McAfee Virusscan: Generic.dx!sux - false positives?




Hey everyone!

Struck with nostalgia, I wanted to download all the messagemates at
   http://www.screenmates.com/archives.htm
recently, and I discovered some new ones (and not all of the old ones :(
- I decided to download all of them, and came upon a virus warning on
the "DeathWish Dog":
   http://www.screenmates.com/download/DeathwishDog.exe

My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
according to their website
  http://vil.nai.com/vil/content/v_267459.htm
this signature has only been added to Virusscan on 26 May 2010.

Since the Screenmates are far older, and I am downloading from the
official site, I am wondering whether:
a) the site has been hacked and someone replaced the original with a
modified file (I found the same virus warning on a different source, so
this is unlikely)
b) this has always been a trojan (unlikely?)
c) McAfee reports false positives with this signature, or is sensitive
to something the program does which does not necessarily do any harm

Has anyone had any false positives with that signature reported in the
recent past?

Best Regards,

   Lars

Re: McAfee Virusscan: Generic.dx!sux - false positives?



[quoted text omitted]

I agree - unlikely.

[quoted text omitted]

Again, I agree, although 'trojans' are tough to nail down, being
subjectively defined.

[quoted text omitted]

It appears to be a generic detection as opposed to a signature based
identification.

[quoted text omitted]

Not me, but false positives from 'generic' and/or 'heuristic' modules are
more likely than one might think.



Re: McAfee Virusscan: Generic.dx!sux - false positives?



Lars Uffmann wrote:

[quoted text omitted]

EVERY anti-virus program suffers from false positives.  It's up to you
to do further investigation when alerted that a file is suspect.

Submit the file(s) to virustotal.com to see if other AV programs also
report the malware.

Re: McAfee Virusscan: Generic.dx!sux - false positives?



VanguardLH wrote:
[quoted text omitted]

That's a case for my Linux box I guess - as the windows system here will
refuse to open the link as long as VirusScan is up :)

Otoh we already kinda know it's a false positive thanks to Ant, and
David also found it reported by AntiVir...

Edit: Virustotal reports a lot of false positives... Since the file has
been around for a loooong time, I kinda wonder if Operating Systems are
kind of flawed by design and if it's time for a different design
concept. I mean: If there's so many viruses that pose a threat, that you
cannot sensibly protect people against most of them without reporting
false positives, then something is wrong with operating systems :)

Maybe create the next generation OS of each type in a way that all
executables run in a sandbox with restrictive settings by default, that
only permits read access to input devices and write access to graphics
and sound output, as well as file creation rights in a sandbox folder
(or the program folder) and read rights to application-owned files...

Then implement an OS-specific file browser that handles read/write rights
(i.e. "open file" or "save as" not only forms an easy method of browsing
to a path location and submitting that, but also checks the users access
rights for the selected file/folder, and temporarily passes those on to
the application that called the OS-owned file browser).

E.g.: You work with Open Office's writer: you want to open a file, do so
via menu (or by opening the file directly in a system file browser), and
by using the system file browser to open it, this will pass your user
rights on the file to the OO writer, which in itself would otherwise not
have read/write rights to that file. This would of course imply that a
"history" of opened files in the file menu of untrusted applications
would not work.

That would cover most programs I can think of, and any other access
settings could be handled by global (default) and per-application
settings (network access, file access to certain folders, other devices
access).

What does everyone think? :)
Has something similar been done (I didn't name any OS on purpose, as I
am aware that Linux also has its shortcomings)?

Best Regards,

   Lars

Re: McAfee Virusscan: Generic.dx!sux - false positives?



Lars Uffmann wrote:

[quoted text omitted]

Why was it a "false" positive if you find another highly regarded AV
program also alerting on the same suspect file?  virustotal shows the
file was already submitted so I looked at the last report which showed
SEVERAL anti-malware products alerted on this file.  I requested a
reanalyze and again SEVERAL anti-malware products alerted on this file.

I see nothing in Ant's or David's response that proves this file is not
infected or malware.  Running through a debugger means looking at the
code as it currently chooses to execute.  If the malware is currently
quiescent (i.e., it is dormant), the code won't proceed into the block
containing the malware.  It may get triggered by some event later.  Ant
did not claim to analyze all the code (unless that what was meant by
"file structure") but just traced its execution using a debugger as it
happened to run that time on his host.

With several anti-virus programs alerting on this file, it could still
be a false positive, but that is not likely 19 days after the malware's
signature was added to several AV programs and when more than one AV
program issues an alert.

What's so special about this 3rd party executable that you MUST have it?
It's possible the file is benign but with so many AV programs saying
otherwise then perhaps you should reevaluate if you really need this file
or should get any more of them from that source.

[quoted text omitted]

You said you JUST downloaded the file.  I don't know what are
"messagemates" coming from a site titled screenmates.  Since you are
downloading the file, how old it is (the one you presume that you are
downloading) is irrelevant.  It could've been infected right before you
downloaded it or a second after the prior time you downloaded it.  The
datestamp is irrelevant because, one, you are downloading the file and
will get a new timestamp and, two, the timestamp can be altered using
the touch or other similar command to alter that file attribute.

[quoted text omitted]

There is no problem with embedded, single-purpose, or closed operating
systems.  You are using one of those.  You are using a general-purpose
OS that is designed to be modified, adapted, or extended.

[quoted text omitted]

Sandboxes aren't perfect.  Malware can detect they are running under a
virtualized environment and remain quiescent so the user and
anti-malware programs don't detect through heuristics their malicious
behavior.  The user then moves the malware to their non-sandboxed
environment and then the malware engages.  Sandboxes are just more
software and it is still possible to leak outside of a sandbox.

http://taviso.decsystem.org/virtsec.pdf
http://www.seclab.tuwien.ac.at/papers/detection.pdf

A little old but still applicable.  I also watched a recorded seminar
where the speaker showed many principles possible (by malware) to detect
if running in a virtualized environment and also how to leak out of it.
(It was a webcast but several months later when I wanted to see it again
I couldn't find it again.)

The locks on your house doors and perhaps a siren alarm (and maybe even
connected to a security service) is probably all you use to protect your
home because it is sufficient security without getting excessively in
your way.  Do you want to get out of your car or reach out an opened
window for a handprint reader at an electrified gate to enter your
premises, review or pay someone to monitor cameras all over your yard
and inside your house, turn off ground vibration and pressure sensors
and have guards run outside when you need to let the kids or dog out
into the yard, use a keypad to get from the garage into your house,
remember to use another keypad and retinal scanner once inside the house
to keep the alarms from going off, remember to reactivate the alarms and
be sure to run back to your bedroom before the timer expires for the
laser beams, infrared sensors, temperature change sensors, vibration
sensors, and motion sensors, replace all windows with bullet-proof glass
along with lining the walls with metal sheets to prevent assassination,
and so on just to go home?  Well, all that is possible but it's not
reasonable or feasible for most of us.  

You get a level of security with which you are comfortable and will
tolerate.  Security should, at best, be transparent and not interfere
with your host.  Since security and ease-of-use are the antithesis of
each other, you have to sacrifice one to have the other.  

I do use anti-virus, HIPS, Returnil, daily image backups, VMs, LUA
tokens on Internet-facing apps, and some other methods for securing my
host.  Most of that runs in the background without interfering with my
use of my computer.  My purpose in using my host isn't to spend lots of
time on securing it and then having to maintain that security.  My
purpose is to *use* my computer.  

If the security gets in the way of me using my host then it gets
discarded.  There is always the performance impact on a host when adding
security but that I'm willing to tolerate but only if the impact to
responsiveness is just noticeable.  A general-purpose computer is
vulnerable.  Sorry, but I don't want a fixed OS, like what might be in
my washing machine or TV, for use with most apps and games.

I don't really want to get into a lengthy discussion of how to prevent
malware by securing a general-purpose OS so much that it becomes a burden
or near impossible for its owner to use.  I just wanted to express my
opinion this one time.  My original intent was only to address your
concern about the suspect file and that it appears more than one
anti-virus program is alerting on it and to ponder why you really think
you need this file which looks to be non-critical and perhaps not even
really that important.

Re: McAfee Virusscan: Generic.dx!sux - false positives?



"VanguardLH" wrote:

[quoted text omitted]

The file I downloaded (DeathwishDog.exe) is a standard GUI application
written in MS VC++ 5.0 with the usual message processing loop. I
inspected the file structure and content in a PE editor, the code in a
disassembler and there's nothing suspicious about it. I'm very used to
analysing malware/infected files and I know the signs. I also ran it
under a debugger with suitable breakpoints on API functions (e.g. for
accessing the registry, file system & network) and no unexpected calls
were made. I also single-stepped enough of the code to see there were
no special checks to call what might be otherwise dormant malicious
routines.

However, there are command line parameters which cause it to behave
differently.

If run with the argument "-1 filename", where filename is any file
name, it will copy itself to that file (overwriting if it exists) and
run that file with the argument "-2 [path]\DeathwishDog.exe". The
new process, with the new argument, then deletes DeathwishDog.exe and
exits. So the effect of all that is simply to move it to a new file.

If the file names are missing (with -1 or -2) or it can't delete the
file it sits in an infinite loop! That's bad programming.

Also note that it only creates the file mmates.ini if you tell it to
visit the website and it creates DeskToppers.ini (both saved in the
windows directory) only if you customise the settings. It also has the
ability to interact with other screenmates/messagemates applications.



Re: McAfee Virusscan: Generic.dx!sux - false positives?



"Ant" wrote:

[quoted text omitted]

Correction: If the name is missing with -1 it creates a garbage name
and uses that. I'm sure I found another case where it loops but can't
reproduce it now.
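Ant's description of the "-1 <dest>" / "-2 <original>" behaviour (copy self elsewhere, launch the copy, let the copy delete the original, and spin forever if the delete fails) is exactly the self-relocating pattern that generic AV heuristics tend to flag. The script below is an added example written for this thread, not DeathwishDog's code: it reimplements the two-stage protocol as described, in Python, with two assumed changes, a bounded retry instead of the infinite loop, and a usage error when the argument is missing. The stand-in file it creates in demo() is constructed; the second process is needed in the real program because Windows keeps a running executable's image file locked, so the original cannot delete itself.

```python
import os
import shutil
import subprocess
import sys
import tempfile
import time


def stage1(self_path, dest=None, launch=subprocess.Popen):
    """Stage 1 (-1 [dest]): copy this program to dest, overwriting it, and
    start the copy with "-2 <absolute path of the original>". When dest is
    omitted a unique name is made up, matching Ant's correction that the
    real program invents a garbage name."""
    self_path = os.path.abspath(self_path)
    if not dest:
        fd, dest = tempfile.mkstemp(prefix="moved-", dir=os.path.dirname(self_path))
        os.close(fd)
    shutil.copy2(self_path, dest)  # copy2 keeps the mode bits as well
    launch([sys.executable, dest, "-2", self_path])
    return os.path.abspath(dest)


def stage2(original, attempts=5, delay=0.1):
    """Stage 2 (-2 <original>): delete the original now that no running
    process has it open. Ant reports the real program loops forever if
    the delete fails; here a bounded retry reports failure instead."""
    for _ in range(attempts):
        try:
            os.remove(original)
            return True
        except FileNotFoundError:
            return True  # nothing left to delete: the goal is met
        except OSError:
            time.sleep(delay)  # e.g. still locked on Windows; try again
    return False


def main(argv):
    """Dispatch on the command line the way Ant describes it."""
    if len(argv) >= 2 and argv[1] == "-1":
        stage1(argv[0], argv[2] if len(argv) > 2 else None)
        return 0
    if len(argv) >= 3 and argv[1] == "-2":
        return 0 if stage2(argv[2]) else 1
    sys.stderr.write("usage: %s -1 [dest] | -2 <original>\n" % argv[0])
    return 2  # a missing argument is an error, not an infinite loop


def demo():
    """Run both stages inside one process (launch is replaced by a direct
    call to stage2) in a scratch directory and report what happened."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "DeathwishDog.exe")
    with open(original, "wb") as f:
        f.write(b"MZ constructed stand-in, not the real binary")
    dest = os.path.join(work, "moved.exe")
    in_process = lambda cmd: stage2(cmd[3])
    new_path = stage1(original, dest, launch=in_process)
    result = {
        "copy_exists": os.path.exists(new_path),
        "original_gone": not os.path.exists(original),
        # a directory cannot be os.remove()d, so stage2 must give up cleanly
        "undeletable_gives_up": stage2(work, attempts=2, delay=0) is False,
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    print(demo())
```

Run without arguments to see the in-process simulation; run with "-1 somewhere.py" to watch the copy actually spawn and remove the original. From a detection standpoint the interesting part is that nothing here is malicious, yet "write a copy of own image, spawn it, delete self" is the same sequence a dropper uses, which is a plausible reason for a generic verdict on a file that static analysis finds clean.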



Re: McAfee Virusscan: Generic.dx!sux - false positives?



On 07/29/2010 07:11 PM, VanguardLH wrote:
[quoted text omitted]

That was two separate statements, as marked by the "and" linking them,
as opposed to a "because".

[quoted text omitted]

Of course you are right in that there is no "proof" that this file is
harmless, however it being detected as JOKE/DeathWish by some AV
software is a strong indicator. And we already debated the likeliness of
various cases earlier in the thread, which you clearly didn't read, or
deliberately chose to ignore.

[quoted text omitted]

Wrong. Your statement would mean that false positives are hardly ever
kept in signature files and just as seldom are propagated from one AV
software to others.

[quoted text omitted]

It's called nostalgia, if you live in a world of "musts" and "must nots"
then you have my pity.

[quoted text omitted]

Thanks for the lesson on file timestamps. Had you read my initial post,
you could have saved the energy that went into typing though.

[quoted text omitted]

You clearly fail at listening/reading. Again. In the environment I
described, there is no reason to move most software out of a sandboxed
environment, because the software runs in such by default and for good
reasons without implications on the usability. And "sandboxes aren't
perfect" is a useless statement: it is neither true nor false, it is
simply a statement with no applicability. No bigger piece of software
can be perfect, if only for the fact that there are different approaches
to the same solution. However, that also applies to AV software. That
is, anyway, no reason to not consider applying a different philosophy
to operating systems and execution of third party software.

[quoted text omitted]

So you watch webcasts and think you're an expert, eh? I much preferred
the useful responses of everyone else on the thread.

[quoted text omitted]

You clearly have too much time on your hands... And...

[quoted text omitted]

You failed on this first point.

[quoted text omitted]

And you should have stuck to this.

Thanks for taking your time, but I seriously don't feel like reading
through a novel (of dubious relevance at best) when simply trying to
find out whether or not a certain malware detection is a false positive.

Cheers,

   Lars

Re: McAfee Virusscan: Generic.dx!sux - false positives?



Lars Uffmann wrote:

[quoted text omitted]

And both contradict each other.  One impugns that it may be malware
because another AV program alerted on that file.  Another said it wasn't
infected.  Your AV alerted on it.  So, at that time, you have 2 votes
yes and 1 vote no.  AFTER my reply, ANT replied to me and it seems he
knows what he's doing, so the score evened up with 2 votes Yes and 2
votes (weighted for Ant) No.  However, with more than one AV program
alerting on this file at virustotal.com, the voting goes to Yes (it's
infected).  However, as evidenced by your later statement that I
shouldn't believe experts in a field, then that explains why you
wouldn't believe several AV programs alerting on a file for which you
have nostalgic fondness.

[quoted text omitted]

Look at the timestamps.  There were 2 replies at the time that I
replied.  As I stated and at THAT time, it did not look like either of
them were proof that the file was clean.  Your replies at THAT time
weren't a debate.

[quoted text omitted]

Each AV vendor generates their own output for signature databases.  That
several of them alerted on the same file would be unlikely due to ALL of
them having independently generated the same bad signature.  Please show
evidence that the major AV vendors are sharing their signature
databases.  That would be very interesting information.  It would
violate the license for each product that states there shalt be no
reverse engineering.

I doubt there is any propagation (sharing) of signature databases from
one AV vendor to the next.  For the same pest, yes, it is likely that
the same signature gets generated by each AV vendor but that's not
sharing or propagating the signature.  That just means they came up with
the same result for the same pest.  Senders don't need to share your
postal mailing address to each send a letter to your home.  Same target,
multiple sources, no sharing but same result.

[quoted text omitted]

Wow, suddenly I become another user participating in a thread to an AV
expert.  I don't rebuild the world from scratch to evidence something.
There are experts other than myself AND yourself.  Apparently you
believe everyone other than yourself is lying or an idiot.  Must be
pretty tough to get accreditation at a school when you don't believe any
of your teachers.

Based on the credentials of the speaker, I had no reason to believe that
I was listening to a snakeoil salesman.  David and Ant assuaging your
ego hardly qualifies them as experts.  You're starting to sound like an
Alan Connor clone: agree with you and I'm your buddy but disagree with
you and I must be the spawn of Satan.

[quoted text omitted]

Gee, sorry for being verbose.  So now you can go back to watching that
rerun of Gilligan's Island.

Re: McAfee Virusscan: Generic.dx!sux - false positives?



"Lars Uffmann" wrote:

[quoted text omitted]

[...]

[quoted text omitted]

It's a false positive. Maybe McAfee is picking up on its ability to
run at startup and contact the screenmates site but that only happens
if you tell it to. All screenmates do this, so I don't know what's
causing this one to be flagged.

I examined the file structure and there's nothing unusual about it.
I'm convinced it's clean after monitoring in a debugger, which shows
normal code and normal behaviour. An "mmates.ini" file is created in
the windows directory.



Re: McAfee Virusscan: Generic.dx!sux - false positives?



Ant wrote:
[quoted text omitted]

Have you just tried those screenmates out, or are you one of the people
who fondly remember them from the time when the first (x-mas) greetings
were sent around with the gal or the lad stripper? :)

I kinda liked them... And just wanted to show a colleague some of those
from the old times - more specifically: The magic watercooler! Sadly, it
seems nowhere to be found :(

[quoted text omitted]

Thank you for checking! I wonder if there's a chance to get McAfee to
exclude this from detections, or if they don't consider fixing false
positives for signature detections...

Best Regards,

   Lars

Re: McAfee Virusscan: Generic.dx!sux - false positives?



"Lars Uffmann" wrote:

[quoted text omitted]

I don't remember those particular ones but I do remember some
screenmates from the old days.

[quoted text omitted]

I seem to recall that but unfortunately don't have a copy.

[quoted text omitted]

You could try asking them.



Re: McAfee Virusscan: Generic.dx!sux - false positives?




| Hey everyone!

| Struck with nostalgia, I wanted to download all the messagemates at
|    h**p://www.screenmates.com/archives.htm
| recently, and I discovered some new ones (and not all of the old ones :(
| - I decided to download all of them, and came upon a virus warning on
| the "DeathWish Dog":
|    h**p://www.screenmates.com/download/DeathwishDog.exe

| My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
| according to their website
|   http://vil.nai.com/vil/content/v_267459.htm
| this signature has only been added to Virusscan on 26. of May 2010.

| Since the Screenmates are far older, and I am downloading from the
| official site, I am wondering whether:
| a) the site has been hacked and someone replaced the original with a
| modified file (I found the same virus warning on a different source, so
| this is unlikely)
| b) this has always been a trojan (unlikely?)
| c) McAfee reports false positives with this signature, or is sensitive
| to something the program does which does not necessarily do any harm

| Has anyone had any false positives with that signature reported in the
| recent past?

Ant analyzed the file and he indicates it is clean so I won't go into the file
itself.
However...  Whenever you are suspicious of a file or it may be malicious,
*always* obfuscate the URL so it is NOT clickable, such as I have done in
my reply, in case the URL is malicious.

http://www.virustotal.com/analisis/64f4ef7f014b8b0df311ece66978d0550b2b33c3e5b6c58e36e4c271829510df-1280353283

I like AntiVir's declaration on this one.
AntiVir    8.2.4.26    2010.07.28    JOKE/Deathwish

Defining it is the class of Jokes and not malware.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
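VanguardLH's advice earlier in the thread was "submit the file to virustotal.com"; Dave's post gives the report link (the SHA-256 is in the URL) and points out that one vendor's verdict is JOKE/Deathwish while McAfee's is a generic Trojan name. The script below is an added example for this thread, not code from any of the posters: it hashes a file locally, looks the hash up on VirusTotal's API v3 file-report endpoint (so the binary is never uploaded when VT already has it), and triages the per-engine verdicts by separating family-specific names from generic, heuristic or joke/PUA classes, which is the distinction the thread ends up arguing about. Assumptions: the v3 response layout under data.attributes.last_analysis_results, the LOW_CONFIDENCE name pattern (my own rule of thumb), and SAMPLE_REPORT, which is constructed; its two positive entries mirror the McAfee and AntiVir lines quoted in the thread, the other engines and their "undetected" results are made up.

```python
import hashlib
import json
import re
import urllib.request

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"

# The SHA-256 that appears in the thread's VirusTotal link for DeathwishDog.exe.
THREAD_SHA256 = "64f4ef7f014b8b0df311ece66978d0550b2b33c3e5b6c58e36e4c271829510df"

# Detection names that denote a generic/heuristic verdict or a non-malware
# class rather than a family-specific signature (assumed rule of thumb).
LOW_CONFIDENCE = re.compile(
    r"generic|heur|joke|pua|pup|riskware|not-a-virus|suspicious|artemis", re.I)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash locally; query by hash so the binary need not be uploaded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256, api_key, timeout=30):
    """GET the v3 file report. Needs a VirusTotal API key; not run offline."""
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(report):
    """Summarise per-engine verdicts and say whether any hit carries a
    family-specific name or whether all hits are generic/joke/heuristic."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = {eng: r["result"] for eng, r in results.items()
            if r.get("category") in ("malicious", "suspicious") and r.get("result")}
    specific = {eng: name for eng, name in hits.items()
                if not LOW_CONFIDENCE.search(name)}
    if not hits:
        verdict = "no-detections"
    elif specific:
        verdict = "named-family"           # treat as malicious until disproved
    else:
        verdict = "generic-or-joke-only"   # false-positive candidate: analyse by hand
    return {
        "engines": len(results),
        "hits": len(hits),
        "names": sorted(set(hits.values())),
        "specific": sorted(specific),
        "verdict": verdict,
    }


# Constructed report in the v3 layout. The McAfee and AntiVir lines mirror the
# verdicts quoted in the thread; the remaining engines are made up.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "McAfee":    {"category": "malicious", "result": "Generic.dx!sux"},
    "AntiVir":   {"category": "malicious", "result": "JOKE/Deathwish",
                  "engine_version": "8.2.4.26", "engine_update": "20100728"},
    "Microsoft": {"category": "undetected", "result": None},
    "Kaspersky": {"category": "undetected", "result": None},
    "ClamAV":    {"category": "undetected", "result": None},
    "Symantec":  {"category": "type-unsupported", "result": None},
}}}}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # <file> <api key>: live lookup by hash
        report = fetch_report(sha256_file(sys.argv[1]), sys.argv[2])
    else:                   # offline: triage the constructed sample
        report = SAMPLE_REPORT
    print(json.dumps(triage(report), indent=2))
```

The point of the weighting is VanguardLH's own caveat: several engines alerting is evidence, but what they alert with matters. A report where every hit is "Generic.*", "JOKE/*" or a PUA class is the pattern of a shared heuristic or a deliberately detected nuisance category, and that is the case to hand to a human with a disassembler, as Ant did; a single family-specific name from a major engine is the case to treat as malicious until disproved. A hash lookup also gives the first-seen date, which answers the "has this file been around for a long time" question more reliably than the download's timestamp.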



Re: McAfee Virusscan: Generic.dx!sux - false positives?



David H. Lipman wrote:
[quoted text omitted]

My bad - didn't think of this in a newsgroup that is all about viruses
and in a posting stating I have a positive detection... But I see the point.

[quoted text omitted]

It is strange that they would declare it as JOKE and still classify it
as something that should be detected by an antivirus software...


Cheers,

   Lars

Re: McAfee Virusscan: Generic.dx!sux - false positives?




| David H. Lipman wrote:
[quoted text omitted]

| My bad - didn't think of this in a newsgroup that is all about viruses
| and in a posting stating I have a positive detection... But I see the point.

[quoted text omitted]

| It is strange that they would declare it as JOKE and still classify it
| as something that should be detected by an antivirus software...


In the actual Avira AntiVir application, you have to enable "Joke" files for
this to be detected.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: McAfee Virusscan: Generic.dx!sux - false positives?



Lars Uffmann wrote:

[quoted text omitted]

"Joke" malware can be spyware.  In most cases, joke malware doesn't
enact malicious behavior but creates a severe nuisance to the user.  A
joke malware that emulates a blue screen of death (BSOD) crash of the
host will scare the user and waste their time trying to determine why
their host crashed when it really didn't.  Having your mouse cursor go
berserk can make your host unusable or just a damnable situation to do
anything useful.  It may interrupt and prevent you from doing further
work on your host unless, say, you solve some puzzle.  It could keep the
CPU very busy, like when you login, to take longer before you can start
using your host.  It might phone-home to update a list of MOTDs (message
of the days) to spew out a randomly selected and randomly generated joke
window on your screen which becomes the foreground window and interferes
with whatever you were doing at the time.

Joke malware is to annoy you.  It doesn't do [much] damage to your OS,
apps, or files and it usually isn't hard to terminate.  Unless you enjoy
nuisances that waste your time instead of using your computer for the
tasks you intend, joke malware is still something to get rid of.  If
someone snuck up to your house to somehow adapt your telephone wiring so
your phone rang every time anyone's phone rang in a mile radius from your
home (and I'm not talking about a party line but just making your phone
ring), you don't think that is malicious behavior?  It doesn't stop you
from receiving real phone calls made to you or you dialing out although
having to wade through all the incoming calls to see which ones actually
have a connection with someone calling you or trying to catch a lull
between rings to dial out would impact your use of your phone service.
Joke malware instigates nuisance behavior that you don't want.

Re: McAfee Virusscan: Generic.dx!sux - false positives?



[quoted text omitted]

I used to have this one, I renamed it rundll32.exe and put it in the
system directory on my W98 machine.

http://www.processlist.com/info/esheep.html

There were several versions out at that time - none of them legit, but
some weren't modified from the Village Center Inc original.


