Avast FP with HyperDesktop updater.

Screenshot of FP

http://i.imgur.com/LD7Nf.jpg

HyperDesktop is a screenshot capturing utility. It was just trying to auto-update.

URL:Mal means the URL is on a blacklist.

URLvoid: http://www.urlvoid.com/scan/hyperupdate.info.tm/ (also scroll down to the domains listed at the bottom).

If you think this is wrong… you can report a False Positive here: http://www.avast.com/contact-form.php?

Also include a link to this topic…

I have seen this earlier and this was my response:
OK, well the program in itself might be clean but avast doesn’t like the domain it is going to (presumably for its update). Whilst the update URL looks like it is related to Hyperdesktop hXXp://hyperupdate.info.tm/update.php?v=1.0.3.5, my guess is avast doesn’t like the info.tm domain.

Tried checking hXXp://info.tm to test that theory and got no alert, but it tries to redirect (Firefox stops that); if allowed it goes to freedns.afraid.org, but no alert on that either.

Going to test hXXp://hyperupdate.info.tm now.

Yes that is the problem, avast doesn’t like the hXXp://hyperupdate.info.tm sub-domain hyperupdate of the info.tm domain.

Avast isn’t alone in considering it at least suspect, http://www.urlvoid.com/scan/hyperupdate.info.tm/

So you will have to use the avast contact form to have it analysed:

  • http://www.avast.com/contact-form.php?loadStyles for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media) issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (network shield), etc.
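The posts above work out that the whole hyperupdate.info.tm host is blocked because its parent, the free-DNS domain info.tm, has a bad reputation. The following is an added illustration (not Avast's code, and the blocklist contents are constructed for the example, not Avast's data) of the suffix matching that URL reputation engines typically use: an entry for a parent domain covers every host underneath it on a label boundary, so a legitimate updater hosted under a shared free-DNS parent inherits that parent's verdict, while a host on its own registered domain does not.

```python
from urllib.parse import urlsplit

# Constructed blocklist for illustration only; real engines use large,
# continuously updated feeds. Entries are bare domains, and an entry
# covers the host itself plus every host underneath it.
BLOCKLIST = {"info.tm", "afraid.org"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL with any trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def blocklist_match(url: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering the URL's host, or None.

    Matching is done on label boundaries: 'info.tm' covers
    'hyperupdate.info.tm' but not 'notinfo.tm' or 'info.tm.example'.
    """
    host = host_of(url)
    if not host:
        return None
    labels = host.split(".")
    # Walk from the full host up through its suffixes: a.b.c -> b.c -> c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def classify(url: str, blocklist=BLOCKLIST) -> str:
    """Produce an Avast-style verdict string for a URL."""
    hit = blocklist_match(url, blocklist)
    return f"URL:Mal (matched {hit})" if hit else "clean"


if __name__ == "__main__":
    for u in [
        "http://hyperupdate.info.tm/update.php?v=1.0.3.5",  # update URL from the thread
        "http://gethyperdesktop.com/",                     # official domain from the thread
        "http://notinfo.tm/",                              # constructed: not a label-boundary match
    ]:
        print(u, "->", classify(u))
```

The defender's takeaway is the one the thread reaches: a host under a shared free-DNS parent carries that parent's reputation, so an updater pinned to a domain the vendor controls (here gethyperdesktop.com) avoids this class of block, and a reputation check should be done on label boundaries to avoid catching unrelated domains that merely end in the same string.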

I just saw the same thing… and it also detected Hyperdesktop itself as being malicious.

It looks like ‘hyperupdate.info.tm’ belongs to a Free DNS provider, and the official URL is ‘http://gethyperdesktop.com/’.

Either Avast is seeing a false positive, or Hyperdesktop’s servers have been compromised.

Sadly, Avast deleted the offending executable and I can’t do a malware analysis on it.

Either way, looks like hyperdesktop was indeed compromised, and this should NOT be marked as false positive.
I am disappointed that the authors did not put a warning up on their site about this.

EDIT 06/11/2012: Looks like it was actually a false positive, see next reply.

Cal

Just spoke with the authors of HyperDesktop, their response was the following;

Gotcha... you should know that info.tm gets used A LOT by malware, as do a lot of free DNS providers - which is probably why Avast blocked it (and rightly so!)

I’ll update the thread with this conversation.

Cal

On Tue, Nov 6, 2012 at 7:44 PM, hyperdesktop@gmail.com wrote:
Before we had our official domain (gethyperdesktop.com) we used a free dns for updates (which we still use).

And for some (yet unknown) reason Avast does not like that url.

Best Regards,
/Andy

2012/11/6 Cal Leeming [Simplicity Media Ltd] cal.leeming@simplicitymedialtd.co.uk

Could you explain why it is attempting to do a lookup on hyperdesktop.info.tm?? Seems a bit dodgy :)

Cal

On Tue, Nov 6, 2012 at 6:20 PM, hyperdesktop@gmail.com wrote:
Hi Cal,

Hyperdesktop is not compromised, it is a false-positive detection by Avast. Please let the forum know, we have confirmed this.

Best Regards,
Andy

2012/11/4 Cal Leeming [Simplicity Media Ltd] cal.leeming@simplicitymedialtd.co.uk

See the following thread;
https://forum.avast.com/index.php?topic=108459.0

Hi all,
I can confirm this was a false positive and it will be fixed in the next virus database update.