False or a virus

Hello,

I have reported something that might be a virus / false positive. Uploaded it and zip protected it to an email address. Can the staff check if they got it? Pavel replied to me that he could not open it, so I have resent it. {Evernotedemo.exe} which seems to be a tutorial flash placed in an .exe.

Received and investigated?

–Thanks

P.S: Avast also detects every reinstall of rt2500.sys {Ralink Driver on Vista Ultimate} as a virus. Even on a clean machine from OEM {Vista Ultimate} disk.

You could also check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Thanks. Well, I checked and here are the results from a few scanners (listed on 4 of them):

File EverNoteDemo.exe.vir received on 08.01.2008 13:51:04 (CET) Current status: finished

Result: 4/36 (11.11%)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 Win32:Trojan-gen {Other}
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.01 -
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.08.01 -
DrWeb 4.44.0.09170 2008.08.01 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 -
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.01 Win32:Trojan-gen
Ikarus T3.1.1.34.0 2008.08.01 Trojan-PWS.Win32.LdPinch.rew
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 -
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3317 2008.08.01 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 -
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 Trojan-PSW.Win32.LdPinch.rew
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 -
Additional information
File size: 2293844 bytes
MD5: 02c3c9ce3ec0d1a419e5302d9126da2c
SHA1: 8a84dc97da85051d15129046c7938c0991496df2
SHA256: 3d2fbc44cc3e85091661d751df3ac8421addf5ae85d60f1916fe4642e9772423
SHA512: 9ff086685c4ef4446dbc1d9e1dbf958613b93546eb8f493278ef6494affc5cd49246a74f305f7490220baf4bc58cd6e5e5ecd2b2dae24db94e1532cbb74f522d

File has already been analysed: MD5: 02c3c9ce3ec0d1a419e5302d9126da2c First received: 03.15.2008 19:08:19 (CET) Date: 08.01.2008 13:51:51 (CET) [<1D] Results: 4/36 Permalink: analisis/f4d8ece3b7d0811b2917517ca5e5d540
:-\

Does look as if it might be a false positive.
Did you upload it?

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Hi cubex,

Hi, welcome to the avast forum, virus and worms and FP section.
Do not panic, and know everything will be well in the end.
This infection you have on your computer could be
a variant of this malware family: http://www.castlecops.com/p970160-Spy_Banker_samples.html

Put a hijackthis logfile as an added txt file in your next posting.
Get hijackthis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

Make sure you place hijackthis in C:, and not in a temporary folder, because of later backups.
We will try to analyze the hijackthis logfile txt; as I said, attach it to your next posting,
and we could also establish whether it is a FP.

polonus

You’re welcome.

Even if a file has been scanned before it is always best to have it rescanned, you never know if more scanners now detect it or importantly less scanners detect it.

GData uses two scanning engines and one of those is avast, so effectively only three detections, so the file should be analysed, and you have sent it to avast.

So that means Evernote distributed it with its download? It was an official Evernote download and install. Actually I remember running it; the program demos Evernote’s features. Avast needs to test this file themselves, Evernote’s latest 2.x series.


Email 1:
Hello,

Is this a virus that I have zipped up with 7zip?

================================
Password is: <— It is a real password based on what I think.

Rather have it sent normally, but guess it would spread, right? If it is a real virus?
Also, forum uploading would be better than emailing, with upload for staff only.

Attachment: EverNoteDemo.7z (2207K)


Email 2:

Hello,

and thank you for notifying us about a suspected file.
However, I cannot unpack it due to a wrong password; the " " does not work.
Would you please send me the correct password, or this file recompressed using the standard password " "?

Many thanks and best regards,

P wrote (not sure if he was ok to use his name here)
Alwil Software, a.s.

wrote:

> Hello,
> Is this a virus that I have zipped up with 7zip?
>
> Password is:
>
> Rather have it sent normally, but guess it would spread, right? If it is a real virus?
> Also, forum uploading would be better than emailing, with upload for staff only.

Email 3:

Hello Pavel,

I’ll try to do so; maybe gmail ruins the zip.7z file, as it has troubles with exes in the first place.

I’m trying the following:

Using the password: " " without quotes.
Recompressing the file.
If it still does not work we would need to find another way to do it. That is what I meant, very complicated to report to you guys!

Hopefully this will work this time.
Let me know what else I can do to transmit the virus to you (funny way to say it; well, to investigate) / potential false positive.


I contacted Evernote http://evernote.com, let’s see what they say too.

All it means is that a file in evernote’s distribution was detected as infected by three scanners and requires further investigation, nothing more nothing less. You have emailed the sample and it will be analysed. If it is found to be an FP it will be quickly corrected.

Interestingly I can find no EverNoteDemo.exe on the EverNote.com site, so I can’t try anything else. Unless it is in the full download which is 50+ MB which as a dial-up user I won’t be trying to download.

Hi DavidR,

Went to the site and checked with the DrWeb link checker. That said all OK. Finjan did not alert on the site either.

pol

Thanks,
Let’s hope this is not a real virus and also out of reach for other people.

Yup, the file is inside EverNote_2.2.1.386.exe off the official site.

Check my pics below labeled pict 1 and pict 2

Hi cubex,

You can check it against this: http://www.indowebster.com/EverNote_221386.html

If the EverNote_2.2.1.386.exe differs from the original there is reason for concern, the official site could have been compromised.

polonus

It is possible; when I downloaded it the file size appeared the same. The download will be done in an hour and something, will check. :)

Well, pardon the way I’m writing; I’m sick today, so physically fatigued (taking iron) and not paying attention to punctuation.

I have checked this out after finally being able to get the full file, using three different versions of it, with the assumption the server was compromised. All of them seem clean until the point of setup deflate. Seems avast is showing a false positive, because Evernote is a “for profit” entity and would not neglect this file since 2007 and not know. This same program is free and pro, depending if one orders a pro license. Clearly not in their interest to have people pay for Trojans, although non-freeware servers might be compromised. Such an active company would already have pulled it a year later, unless they accidentally somehow got infected and just now the scanners are starting to sound the alarm. Still no word from Evernote or Avast. Good thing though the demo file is prevented from launching upon install. But if it is really a virus a year later, I might be screwed as it originally went undetected.

Well cubex,

Really hope you will feel much better soon! You have sort of solved your problem yourself through exploration, and you are a wiser man through doing this. You know that it is more than likely a FP; you have to wait for the AV scanner to get updated to not flag it any longer, or put it on the exclusion list.
Never trust anyone, and establish the facts first hand, that is, get the information to make an informed decision. We are glad to help you with this, and so all will be well in the end. Have a nice day and stay healthy,

polonus