False positive - OBJFIX.EXE

Hello,

While compiling the latest ZSNES, I received what I believe to be a false positive on an executable that the build compiles to correct Win32 object files for MinGW. The source code for the executable follows:

#include <stdio.h>
#include <string.h>

/*
 * Report that a file could not be opened and hand back the exit status
 * the caller should return.
 *
 * filename: path that failed to open (printed as given).
 * mode:     human-readable access kind, e.g. "read" or "update".
 *
 * Always returns 1, so callers can write `return open_error(...)`.
 */
int open_error(const char *filename, const char *mode)
{
 const int failure_status = 1;

 fprintf(stdout, "Failure opening %s for %s\n", filename, mode);

 return failure_status;
}

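/* Sizes of the fixed-length records this tool walks over. */
enum { OBJ_FILE_HEADER_SIZE = 0x14, OBJ_SECTION_HEADER_SIZE = 40 };

/*
 * Apply the MinGW compatibility fix to one 40-byte section header.
 *
 * For a section named ".bss" the 4 bytes at offset 16 are moved to
 * offset 8 and offset 16 is zeroed; for every other section the 4 bytes
 * at offset 8 are zeroed. (In the COFF section header layout these
 * offsets are the VirtualSize and SizeOfRawData fields.)
 */
static void fix_section_header(unsigned char *section_header)
{
 /* The name field is raw bytes; cast so strncmp gets the type it expects. */
 if (!strncmp((const char *)section_header, ".bss", 8))
 {
  memcpy(section_header + 8, section_header + 16, 4);
  memset(section_header + 16, 0, 4);
 }
 else
 {
  memset(section_header + 8, 0, 4);
 }
}

/*
 * objfix infile [outfile]
 *
 * Rewrites the section headers of a Win32 object file. With one argument
 * the file is patched in place; with two, a patched copy is written to
 * outfile and infile is only read.
 *
 * The section count is a 16-bit little-endian value taken from bytes 2-3
 * of the input, and section headers are assumed to start at offset 0x14
 * (i.e. no optional header follows the file header).
 *
 * Every read, write and seek is checked: the section count comes from
 * the file itself, so a truncated or malformed input must stop the run
 * instead of letting stale buffer contents be written out.
 *
 * Returns 0 on success, 1 on usage error or any I/O failure.
 * NOTE: in-place mode modifies headers as it goes, so a failure part-way
 * through leaves infile partially patched.
 * NOTE: passing the same path as infile and outfile truncates the input
 * when outfile is opened; use the one-argument form for in-place fixes.
 */
int main(int argc, char **argv)
{
 int rc = 1;
 int c;
 int i;
 int section_count;
 int in_place;
 FILE *in, *out = NULL;
 unsigned char file_header[OBJ_FILE_HEADER_SIZE];
 unsigned char section_header[OBJ_SECTION_HEADER_SIZE];

 if (argc < 2 || argc > 3)
 {
  printf("Fixes MS Win32 object files to be compatible with the incorrect\n");
  printf(" implementation in MinGW32.\n");
  printf("Usage: objfix infile [outfile]\n");
  return 1;
 }

 in_place = (argc == 2);

 /* "rb+" is the update mode, so the label must follow in_place. */
 in = fopen(argv[1], (in_place ? "rb+" : "rb"));
 if (!in) return open_error(argv[1], (in_place ? "update" : "read"));

 if (!in_place)
 {
  out = fopen(argv[2], "wb");
  if (!out)
  {
   /* Report the file that actually failed, and do not leak `in`. */
   fclose(in);
   return open_error(argv[2], "write");
  }
 }

 if (fread(file_header, 1, sizeof file_header, in) != sizeof file_header)
 {
  printf("%s is too short to be an object file\n", argv[1]);
  goto done;
 }

 section_count = file_header[2] | (file_header[3] << 8);

 if (out && fwrite(file_header, 1, sizeof file_header, out) != sizeof file_header)
 {
  printf("Failure writing %s\n", argv[2]);
  goto done;
 }

 for (i = 0; i < section_count; i++)
 {
  if (fread(section_header, 1, sizeof section_header, in) != sizeof section_header)
  {
   printf("%s ends inside section header %d\n", argv[1], i);
   goto done;
  }

  fix_section_header(section_header);

  if (out)
  {
   if (fwrite(section_header, 1, sizeof section_header, out) != sizeof section_header)
   {
    printf("Failure writing %s\n", argv[2]);
    goto done;
   }
  }
  else
  {
   /*
    * Step back over the header just read, overwrite it, then issue a
    * no-op seek: an update stream needs a positioning call between a
    * write and the next read.
    */
   if (fseek(in, -(long)OBJ_SECTION_HEADER_SIZE, SEEK_CUR) != 0 ||
       fwrite(section_header, 1, sizeof section_header, in) != sizeof section_header ||
       fseek(in, 0, SEEK_CUR) != 0)
   {
    printf("Failure updating %s\n", argv[1]);
    goto done;
   }
  }
 }

 if (out)
 {
  /* Everything after the section table is copied through unchanged. */
  while ((c = fgetc(in)) != EOF)
  {
   if (fputc(c, out) == EOF)
   {
    printf("Failure writing %s\n", argv[2]);
    goto done;
   }
  }

  if (ferror(in))
  {
   printf("Failure reading %s\n", argv[1]);
   goto done;
  }
 }

 rc = 0;

done:
 /* fclose flushes buffered writes, so its result matters for written files. */
 if (fclose(in) != 0 && in_place)
 {
  printf("Failure updating %s\n", argv[1]);
  rc = 1;
 }
 if (out && fclose(out) != 0)
 {
  printf("Failure writing %s\n", argv[2]);
  rc = 1;
 }

 return rc;
}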

I am using avast! v4.7 Home Edition, VPS file dated 08/01/2007, version 000763-0. I also scanned objfix.exe at VirusTotal; of the 32 engines listed, only Avast reported a detection:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.2.0 | 2007.08.01 | - |
| AntiVir | 7.4.0.54 | 2007.08.01 | - |
| Authentium | 4.93.8 | 2007.08.01 | - |
| Avast | 4.7.1029.0 | 2007.08.01 | Win32:Agent-HFI |
| AVG | 7.5.0.476 | 2007.08.01 | - |
| BitDefender | 7.2 | 2007.08.01 | - |
| CAT-QuickHeal | 9.00 | 2007.08.01 | - |
| ClamAV | 0.91 | 2007.08.01 | - |
| DrWeb | 4.33 | 2007.08.01 | - |
| eSafe | 7.0.15.0 | 2007.07.31 | - |
| eTrust-Vet | 31.1.5024 | 2007.08.01 | - |
| Ewido | 4.0 | 2007.08.01 | - |
| FileAdvisor | 1 | 2007.08.01 | - |
| Fortinet | 2.91.0.0 | 2007.08.01 | - |
| F-Prot | 4.3.2.48 | 2007.08.01 | - |
| F-Secure | 6.70.13030.0 | 2007.08.01 | - |
| Ikarus | T3.1.1.8 | 2007.08.01 | - |
| Kaspersky | 4.0.2.24 | 2007.08.01 | - |
| McAfee | 5088 | 2007.08.01 | - |
| Microsoft | 1.2704 | 2007.08.01 | - |
| NOD32v2 | 2431 | 2007.08.01 | - |
| Norman | 5.80.02 | 2007.08.01 | - |
| Panda | 9.0.0.4 | 2007.08.01 | - |
| Prevx1 | V2 | 2007.08.01 | - |
| Rising | 19.34.22.00 | 2007.08.01 | - |
| Sophos | 4.19.0 | 2007.08.01 | - |
| Sunbelt | 2.2.907.0 | 2007.08.01 | - |
| Symantec | 10 | 2007.08.01 | - |
| TheHacker | 6.1.7.160 | 2007.08.01 | - |
| VBA32 | 3.12.2.2 | 2007.07.31 | - |
| VirusBuster | 4.3.26:9 | 2007.08.01 | - |
| Webwasher-Gateway | 6.0.1 | 2007.08.01 | - |

Additional information
File size: 6656 bytes
MD5: 5469672259c2f6a1bc63b6e7520974f8
SHA1: a24b127c1ca517e3f258162323b9cda570997037

Send the sample to virus@avast.com in a password-protected zip file, with the password in the email body and "false positive" in the subject line.

Alternatively, you can add the file to the User Files section of the avast chest (File, Add), where it can do no harm, and send it from there (select the file, right-click, "email to Alwil Software"). There is no need to zip and password-protect the sample when it is sent from the chest. A copy of the file(s) will remain in the original location, so any further action you take can remove that.