F5CA2CD1 | 96945 |
| 2C73542A1598AEA03F7927ECF8F7156106037D67 | 96975 |
| 2D570F7E8CD9DFED179996AC40F7F7EF7AC99E93 | 95765 |
| 2EA3BAFD66A74ADC6B835F31BD4E4A228F666A5D | 95739 |
| 309FF9840F53DFF406EC580063A9975224F626DE | 97015 |
| 30AE3FF04C8D486A5BE77ACB0939B06AF626F17D | 48693 |
| 328BB23CEF7816035E32B3BF28A9F9606B9FF255 | 96851 |
| 34F96E4305B6E28B966F15E9845748E44AF35762 | 97393 |
| 38A8E15E68D64670016E62D6D2150F812CD31298 | 97250 |
| 44A4B285C1B27FEB36E0E0C3D0081A63241AE6AF | 97369 |
| 487AA6CDB994E1855B33C1F3B0BE522C36540E56 | 97216 |
| 540F94FA630BB64529F656C6EAA4F48A3F87756D | 98700 |
| 5690D97E9F9E913431AA9453D0185F2665A713CC | 97035 |
| 583C919DF623E4B8A7B3EFAD6D2E1C792B823D5D | 98100 |
| 58BC35673C8B1F751CD0584A6914740B2F3DCAAE | 96705 |
| 5A658A36EF43147CB3F1DBC4276EA82A239BF8FA | 49345 |
| 5FBA738B9698AA61645CFFE3AD95192C4BACDC49 | 97260 |
| 61CBFAB7CB5AB27EED9193F225B77E2EF6BA7321 | 49648 |
| 62ABAB09DFD971A90C2030BE44778206991CE2D6 | 97268 |
| 6441922698A8CD80A2FC0AE15EFDAF0A0208F50B | 96941 |
| 694BDB08101AD5C18BB5B3425EE01073320B8D8E | 97667 |
| 6BE7E7A20D2AB835C78EB8F3759C304888B86BD4 | 97304 |
| 6DB4B4F065610CAE100FBDB850AFC9F16C76AB65 | 98753 |
| 6EAEBB4ADCB8B240571D447A1EE9B665F6C181D2 | 96827 |
| 752211F65B693C721E27785FCC6C74E9B71997E9 | 96903 |
| 7E98241E1B21361CC02DC88EB57C9BB9CF1F4239 | 49092 |
| 82B79C07941775B6072D97D5D033E45E8D3C6FDF | 98469 |
| 87230AD4C2646376B819DDA4963DD2C49BC50D7A | 46133 |
| 8FD4C3533D648A14C8183D6F3A3AFEF3D1CC75CE | 97640 |
| 91BD59E2BB7B9ED95B1DF85B314EA8FF0B3B86FD | 98074 |
| 9625698340941EB6D519A219396296E45FDCF7DB | 36253 |
| 97586996280F2A61AE5193DB827C44300BF27FCD | 96675 |
| 9811B4A14E3196AAC93DF7CE2F50C84030AA7D13 | 97232 |
| 9BA779EE746DCC5A44B30BDA6436E07997236E52 | 97146 |
| 9E1E2EDDA59BDE29226CAD2D5BDA5A954BFCA5DC | 94792 |
| 9F7658F361D9F1398DD90707EDE01F0032991946 | 48475 |
| A09564B76C13C8470A44509A17B4B6023295A361 | 98770 |
| A310EF2F35A8670F6C4B7872073F94764C23FA08 | 48095 |
| A3E367F7F30A9BF9064DEFBF94C36F4EB7CA4C0A | 95800 |
| ABB417B6F06F8C18F92DCD62D9BC9F2284F468E9 | 97740 |
| B194BB244FF0FD101DCDA79CD8FFC8D33C392D13 | 94808 |
| C6CD44574CC0F5BAC24DE85B0933A132B3A0D684 | 50004 |
| C97875A6819A3F675ABE42C8BB870E191102C94C | 98724 |
| C98D1FF5D9E1D8366CF130899BC210EBE54E77F8 | 98955 |
| CA58E7CA1EE50FB8EB7428064DFE84381EEDB453 | 95771 |
| CD3B8E1C9C1096C635AA7B37D545C9B0CA241F70 | 101112 |
| CF2DA46516BE3FC6312C2F05DF33C6A05F8562D7 | 48343 |
| D6ED920D3D0ACEB52930A753256A21D43AE1899E | 97087 |
| D7E22080BF67CA6AE29BB12A51E865C22DDA48F7 | 101136 |
| DA27CBA986161938C5086BB5C94FBBAB523B1F37 | 97791 |
| DF025689B1E2E3C813969828AF26573BA4E2F23A | 98800 |
| E42C0D9D4669D41F8AB45F31F12B405489F39AFD | 95808 |
| E5EDDC4EF26EED5A64E4B4C509F01E224238D3C6 | 48401 |
| E634C31114AE87D026812748E791402D69C6D996 | 97949 |
| E667F70144423A645C6BC67CE01424F720594320 | 95909 |
| E79A39606A2067120AEF63431F2C073B4B9298DC | 97200 |
| E9B9F0A53ED36C9464E4C4C154878742F1CA6EC6 | 96965 |
| EAF20A3BC180FFE0AD59FF7AC786A5FC27DB0C3B | 97662 |
| EB60EEFA1AD57FA27E661032329AD9AF5FD243DA | 97033 |
| ED9E18A7E5EE245B77CFB4FC560013849072C943 | 96927 |
| EF7A63AC6A45FA3BD6DD7390CA60462F61A6FCB2 | 47721 |
| F3AF84FA7D5536E54F6A5357F3AC5AEDFA7EE52A | 49249 |
| FA0E76E509A8DF67B36B20BCBD0F6E4406DF32BA | 100493 |
| FAEFB399B9FFEBA156D31E2A0DE4195793300343 | 98052 |
| FBDD32ED13D27E4102621E1067FDF3634F33B2C3 | 50727 |
| FBFFF74687F608887E277068ED0390BD04CCF506 | 98977 |
| FEDDBA02158D0425E5895439663C0481CA3911E6 | 94850 |
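The check described above, scripted as an added example that is not part of the original article: it parses rows in the SHA1/size layout of the table, fingerprints each copy of sqlsodbc.chm it finds, and reports whether both the hash and the size agree with a known-good row. The three rows embedded in the script are copied from the list above for illustration only; a real run should paste in the complete table. The search locations (System32 as in the article, plus the Help\mui\<LCID> and winsxs copies that Vista readers report in the comments) and the SystemRoot fallback are assumptions of this example, not something the article specifies.

```python
import hashlib
import os
from pathlib import Path

# Known-good (SHA1, size) rows. These three are copied from the Microsoft list in the
# article purely for illustration; paste the complete table here for a real check.
KNOWN_GOOD_TABLE = """
| SHA1 | File Size |
| 005AAD8912A62127A2F416AA9FD089000D24851A | 97892 |
| 1B10F5F97E2B7159C872B3576D72B4CF2AD2FFB5 | 49771 |
| 87230AD4C2646376B819DDA4963DD2C49BC50D7A | 46133 |
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_known_good(table_text):
    """Build {SHA1 (uppercase hex): size} from table rows; header and stray lines are skipped."""
    known = {}
    for line in table_text.splitlines():
        parts = line.replace("|", " ").split()
        if len(parts) != 2:
            continue
        sha1, size = parts
        if len(sha1) != 40 or not set(sha1) <= HEX_DIGITS or not size.isdigit():
            continue
        known[sha1.upper()] = int(size)
    return known


def fingerprint(data):
    """Return (SHA1 as uppercase hex, size in bytes) for a file's contents."""
    return hashlib.sha1(data).hexdigest().upper(), len(data)


def classify(data, known):
    """'match'     : hash and size agree with a known-good row, the file is unmodified.
    'size-only' : size equals a known build but the hash differs, contents changed, treat as suspect.
    'unknown'   : neither matches, possibly modified, or a build the list does not cover."""
    sha1, size = fingerprint(data)
    if known.get(sha1) == size:
        return "match"
    if size in known.values():
        return "size-only"
    return "unknown"


def candidate_paths(windir=None):
    """Locations to check (assumed): System32 as in the article, plus the Help/mui/<LCID>
    and winsxs copies that Vista readers report in the comments."""
    windir = Path(windir or os.environ.get("SystemRoot", r"C:\Windows"))
    yield windir / "System32" / "sqlsodbc.chm"
    yield from (windir / "Help" / "mui").glob("*/sqlsodbc.chm")
    yield from (windir / "winsxs").glob("*mdac.resources*/sqlsodbc.chm")


def check_system(known, windir=None):
    """Fingerprint every copy found and return (path, sha1, size, verdict) tuples."""
    results = []
    for path in candidate_paths(windir):
        if path.is_file():
            data = path.read_bytes()
            sha1, size = fingerprint(data)
            results.append((str(path), sha1, size, classify(data, known)))
    return results


if __name__ == "__main__":
    known_good = parse_known_good(KNOWN_GOOD_TABLE)
    for path, sha1, size, verdict in check_system(known_good):
        print(f"{verdict:9} {sha1} {size:>6} {path}")
```

Run it on the PC being checked; a verdict of "match" on every copy found is the clean result. An "unknown" verdict on a copy whose hash is not in the list is a reason to investigate further rather than proof of infection by itself, since a language build missing from the list would also fail to match.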

Mary Landesman
Reader Comments (17)
To check SHA1 of a file, send it to VirusTotal.com and you will see it in the "Additional information" section of the report.
w00t, not infected :)
Vista SP2 ... search turns up 3 locations on my laptop.
Paths are:
"C:\Windows\Help\mui\0409\sqlsodbc.chm"
"C:\Windows\winsxs\x86_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.0.6000.16386_en-us_cf8e930b25996837\sqlsodbc.chm"
"C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.0.6000.16386_en-us_cf8e930b25996837_sqlsodbc.chm_92fe0a89"
Thank you for this information. It has been very helpful.
Good job of providing this information and getting Microsoft to provide it! (Too bad Microsoft didn't come up with it on its own.) Thanks for being (and remaining) vigilant.
Did you download FileAlyzer?
Thanks for the info. My SHA1 and file size are good as of today, and hopefully will stay that way.
How do I find the info on Vista, I followed the above and could not locate the sqlsodbc.chm file.
Thanks for your help.
I have an SQLODBC.CHM that matches none of the entries on this list - it is dated August 27th 2004 and has a length of 47,532 bytes. However, it is in Danish. Could it be that the list provided contains only English versions?
(The file scans all right in ZoneAlarm Antivirus.)
Brgds, Jesper
Apparently mine wasn't modified. Do I really need this file if it was modified?
I followed the instructions in the article and the SHA1 numbers did match what I found in my System32: 87230AD4C2646376B819DDA4963DD2C49BC50D7A 46133. Thanks for this info.
Is my website infected?
I checked the SHA1; on my computer it's 1323.
My SHA1 is 98438BFABD720DF8D54862BF0ED0C818789FACFC.
I don't find this in the list below.
Does that mean that my computer is infected?
Thanks for helping me.
this app is very helpful. thanks for making this one public. more power!
The SHA1 on mine is also 87230AD4C2646376B819DDA4963DD2C49BC50D7A and its size is also 46133.
Thanks for the info!
Thanks for posting this info.
Yeah, cheers for posting! Glad I seem fine.
I am also having same problem.
I checked the sqlodbc.chm file on my computer; it has size 1323. This size is not in the above list. Am I affected by this worm?