Does this file (keyfinder.exe) really have W32.W.Kolab?


The file "KeyFinder.exe", which is a component file inside, is being flagged as:

W32.W.Kolab (detected by AegisLab)

Only Aegislab is giving a positive detection on that file.

A .dll and an .ocx file that are also part of this package come back
with no detections.

The program in question is known as the SterJo Key Finder v.1.8

This was the portable version I was submitting to VT.  There are no
comments or votes on VT regarding these files.

There is almost nothing on the net regarding "Kolab" (in relation to
malware) other than this: has a file-submission interface, which works but does not
follow through and give any indication that it's performing an analysis
or will display any scan results.


Re: Does this file (keyfinder.exe) really have W32.W.Kolab?

"Virus Guy" wrote:


It's a false positive.

The exe is written in classic Visual Basic (VB6) with no obfuscation
or other trickery. Everything (strings, API calls, form structure) is
in plain sight. The file is signed with a valid certificate and the
author has a web site with several other utilities and a social media
presence. It'd be quickly found out if Sterjosoft was deliberately
spreading malware.

Since the program recovers product keys from MS and other vendors'
applications, there are many references to places in the registry
where the info is stored. It's quite likely that this is the reason
for the detection. Also there are API calls to URLDownloadToFile and
ShellExecute. These are to download the latest database and launch a
browser to the site, so are benign.

If you were planning to run this on Win98, it will only work on XP and
above. To my mind this rather negates the point of writing it in VB6,
but so much necessary use of the Win32 API is made that I guess he
was tempted to use some newer funcs for convenience and appearance.
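The triage in the reply above (plain-sight strings, a handful of download/execute imports, lots of registry paths for product keys, a WMI query) can be done mechanically before trusting or dismissing a single engine's verdict. The script below is an added example for this thread, not code from the original posts or from SterJo: it pulls printable ASCII and UTF-16LE strings out of a file (VB6 stores string literals as UTF-16) and sorts the ones that commonly trip heuristic engines into categories, so a reviewer sees them in context. The category names, the indicator lists and the sample bytes at the bottom are this example's own constructions; the API names, registry value names and the WMI query are real.

```python
"""Static triage of a Windows binary flagged by a single AV engine.

Added example for the thread, not SterJo's code. Extracts strings the
way the reply's manual analysis does and buckets the ones worth a
second look. Categories and thresholds are this example's own choices.
"""
from __future__ import annotations

import re
from collections import defaultdict

MIN_LEN = 6  # shortest run of printable characters we treat as a string

# Indicators grouped by what a reviewer wants to see side by side.
# Names are real Win32 / registry / WMI identifiers; the grouping is ours.
CATEGORIES = {
    "download/execute APIs": ("URLDownloadToFile", "ShellExecute",
                              "WinExec", "CreateProcess"),
    "product-key registry paths": ("DigitalProductId", "ProductID",
                                   "CurrentVersion\\Uninstall"),
    "WMI queries": ("SELECT * FROM",),
    "URLs": ("http://", "https://"),
    "VB6 runtime": ("MSVBVM60", "VB5!"),   # VB6 runtime DLL and VB header magic
}

# ASCII runs, and UTF-16LE runs (printable char followed by a NUL byte).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> list[str]:
    """Return ASCII strings followed by UTF-16LE strings found in data."""
    narrow = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return narrow + wide


def triage(data: bytes) -> dict[str, list[str]]:
    """Bucket extracted strings by category; unmatched strings are dropped."""
    hits: dict[str, list[str]] = defaultdict(list)
    for s in extract_strings(data):
        low = s.lower()
        for category, needles in CATEGORIES.items():
            if any(n.lower() in low for n in needles) and s not in hits[category]:
                hits[category].append(s)
    return dict(hits)


# Constructed stand-in for the interesting bytes of a VB6 key-finder exe.
# NUL padding between sections keeps an ASCII run from bleeding into the
# start of a UTF-16 string (a classic strings-tool artifact).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"MSVBVM60.DLL\x00"
    + b"URLDownloadToFileA\x00ShellExecuteA\x00RegOpenKeyExA\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId"
      .encode("utf-16-le") + b"\x00\x00"
    + "SELECT * FROM SoftwareLicensingService".encode("utf-16-le") + b"\x00\x00"
    + "http://example.com/update.db".encode("utf-16-le") + b"\x00\x00"
    + b"VB5!6&*" + b"\x00" * 8
)

if __name__ == "__main__":
    for category, strings in triage(SAMPLE).items():
        print(category)
        for s in strings:
            print("   ", s)
```

Run it against a real file with `triage(open(path, "rb").read())`. A hit in "download/execute APIs" next to a single update URL and a pile of product-key registry paths is the profile the reply describes; the same APIs next to temp-directory paths or a raw IP would deserve a closer look. RegOpenKeyEx is deliberately not listed: nearly every Windows program imports it, so it carries no signal.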

Re: Does this file (keyfinder.exe) really have W32.W.Kolab?

Ant wrote:

Thanks for the analysis.


With KernelEx I can still trick it to run (or at least start) under
win-98, but almost immediately I get:

Run-time error 429
ActiveX component can't create object

Re: Does this file (keyfinder.exe) really have W32.W.Kolab?

"Virus Guy" wrote:


So KernelEx must be returning a version of 5.1 (XP) when the program


Not very helpful. Which component and which object? The resources.dll
is implemented as a COM server but has nothing specific to XP.

Even if it got past this error it probably still wouldn't work. It's
using a registry key for XP Themes and also using WMI (Windows
Management Instrumentation), e.g:

"SELECT * FROM SoftwareLicensingService"

Does KernelEx implement this?
