False Positive on Win32:WOW-HN [Trj] (0)

Since today's virus database update I have started getting hits on a program that I have been using for almost 2 yrs now. Now I get a warning that the program is infected with Win32:WOW-HN [Trj] (0). It appears that McAfee has also had this problem, see http://www.cosmosui.org/showthread.php?p=59711 and http://www.cosmosui.org/showthread.php?p=59711 posted by doncorneo.

Why did it start all of a sudden, even when the makers of the program have verified that there are no viruses in the program?

To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…
You can use wildcards like * and ?. But be careful, you should ‘exclude’ that many files that let your system in danger.
After that, please, periodically check it - scan it into Chest, right clicking the file - there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected as being infected then you can also remove it from the Exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

K… submitted to Jotti… Here are the results… 17 scanners total and 3 say it is infected, the others don't… which is correct?

File: Cosmos.exe.prepatch
Status: INFECTED/MALWARE
MD5 07a75913ed8d3da40b2c7f6bb87e2bf1
Packers detected: -

Scan taken on 25 May 2007 20:03:49 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:WOW-HN
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Trojan-PSW.Win32.WOW.qt
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-PSW.Win32.WOW.qt
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

And the VirusTotal scan results:
File “Cosmos.exe.prepatch” received on 05.25.2007 at 22:12:20 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they’re generated.

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 Win32:WOW-HN
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.25.2007 no virus found
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found

Aditional Information
File size: 188416 bytes
MD5: 07a75913ed8d3da40b2c7f6bb87e2bf1
SHA1: 8ffd0545eb070b855dcb5b532d0a9eb08e4c0756

I’ll believe the Kaspersky detection, mostly when F-Secure does the same. I’m glad avast detects this one 8)
But in this case, if the file has been there for two years, it is really strange…

So you believe it to be a virus instead of a false positive?
Btw… I have already submitted it to virus@avast.com just in case.

Jadrian

I believe the Kaspersky detection. But, of course, every software could be wrong and have false positives.
What is the file's full path and date?

Full path is C:\Program Files\World of Warcraft\cosmos.prepatch.exe

The date I don't know, as after reading the cosmos forums and avast ones I restored the files, so it put today's date on them.

The double extension could make the file suspicious but, after all, it’s hard to say.
You’ll need to wait some days and submit the file again to see what we really get from it.

I too would also treat it as suspect and not an FP when two other strong performers detect the same family name WOW. I would suggest waiting for the full results from VT, as that uses the Windows version of avast and others, and there are more scanners, 32 at last count, so you may find others on there.

After a long weekend… The results have come back from avast and it is indeed a false positive… Glad to know that this file is not a virus after 2 yrs.
Thanks to the Personnel at Avast!!

Thanks for the feedback, at least you know for sure now.