virus total results of solitaire game


So I downloaded a solitaire game named Forty Thieves and ran it by
Virus Total to make sure it was safe and this is the result.  The major
AV companies call it clean while some others flag it.  What is your
opinion?



SHA256:           781053bc3d9a1c180c9f87950b46560e71734ade600c7d45d7e2e4800d0a4e2c
File name:        forty-thieves-solitaire_setup.exe
Detection ratio:  10 / 48
Analysis date:    2013-12-09 14:03:22 UTC ( 0 minutes ago )

Engine                 Result (- = no detection)               Sig. DB date
---------------------  --------------------------------------  ------------
Ad-Aware               -                                       20131209
Agnitum                -                                       20131207
AhnLab-V3              -                                       20131209
AntiVir                APPL/InstallCore.AX.1                   20131209
Antiy-AVL              -                                       20131209
Avast                  -                                       20131209
AVG                    -                                       20131209
Baidu-International    -                                       20131209
BitDefender            -                                       20131209
Bkav                   W32.Clod823.Trojan.4d87                 20131209
ByteHero               -                                       20131127
CAT-QuickHeal          -                                       20131209
ClamAV                 -                                       20131209
Commtouch              -                                       20131209
Comodo                 Application.Win32.InstallCore.KAX       20131209
DrWeb                  Adware.InstallCore.133                  20131209
Emsisoft               -                                       20131209
ESET-NOD32             a variant of Win32/InstallCore.FJ       20131209
F-Prot                 -                                       20131209
F-Secure               -                                       20131209
Fortinet               -                                       20131209
GData                  -                                       20131209
Ikarus                 -                                       20131209
Jiangmin               -                                       20131209
K7AntiVirus            -                                       20131207
K7GW                   -                                       20131209
Kaspersky              -                                       20131209
Kingsoft               -                                       20130829
Malwarebytes           PUP.Optional.Freemium.A                 20131209
McAfee                 -                                       20131209
McAfee-GW-Edition      -                                       20131209
Microsoft              -                                       20131209
MicroWorld-eScan       -                                       20131209
NANO-Antivirus         -                                       20131209
Norman                 -                                       20131209
nProtect               -                                       20131209
Panda                  -                                       20131209
Rising                 PE:Malware.XPACK-LNR/Heur!1.5594        20131209
Sophos                 Install Core Click run software         20131209
SUPERAntiSpyware       PUP.InstallCore/Variant                 20131208
Symantec               -                                       20131209
TheHacker              -                                       20131204
TotalDefense           -                                       20131206
TrendMicro             -                                       20131209
TrendMicro-HouseCall   -                                       20131209
VBA32                  -                                       20131209
VIPRE                  InstallCore (fs)                        20131209
ViRobot                -                                       20131209

Re: virus total results of solitaire game

badgolferman formulated the question:
[quoted text snipped]


I wouldn't trust it, but that's just me. I suspect it is a good program  
with bundled crap in the wrapping. You might be able to extract the  
good program (if there is one) and lose the crap.



Re: virus total results of solitaire game

On 12/9/2013 10:06 AM, FromTheRafters wrote:
[quoted text snipped]

Agreed.

--  
Mark Warner
...lose .inhibitions when replying

Re: virus total results of solitaire game

On 12/9/2013 4:52 PM, Mark Warner wrote:
[quoted text snipped]

Might be okay to install then scan afterwards with AdwCleaner and JRT  
from Bleepingcomputer.

--  
Mark Warner
...lose .inhibitions when replying

Re: virus total results of solitaire game

badgolferman wrote:

[quoted text snipped]

Save an image backup of your drives, or use a virtual machine to install
the unknown app, or use a virtualized disk to undo all changes (e.g.,
Returnil).  Then test the program.  Check to see if it permits a custom
install to eliminate the bundleware, or if its installer screens let you
deselect the bundled crap.  Then run the executables and DLLs against
VirusTotal and/or your anti-virus program.

You never bothered to mention where you found the installer for this
game.  Why bother installing an unknown and untrusted program when there
are sites that let you play the Forty Thieves version while online
(e.g., http://greenfelt.net/fortythieves )?  Bing found a lot of these
online copies of that game.  Do you really have a critical requirement
that the game be available when you happen to not have Internet access?
How often is your computer without Internet access?

Re: virus total results of solitaire game

VanguardLH wrote:

[quoted text snipped]

I don't want an online version, I want an installed version.  It
doesn't matter anymore, I found another one that fits the bill.

My main concern was the difference in results between the AV vendors.
The major ones call it clean while some others don't like it at all.
What gives?

Re: virus total results of solitaire game

badgolferman wrote:

[quoted text snipped]

False positives.  All AV programs have them occasionally.  Some are more
aggressive in a few categories of malware than others.  For example, PUP
means Probably Unwanted Program.  That doesn't mean you don't want them,
only that sometimes they are installed and users may not want them.
Almost all AV software identifies several Nirsoft utilities as PUPs
despite the fact that YOU installed them and YOU want them; they MIGHT be
used for bad purposes by others.

Forget any results from AV Rising.

InstallCore is delivering advertising during installation, similar to
the Candy installer.  The problem with InstallCore (and a *lot* of other
installers) is that you do not download the whole program.  You download
just the installer which then downloads the rest of the real program.
That means you don't get to download the real program.  You just
download a web installer.  It also means you don't know what you're
getting from their file server.  Even Microsoft has web installers.
Some folks complain that the CNet download.com downloads are also just
web installers.  Some software vendors use web installers to make sure
you get their latest version and so they don't have to keep changing
file links on their web site.

http://en.wikipedia.org/wiki/InstallCore
http://www.installcore.com/technology/
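The point made above, that the detection ratio alone says little and what matters is which engines fired and what they named, can be turned into a small triage script. This is an added example, not code from anyone in the thread: the rows are an excerpt of the VirusTotal table posted by the OP (all ten detections plus four of the clean engines), while the keyword lists, the 30-day staleness cut-off and the verdict thresholds are this example's own assumptions.

```python
"""Triage a VirusTotal engine table: what the detecting engines *name*
matters more than the raw detection ratio."""
import re
from datetime import date, datetime

# Excerpt of the table from the post: vendor, result (blank = clean),
# 8-digit signature-database date.
VT_EXCERPT = """\
AntiVir     APPL/InstallCore.AX.1     20131209
Bkav     W32.Clod823.Trojan.4d87     20131209
Comodo     Application.Win32.InstallCore.KAX     20131209
DrWeb     Adware.InstallCore.133     20131209
ESET-NOD32     a variant of Win32/InstallCore.FJ     20131209
Malwarebytes     PUP.Optional.Freemium.A     20131209
Rising     PE:Malware.XPACK-LNR/Heur!1.5594     20131209
Sophos     Install Core Click run software     20131209
SUPERAntiSpyware     PUP.InstallCore/Variant     20131208
VIPRE     InstallCore (fs)     20131209
Kaspersky         20131209
Microsoft         20131209
Symantec         20131209
Kingsoft         20130829
"""
TOTAL_ENGINES = 48                 # "Detection ratio: 10 / 48" in the post
ANALYSIS_DATE = date(2013, 12, 9)  # "Analysis date: 2013-12-09"

ROW = re.compile(r"^(\S+)\s+(.*?)\s*(\d{8})\s*$")

# Assumed keyword lists for this example; extend with the families you track.
PUP_MARKERS = ("installcore", "pup.", "adware", "freemium", "appl/")
GENERIC_MARKERS = ("heur", "generic", "malware.")   # heuristic/generic names


def parse_rows(table):
    """Yield (vendor, result, signature_date) for every well-formed row."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vendor, result, sigdate = m.groups()
        rows.append((vendor, result.strip(),
                     datetime.strptime(sigdate, "%Y%m%d").date()))
    return rows


def classify(result):
    """Bucket a detection name; spaces are dropped so 'Install Core' matches."""
    key = result.lower().replace(" ", "")
    if any(k in key for k in PUP_MARKERS):
        return "bundleware"
    if any(k in key for k in GENERIC_MARKERS):
        return "heuristic"
    return "other"


def triage(table, total_engines, analysis_date, stale_days=30):
    counts = {"bundleware": 0, "heuristic": 0, "other": 0}
    stale_clean = []
    for vendor, result, sigdate in parse_rows(table):
        if result:
            counts[classify(result)] += 1
        elif (analysis_date - sigdate).days > stale_days:
            # a "clean" from an engine with months-old signatures says little
            stale_clean.append(vendor)
    detections = sum(counts.values())
    if counts["bundleware"] >= 3 and \
            counts["bundleware"] > counts["heuristic"] + counts["other"]:
        verdict = "bundled installer (PUP/adware): unpack or sandbox before trusting"
    elif detections > total_engines // 4:
        verdict = "suspicious: many engines, no agreed family"
    else:
        verdict = "low confidence: isolated hits, plausibly false positives"
    return {"detections": detections, "ratio": f"{detections}/{total_engines}",
            **counts, "stale_clean": stale_clean, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(VT_EXCERPT, TOTAL_ENGINES, ANALYSIS_DATE).items():
        print(f"{k:12} {v}")
```

Run against the posted table this yields eight engines independently naming an InstallCore/PUP family, one heuristic hit (Rising) and one unexplained single-vendor name (Bkav), which is the "bundled installer, not consensus malware" reading; it also flags Kingsoft's clean verdict as resting on signatures over three months old.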

Re: virus total results of solitaire game


[quoted text snipped]

It's not a false positive, tho. A false positive is claiming something is  
infected with such and such thing when it's not. The program likely does  
contain a bundled installer and this is what's alerting various AV.
  
[quoted text snipped]

Sometimes. Each piece it downloads is subject to change at anytime. It may  
also elect to download partnered 3rd party advertising software.  

Without pointing fingers, apps like this are the ones that have to be  
studied by those who can actually read assembler. It's not enough to run  
the program under something such as revo uninstaller and "watch it make  
changes". You will miss all kinds of things and that's not really malware  
research in the pure sense of the word. Without giving names, I know of  
at least one/two big-name companies that do this on a routine basis. To  
them, that's research. :)

Yep, no disassembly, no code study. Run it, run your "companies app",  
collect what's left. If the offending app is poly, has timers/date based  
easter eggs, etc, you will not be aware of any of it using this method of  
"research". You'll see what its author intends for you to see.  

Some malware apps intentionally will not run under revo, total uninstaller,  
etc.. for this specific reason. :) The malware guys are aware that some  
antimalware companies methods of research are seriously crippled by lack of  
actual coding knowledge and so make it even harder for them by  
intentionally not running under one of their tools. :)

If I was still writing malicious software, I'd scan for sandboxie, vpc, etc  
and refuse to run under all of them. To deal with my work, you would read  
assembler or you'd be passed up.. Oh wait, I didn't write simple  
trojans...nearly 14 years later, the antimalware companies I'm writing  
about still don't have the ability to handle the code I was responsible for  
writing. You can't study a virus like that. LOLz.

[quoted text snipped]

a web installer? cute. It's just a loader tho. And no, you don't know what  
you're actually downloading. MS actually does use http served web wrapped  
installers, but not everything is actually one of those, even if it  
functions in a similar manner. MS didn't invent the technology.

[quoted text snipped]

They're cnet wrappers. I'd prefer the actual app, not some stupid little  
hand-holding program that assumes I'm too stupid to understand what I'm  
doing.
  

--  
Sometimes there's a part of me...Has to turn from here and go...Running  
like a child from these warm stars down the seven bridges road. There are  
stars in the southern sky. And if you ever you decide you should go...There  
is a taste of thyme sweetened and honey down the seven bridges road...
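Both the InstallCore description earlier in the thread and the "it's just a loader" reply above come down to one question a practitioner wants answered before running anything: does this setup.exe carry the program, or only a stub that fetches it (and whatever else) at install time? A first, static check is to pull the printable strings out of the file in both encodings Windows binaries use and look for embedded download endpoints. This is an added example, not code from the thread or from any installer vendor; the byte blob is a constructed stand-in for an installer image (not the real forty-thieves file), the hostnames are placeholders, and the 2 MB size threshold is an assumption.

```python
"""Static check for web-installer ("loader") behaviour: extract ASCII and
UTF-16LE strings from an installer image and look for download URLs."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")             # printable ASCII runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # printable UTF-16LE runs
URL = re.compile(r"https?://[^\s\"'<>\x00]+", re.IGNORECASE)


def extract_strings(blob):
    """Return printable strings found in either encoding, decoded to str."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def find_urls(blob):
    """All http(s) URLs embedded in the image, de-duplicated and sorted."""
    urls = set()
    for s in extract_strings(blob):
        urls.update(URL.findall(s))
    return sorted(urls)


def stub_report(blob, full_installer_min_bytes=2_000_000):
    """Heuristic: a PE that is small and carries download URLs smells like a
    web installer. Threshold is an assumption; a card game with graphics and
    sound is normally megabytes, a stub a few hundred KB."""
    urls = find_urls(blob)
    is_pe = blob[:2] == b"MZ"
    small = len(blob) < full_installer_min_bytes
    return {"pe": is_pe, "size": len(blob), "urls": urls,
            "likely_stub": is_pe and small and bool(urls)}


# Constructed sample: MZ header, DOS stub text, a UTF-16LE fetch URL with an
# affiliate-style query string, an ASCII registry path and a second URL.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
    + "http://dl.example.invalid/fetch?pkg=forty-thieves&aff=1234".encode("utf-16-le")
    + b"\x00\x00" + b"\x00" * 8
    + b"Software\\ExampleCo\\OfferScreen\x00"
    + b"https://offers.example.invalid/partner.cab\x00"
)
# Control: same header, no URLs -> must not be flagged.
CONTROL = (b"MZ" + b"\x00" * 62
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 64)

if __name__ == "__main__":
    print(stub_report(SAMPLE))
    print(stub_report(CONTROL))
```

The caveat is the one the reply makes: a loader's configuration is frequently packed or encrypted, so finding no URLs is not evidence that you have the whole program. Finding them, on the other hand, tells you exactly what the earlier post warned about, that the payload is decided by whatever the server hands out at install time, and the next step is the throwaway VM with the network captured rather than trusting the static read.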

Re: virus total results of solitaire game


[quoted text snipped]

It has at least one bundled installer with it. If you can provide the URL  
where you got it, I'd be happy to dissect it and report back. If I can remove  
the adware from it, I'll tell you exactly how to do so... Up to you tho.

Some AV ignore these things since you, the user, willingly install them, and other  
AV let you know about them because they don't agree with the "click-thru means  
you agreed" line of thinking.

  



--  
Sometimes there's a part of me...Has to turn from here and go...Running like  
a child from these warm stars down the seven bridges road. There are stars in  
the southern sky. And if you ever you decide you should go...There is a taste  
of thyme sweetened and honey down the seven bridges road...
