VMware Communities
DarrenStewart
Contributor

Virtualisation affected by Malware or Driver issues

Good Afternoon,

I have noted some documentation that is around the forums, and seeing it reminded me of a process I worked my way through when I was researching a malware/system issue some time ago. Because it may be relevant to more than one VMware product, I'm posting this in a full-disclosure and open way.

I am aware the issue may already be well understood and known, but add my info anyway in the hope that it is helpful.

The company I talked to at the time have now had a large amount of time and leeway and as far as I know have actioned this, and removed the drivers from the website. At this point I wish to make it clear that the vendor co-operated and assisted me with this. They were disappointed in finding the issue, but conceded that they did not write the drivers themselves, and had limited ability to do much more than remove them.

Now, the product that I traced the issue to was a Dynamode M8000 camera. However, in addition to this and during discussions with Dynamode, it is clear that this is one of many OEM cameras/web cameras available from China and the Far East, and as such, the primary issue is with driver development and malware/poor behaviour. Therefore, the issue will likely be much wider and may affect a larger number of cheap OEM cameras in a wider sense, and I don't know how widely known or understood this may be, so apologies in advance if it's already a well-known issue.

During the examination and research, the driver breaks or causes problems with VMware products. It's also picked up by Comodo and labelled as malware (VMkiller) by them. I can confirm that installing the product causes problems with VMware, and I presume this is why it is being labelled as malware by some security vendors, because of this interaction or issue.

Sophos is finding this, and Comodo shows the following malware/problem files in its examination:

Came8c37.rra

And

CameraFixer.exe

I believe that the files also affect systems by way of a renaming or changing of their names to 'FixCamera.exe' and 'WebCam.exe'.

In testing this affected Windows XP systems and Windows 7 systems - and in particular, it affected VMware products and caused issues with Virtual Machines. This may be accidental or by design. It affected multiple VMware products in my tests, usually with VMs refusing to start/VMware services not working correctly.

In checking the files, we took the archives and uploaded one of the culprits, 'fixcamera.exe', into:

http://virscan.org/report/6ef0d7578bb6fa15b6c7ad3e45b10ef6.html

And as you will see, the file is picked up by various vendors in a way that indicates some behaviour regarding the effect on VMs is known or understood and is cited as VMkiller.suffix.

As I wrote earlier, I worked the issue through with Dynamode, who were helpful and took down the offending drivers. They also confirmed that the drivers come packaged via OEM and in general are not written by Dynamode, but by third-party OEM providers. The drivers are unsigned in nature, and as such have a questionable position in terms of system stability/security anyway. It is very, very likely that a much wider issue exists within the area of cheap OEM cameras and drivers. Dynamode assisted this process by the removal of the drivers from their support site. They were not able to provide updated drivers due to the OEM issue.

The drivers supplied came in a setup.exe package, and not as unpacked inf driver files, which helped obscure the issues the driver created, accidentally or not.

Advice to the community

1. Avoid cheap OEM web cameras if you can. Check the drivers to see if they are an executable, rather than open .inf files.

2. Try to ensure the camera is from a well-known brand. Due to the OEM issue, your mileage may vary on this.

3. Don't run cameras or webcams at all on your virtual machines unless you have to. If your VM software or VMs are affected by issues, check against executables running that may be from some camera drivers. I've noted quite a few postings make comments about similar worked 'cam.exe' variants -

I know of fixcamera.exe and camfix.exe, but there may be others people have come across.

4. If you find a culprit, it may be worth uploading to virscan.org or similar to see if the file has a well known signature.

I noted some suggestions of just killing the process. This may allow an initial run, but may cause issues on the next reboot in terms of VMs. I suggest hunting down the installation if you have one rather than killing the process off.

If anyone from VMware would find the comms useful, please feel free to contact me, I will pass on what I have.

Darren

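The post recommends hunting down the installation rather than killing the process, checking whether the supplied drivers are signed, and uploading a suspect file to virscan.org to look for a known signature. The script below is an added example that does those checks on a Windows host; it is not part of the original post and not from Dynamode or VMware. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash is not available earlier), takes the executable names from the thread (fixcamera.exe, camfix.exe, CameraFixer.exe, WebCam.exe), and builds the virscan.org report link on the same pattern as the link in the post; whether that URL pattern is still served is an assumption.

```powershell
# Added example (not from the original post). Finds the camera-driver
# executables named in the thread, locates the installation that owns them,
# reports unsigned imaging drivers, and prints MD5 hashes for lookup.
# Assumes an elevated PowerShell 4.0+ session on Windows.

$suspectNames = @('fixcamera', 'camfix', 'camerafixer', 'webcam')   # process names, no .exe
$suspectFiles = $suspectNames | ForEach-Object { "$_.exe" }

Write-Host "== 1. Suspect processes currently running =="
Get-Process | Where-Object { $suspectNames -contains $_.ProcessName.ToLower() } |
    ForEach-Object {
        $path = $null
        try { $path = $_.Path } catch { }   # Path can throw for protected processes
        Write-Host ("{0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $path)
    }

Write-Host "== 2. Installed programs to remove instead of killing the process =="
# Both native and WOW6432Node uninstall hives; the match is a broad keyword
# filter on the display name so OEM-branded camera packages are not missed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'cam|webcam|dynamode' } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString |
    Format-List

Write-Host "== 3. Imaging/media PnP drivers and whether they are signed =="
Get-WmiObject Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -in @('IMAGE', 'CAMERA', 'MEDIA') } |
    Select-Object DeviceName, DeviceClass, DriverProviderName, IsSigned, InfName, DriverVersion |
    Format-Table -AutoSize

Write-Host "== 4. Suspect executables on disk: signature status and MD5 for virscan.org =="
# Search roots are filtered so an empty ProgramFiles(x86) on 32-bit hosts
# does not break parameter binding.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                 "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
               Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $searchRoots -Recurse -Include $suspectFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            File      = $_.FullName
            Signature = $sig.Status          # NotSigned / Valid / HashMismatch ...
            MD5       = $md5
            # Report URL pattern copied from the post; assumed still valid.
            VirScan   = "http://virscan.org/report/$md5.html"
        }
    } | Format-List
```

Section 2 is the part that addresses the "don't just kill the process" advice: the UninstallString it prints is what you run to remove the package so the executable does not return on the next reboot. Section 3 shows IsSigned for each imaging driver, which is the quickest way to confirm the "unsigned in nature" observation on your own host before deciding whether to keep the device.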