It says it contains a sample of virus win32 worm.
It's a keygen for an AVI joiner.
I have submitted it to other online file scanners like Kaspersky and BitDefender.
And they say it's clean.
Yet avast goes crazy and won't even let me access it.
I hope this is not an example of avast trying to double as anti-piracy software. :o
Here is the link to the .rar file.
htXp://www.filefactory.com/file/agh53e7/n/Dc1_rar
Avast renamed it and moved it.
The real name of the file inside the archive is Keygen.exe.
Can someone look please?
This is a false positive in my opinion.
Or an attempt to be anti-piracy software.
Thank you.
You can identify the file and extract it; you can then check it. However, keygen.exe files are frequently malware, especially if they are used to bypass paying for a program by generating a key; that is often not the only thing that they generate.
So avast isn’t acting as some anti-piracy agent, but a legit anti virus trying to prevent you getting infected.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
Yes DavidR,
Curious about this one, apparently a FP, but I will await the virustotal results to come up with a final verdict, in the meantime mahhhh please make the link non-click-able like htXp:// followed by the internet address, general McAfeeSiteAdvisor info: filefactory.com
Yellow Verdict Image
In our tests, we found a small fraction of downloads on this site that some people consider adware or other potentially unwanted programs.
Country Popularity
Netherlands Many users
polonus
Well, I downloaded it and there is only one file inside the rar, dc1.exe.vir; now I don’t know if avast tacked on the .vir suffix or not.
But an old virustotal shows, http://www.virustotal.com/analisis/9702560059010949522a2d1e5ec85b5a:
keygen.exe received on 05.06.2009 03:17:51 (CET)
Current status: finished
Result: 19/41 (46.34%)
So it doesn’t look like an FP to me; it is currently doing a fresh scan of the file, as the old one was 9 days ago. The new scan shows one less, 18/40 (45%), so still I would say not an FP: http://www.virustotal.com/analisis/62f90beaf6ae206a3df308557afaef63.
Yes the renamed file is from avast doing that when it moved it.
It could not heal the file.
The file is called Keygen.exe.
Basically I turned off the shield.
Ran the keygen which was an ordinary one with the funny music.
Got a key then deleted it.
And scanned the PC with everything I can find since.
So clearly there is no virus in the keygen; all AVs say there is nothing here.
I have scanned for rootkits with rootkit revealer and a few other programs as well and there is nothing.
However, it may act like a virus in the way it extracts the keys; as avast says it contains a copy of a w32 virus/worm, the code just may be similar.
Oh and also, the file name Keygen.exe would apply to millions of different files all called that.
I have tried to submit it to VirusTotal but it just hangs and does nothing.
Here is my result from Virus Total.
Antivirus Version Last Update Result
AVG 8.5.0.336 2009.05.15 -
BitDefender 7.2 2009.05.16 -
DrWeb 5.0.0.12182 2009.05.16 Trojan.PWS.Gamania.16857
eSafe 7.0.17.0 2009.05.14 SuspiciousR-Mytob3
F-Secure 8.0.14470.0 2009.05.15 -
GData 19 2009.05.16 Win32:Trojan-gen {Other}
K7AntiVirus 7.10.735 2009.05.14 Trojan.Win32.Malware.4
Kaspersky 7.0.0.125 2009.05.16 -
McAfee-GW-Edition 6.7.6 2009.05.15 Trojan.Crypt.ULPM.Gen
Norman 6.01.05 2009.05.16 -
nProtect 2009.1.8.0 2009.05.16 -
Panda 10.0.0.14 2009.05.15 -
Sunbelt 3.2.1858.2 2009.05.16 Trojan.Crypt.ULPM.Gen
Symantec 1.4.4.12 2009.05.16 -
Additional information
File size: 583367 bytes
PEiD…: -
TrID…: File type identification
RAR Archive (83.3%)
REALbasic Project (16.6%)
PEInfo: -
PDFiD.: -
RDS…: NSRL Reference Data Set
packers (Kaspersky): Molebox, UPX
I believe this is a false positive.
Here is the virscan.org report.
http://virscan.org/report/d7ed53b50e46fa7272a54b34dd1afdf8.html
14 out of 38 scanners say it's some kind of malware; that's not even half.
However, they are reporting it as different types.
Some say banker, some spy, some game key stealer, some adware, unclassified, unwanted, trojan, etc.
It would seem the ones who are saying it's something have not updated the false positive.
What about the virustotal results?