virus or not ?

hello,

http://www.megaupload.com/fr/?d=399TXP8L

The original file is on the "KGB Archiver" project on sourceforge.net.

virusscan.jotti.org gave me: Scan taken on 03 Dec 2008 20:12:19 (GMT)
A-Squared     Found Virus.Trojan.Win32.Agent.vgw!IK
AntiVir     Found nothing
ArcaVir     Found Trojan.Hupigon.Adi
Avast     Found Win32:Trojan-gen
AVG Antivirus     Found nothing
BitDefender     Found Trojan.Generic.710836
ClamAV     Found nothing
CPsecure     Found Troj.W32.Agent.tti
Dr.Web     Found nothing
F-Prot Antivirus     Found nothing
F-Secure Anti-Virus     Found nothing
G DATA     Found Win32:Trojan-gen
Ikarus     Found Virus.Trojan.Win32.Agent.vgw
Kaspersky Anti-Virus Found nothing
NOD32     Found nothing
Norman Virus Control Found W32/Spybot.CMLJ
Panda Antivirus     Found Trj/Downloader.MDW
Sophos Antivirus     Found nothing
VirusBuster     Found nothing
VBA32     Found Trojan.Win32.Agent.vgw

*******************************************

KASPERSKY

Hello
No malicious software was found in the attached file.

Regards, Tatarinov Ivan
Virus Analyst

******************************************************

AVG

---
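As an added example (not part of the thread, and not a Jotti or vendor tool), here is a small Python script that parses a report in the layout quoted above and summarises how far the engines actually agree: how many flagged the file, how many used a generic or heuristic label, and how many share a comparable family name once vendor prefixes and suffixes are stripped. The engine rows embedded below are copied from the thread's report; the generic-label markers, the family-key normalisation and the verdict thresholds are assumptions of this example.

```python
"""Summarise a multi-engine scan report to judge how much the engines agree.

Added example. The engine rows in SAMPLE_REPORT are the ones quoted in the
thread (Jotti layout: "<engine>  Found <label>" or "Found nothing"); the
generic markers, family-key rule and thresholds are this example's assumptions.
"""
import re
from collections import Counter

SAMPLE_REPORT = """\
Scan taken on 03 Dec 2008 20:12:19 (GMT)
A-Squared     Found Virus.Trojan.Win32.Agent.vgw!IK
AntiVir     Found nothing
ArcaVir     Found Trojan.Hupigon.Adi
Avast     Found Win32:Trojan-gen
AVG Antivirus     Found nothing
BitDefender     Found Trojan.Generic.710836
ClamAV     Found nothing
CPsecure     Found Troj.W32.Agent.tti
Dr.Web     Found nothing
F-Prot Antivirus     Found nothing
F-Secure Anti-Virus     Found nothing
G DATA     Found Win32:Trojan-gen
Ikarus     Found Virus.Trojan.Win32.Agent.vgw
Kaspersky Anti-Virus Found nothing
NOD32     Found nothing
Norman Virus Control Found W32/Spybot.CMLJ
Panda Antivirus     Found Trj/Downloader.MDW
Sophos Antivirus     Found nothing
VirusBuster     Found nothing
VBA32     Found Trojan.Win32.Agent.vgw
"""

# One "<engine>  Found <label>" row per line; engine names may contain spaces,
# so the engine group is non-greedy and stops at the first " Found ".
ROW_RE = re.compile(r"^(?P<engine>.+?)\s+Found\s+(?P<verdict>.+?)\s*$")

# Whole-token markers of a generic/heuristic label rather than a named family.
# Token boundaries matter: "Agent" must not be counted as "gen".
GENERIC_RE = re.compile(
    r"(?:^|[^a-z])(?:gen|generic|heur|heuristic|suspicious|probably)(?:[^a-z]|$)"
)


def parse_report(text):
    """Return {engine: label or None}; None means the engine found nothing."""
    results = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Scan taken on ..." are skipped
        verdict = m.group("verdict").strip()
        results[m.group("engine").strip()] = (
            None if verdict.lower() == "nothing" else verdict
        )
    return results


def is_generic(label):
    return GENERIC_RE.search(label.lower()) is not None


def family_key(label):
    """Reduce a vendor label to a comparable 'family.variant' key (assumption):
    drop a '!IK'-style suffix, drop a 'Win32:' or 'W32/' platform prefix,
    keep the last two dot-separated tokens, lower-case the result."""
    core = label.split("!", 1)[0]
    core = re.split(r"[:/]", core)[-1]
    return ".".join(core.split(".")[-2:]).lower()


def summarize(results, min_ratio=0.5, min_agree=4):
    """Call the file 'likely malicious' only when at least min_ratio of the
    engines flag it AND at least min_agree engines share one non-generic
    family key; thresholds are assumptions for this example."""
    labels = [lab for lab in results.values() if lab]
    specific = [lab for lab in labels if not is_generic(lab)]
    families = Counter(family_key(lab) for lab in specific)
    summary = {
        "engines": len(results),
        "detections": len(labels),
        "generic": len(labels) - len(specific),
        "families": len(families),
        "top_family": families.most_common(1)[0] if families else None,
    }
    ratio = summary["detections"] / summary["engines"] if results else 0.0
    if summary["detections"] == 0:
        summary["verdict"] = "clean"
    elif ratio >= min_ratio and summary["top_family"][1] >= min_agree:
        summary["verdict"] = "likely malicious"
    else:
        summary["verdict"] = "low consensus; needs manual analysis"
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key:>12}: {value}")
```

On the thread's report this gives 10 detections out of 20 engines, 3 of them generic, and only 3 engines converging on one family key (agent.vgw), so the script reports low consensus rather than a detection. Note that "Agent" is itself a catch-all vendor family, so even that 3-way agreement is weak evidence; the raw 10-versus-10 count alone says very little.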

Re: virus or not ?


OK.  This file *IS* from KGB Archiver 2 Beta and is not malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: virus or not ?

wrote:

Why do you think it is not malware? Because the packed file contains part of a virus code and the unpacked file contains no bad code? Because it is an open source project?

Seriously, it is not logical; too many AV detection services do not agree :-X This report gives 10 that found it is a virus, 10 that found not... now AVG will add it as a virus, so 11-9, grin!

Re: virus or not ?




The file is UPX-packed.
Both the packed (150 KB) and unpacked (320 KB) versions fail to run.

"Microsoft Visual C++ Runtime Library.

Runtime Error!
Program: Stubzip.exe
This application has requested the Runtime to terminate it
in an unusual way.
Please contact the application's support team for more information."


It appears to be broken as it will not self-extract.
No files or registry entries added/altered.
It does not write any malicious code.

The AVs that report a virus in this file are useless.

Ask AVG to describe in detail the new "worm" they found.
Don't just accept what they say without question - ask for proof.
What does this "worm" do exactly ?
What are the names of the malicious file(s) they found ?
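One check a triager can run before weighing any of those labels, as an added example that is not from the thread and not UPX's own tooling: read the PE section table and look for the default UPX section names, since packer-wrapped binaries are a classic trigger for generic "Trojan-gen" style detections. The sample image is constructed inside the code (a DOS stub, PE signature, COFF header and section table with no optional header, not a real executable); the set of UPX section names is an assumption covering only the packer's defaults, and a renamed section defeats the check, so absence of the names proves nothing.

```python
"""Flag a PE file whose section table carries the default UPX section names.

Added example. Offsets follow the PE/COFF layout: e_lfanew at 0x3C in the DOS
header, then "PE\\0\\0", a 20-byte COFF header, the optional header, and
40-byte section headers whose first 8 bytes are the name. The sample image
built by build_sample_pe() is constructed for this example, not a real binary.
"""
import struct

# Default names written by UPX (assumption: covers stock builds only).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
COFF_SIZE = struct.calcsize(COFF_FMT)  # PointerToSymbolTable, NumberOfSymbols,
SECTION_HEADER_SIZE = 40       # SizeOfOptionalHeader, Characteristics


def pe_section_names(data):
    """Return the section names of a PE image, raising ValueError if the
    headers are missing or the section table is truncated."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_FMT, data, coff_off)
    sec_off = coff_off + COFF_SIZE + opt_size
    if sec_off + SECTION_HEADER_SIZE * n_sections > len(data):
        raise ValueError("section table truncated")
    names = []
    for i in range(n_sections):
        start = sec_off + SECTION_HEADER_SIZE * i
        raw = data[start:start + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """True if any section uses a default UPX name (a hint, not proof)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_sample_pe(section_names):
    """Construct a minimal PE header skeleton with the given section names.
    No optional header and no section data: enough for the parser, nothing
    that could run. Used only as constructed test input."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header at 0x40
    coff = struct.pack(COFF_FMT, 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        image = build_sample_pe(names)
        print(names, "->", "UPX-packed?" , looks_upx_packed(image))
```

To use it on a real sample, read the file in binary mode and pass the bytes to looks_upx_packed(); a truncated or otherwise broken file, like the one described above that will not self-extract, surfaces as a ValueError rather than a silent False.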

 


Re: virus or not ?


| wrote:



| Why do you think it is not malware? Because the packed file contains part of a virus code and the unpacked file contains no bad code? Because it is an open source project?

| Seriously, it is not logical; too many AV detection services do not agree :-X This report gives 10 that found it is a virus, 10 that found not... now AVG will add it as a virus, so 11-9, grin!

Because analysis doesn't show malicious or possibly malicious activity.

There may be no logic to that many False Positives but it is NOT the first time this has happened.

A similar situation was with ...
http://sourceforge.net/project/showfiles.php?group_id=151236&package_id=205228

On October 24th, dsp_bs2b.dll had the following detections on Virus Total.

AhnLab-V3   2008.10.24.3   2008.10.24   Win-Trojan/Agent.69632.HO
Authentium   5.1.0.4   2008.10.24   W32/Downldr2.DXOJ
Avast   4.8.1248.0   2008.10.24   Win32:Trojan-gen
AVG   8.0.0.161   2008.10.23   Downloader.Agent.AGFC
BitDefender   7.2   2008.10.24   Trojan.Generic.581796
CAT-QuickHeal   9.50   2008.10.24   TrojanDownloader.Agent.nxa
ClamAV   0.93.1   2008.10.24   Trojan.Downloader-34337
eSafe   7.0.17.0   2008.10.23   Win32.Agent.nxa
Ewido   4.0   2008.10.23   Downloader.Agent.nxa
F-Prot   4.4.4.56   2008.10.24   W32/Downldr2.DXOJ
F-Secure   8.0.14332.0   2008.10.24   Trojan-Downloader.Win32.Agent.nxa
Fortinet   3.113.0.0   2008.10.24   W32/Agent.NXA!tr.dldr
GData   19   2008.10.24   Trojan.Generic.581796
Ikarus   T3.1.1.44.0   2008.10.24   Trojan-Dropper.Agent
K7AntiVirus   7.10.505   2008.10.23   Trojan-Downloader.Win32.Agent.nxa
Kaspersky   7.0.0.125   2008.10.24   Trojan-Downloader.Win32.Agent.nxa
McAfee   5414   2008.10.24   Downloader.gen.a
NOD32   3550   2008.10.23   probably a variant of Win32/TrojanDownloader.Agent
Norman   5.80.02   2008.10.23   W32/Agent.FNUZ
Panda   9.0.0.4   2008.10.23   Trj/Downloader.MDW
Prevx1   V2   2008.10.24   Malware Downloader
Sophos   4.34.0   2008.10.24   Mal/Generic-A
Sunbelt   3.1.1749.1   2008.10.23   Trojan-Downloader.Win32.Agent.nxa
Symantec   10   2008.10.24   Downloader
TheHacker   6.3.1.0.126   2008.10.23   Trojan/Downloader.Agent.nxa
VBA32   3.12.8.8   2008.10.22   Trojan-Downloader.Win32.Agent.nxa
ViRobot   2008.10.24.1436   2008.10.24   Trojan.Win32.Downloader.69632.BI


As of Yesterday it was down to...

ClamAV        Trojan.Downloader-34337
Fortinet      W32/Agent.NXA!tr.dldr
K7 Computing  Trojan-Downloader.Win32.Agent.nxa
Sunbelt       Trojan-Downloader.Win32.Agent.nxa

I think Suzi had Sunbelt fix their False Positive today.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: virus or not ?

The answer from AVG has just been received ;)

Dear Sir,

thank you for your email.

Please accept our apology for the misleading information in our last email.

The provided file is virus-free. It does not contain any infection.

The analysis result we sent was probably interchanged with the result
of another file while the answer was being written. We understand that the
situation is unpleasant and we are very sorry for the inconvenience
caused.

Please accept our sincere apology.

     Best regards,

     Zdenek Parizek
     AVG Technical Support

Re: virus or not ?


| The answer from AVG has just been received ;)

| Dear Sir,

| thank you for your email.

| Please accept our apology for the misleading information in our last email.

| The provided file is virus-free. It does not contain any infection.

| The analysis result we sent was probably interchanged with the result
| of another file while the answer was being written. We understand that the
| situation is unpleasant and we are very sorry for the inconvenience
| caused.

| Please accept our sincere apology.

|      Best regards,

|      Zdenek Parizek
|      AVG Technical Support

Thanx for the update.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: virus or not ?




I bet they would not have said anything if their statement about "a new virus worm" had not been questioned.
What a bunch of clowns.




 

Re: virus or not ?

On Wed, 3 Dec 2008 12:15:43 -0800 (PST), sebastien62@gmail.com wrote:


Wouldn't touch it but I'm paranoid :>)
        Regards  
        buddy b

Re: virus or not ?



Aww.. C'mon.. that's no way to learn something new and interesting. LoL


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: virus or not ?



| Aww.. C'mon.. that's no way to learn something new and interesting. LoL


Dustin, what is your valued opinion on my findings ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: virus or not ?



I find myself in agreement with you sir.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: virus or not ?



*yawn*. almost 4 years now, hundreds of thousands of downloads. Nothing
bad has happened in all that time. No malicious code has ever been found
in BugHunter. In fact, it got me a sweet gig working for MalwareBytes.
*grin* So the last laugh really is on you, anonymous wannabe.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: virus or not ?

bughunter.dustin@gmail.com says...

<snip>


Congratulations Dustin. A "sweet gig" and a good product.

--
James E. Morrow
 Email to: jamesemorrow@email.com
