The file 'FFF-ReflexV2.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.10.9.72.
I would have to ask the question what were you downloading a key generator for?
Aside from any legal, moral issues, they carry a very high risk of having an uninvited guest.
Whilst it is disappointing it wasn’t detected by avast (assuming it is a good detection) when some other AVs do detect it, many of those based on generic signatures (more prone to FP) and some detecting it solely on its packing method. So this isn’t a clear-cut good detection.
I would not conclude that easily that the executable has not been backdoored in some way,
for instance if you consider the scan results as you care to search google for the MD5 hash of it: http://www.google.nl/search?gcx=c&ix=c2&sourceid=chrome&ie=UTF-8&q=63894385b0a65b784530200ba0c00361
All “reflexive games crack.ex-” variants according to my view should be flagged as PUP/riskware anyway. Also consider what DavidR stated earlier in his post in this thread. We are not here to give crackware a clean bill of health or tell that it has not been detected so far through anti-malware analysis or will go under the radar for the time being. That is unethical i.m.o.,
have posted an FP case in the forum so we will see what they say
As this is a crack software, we do not evaluate cracks and keygen for safety.
They are often built with the same tools used to create malware so there are frequent FPs but cracks and keygens are also often malware.
This is a generic detection that is triggered by the builder being used, which is used mostly for malware.
And good. The use of Yoda’s Crypter here or of any cryptor generally indicates one of two things -
that a malware author is trying to hide the contents of his executable, or someone worried about intellectual property is trying to hide the contents of his executable…
See the scan at VT:
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
UPX compressed Win32 Executable (43.8%)
Win32 EXE Yoda’s Crypter (38.1%)
Win32 Executable Generic (12.2%)
Generic Win/DOS Executable (2.8%)
DOS Executable Generic (2.8%)
sigcheck:
publisher…: n/a
copyright…: n/a
product…: n/a
description…: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned
PEiD: UPX 2.90 [LZMA] → Markus Oberhumer, Laszlo Molnar & John Reiser
packers (Kaspersky): PE_Patch.UPX, UPX
PEInfo: PE structure information
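Worked example, added here and not from this thread or any of its posters: a small Python triage that produces the MD5/SHA-256 for the hash lookup suggested above, and flags the two cheap packer indicators the scan output shows (UPX section names and a section whose bytes are near 8 bits per byte of entropy, the signature of compressed or encrypted content). The PE it analyses is constructed in build_sample() and is not the FFF-ReflexV2.exe from the thread; the section table walk follows the documented PE32 header layout.

```python
from collections import Counter
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain x86 code is typically 5-7, compressed/encrypted data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes):
    """Walk the PE section table and yield (name, raw_bytes) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    nsec, opt_size = coff[1], coff[5]
    off = e_lfanew + 4 + 20 + opt_size          # section headers follow the optional header
    for _ in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        yield name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]
        off += 40                               # IMAGE_SECTION_HEADER is 40 bytes

def triage(data: bytes) -> dict:
    """Hashes for a VT/Google lookup plus the packer indicators an analyst checks first."""
    sections = [(name, round(shannon_entropy(raw), 2)) for name, raw in pe_sections(data)]
    hints = []
    if any(name.startswith("UPX") for name, _ in sections):
        hints.append("UPX section names")
    if any(ent > 7.0 for _, ent in sections):
        hints.append("high-entropy section (compressed or encrypted payload)")
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "sections": sections, "packer_hints": hints}

def build_sample() -> bytes:
    """Constructed stand-in for a UPX-packed PE32 (not the thread's file): UPX0 empty, UPX1 holds packed bytes."""
    packed = bytes((i * 7919 + 13) % 256 for i in range(4096))  # uniform byte histogram -> entropy 8.0
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)              # e_lfanew points at the PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytes(224)                                             # zeroed PE32 optional header
    sec = lambda name, raw_size, raw_ptr: struct.pack("<8sIIII16x", name, 0x1000, 0x1000, raw_size, raw_ptr)
    headers = dos + b"PE\0\0" + coff + opt + sec(b"UPX0", 0, 0) + sec(b"UPX1", len(packed), 512)
    return headers + bytes(512 - len(headers)) + packed

if __name__ == "__main__":
    print(triage(build_sample()))
```

Run on a real file, the hashes are what you paste into the VT or Google search; the hints only say "packed", which by themselves prove nothing about intent, exactly the point made in this thread.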
Maybe there should be a new classification created for this sort of program (crack tools, keygens that go under the radar), to be found up as either “PIP” = possible illegal program or classified as “PCCIP” = possible copyright circumventing program.
Then everyone should know what the intention was to develop, obfuscate, protect that file in the first place. Or just call them CRACK…
As we explained earlier we are not going to answer. Warez for a long time have been a major way of distributing new spyware, trojans and other malware. Every day you can find a sample showing up detected as a trojan by a few scanners, but missed by many or all: you have an ideal malware vector, and who is going to complain? No user likes to admit he got infected from an illegal download or from trying to circumvent legit copyrighted works, so an ideal propagation base for malcreants to spread their malcreations. That is why we are not going to react here,