False positive: Win32:Agent-ZKA [Trj] detected in clean program

Avast detects Win32:Agent-ZKA [Trj] in a program I know is clean. Said program is DC Tool GUI, an open source application used to upload/download binary files between a PC and a Dreamcast game console. It can be found here: http://www.dcemu.co.uk/vbulletin/showthread.php?t=97389 , http://dchelp.dcemulation.org/?dc-tool_GUI and http://sbibuilder.free.fr/files/dev/dctool/dctoolgui/?N=D

I have submitted it as a false positive report today.

You could also check the offending/suspect file at VirusTotal (a multi-engine on-line virus scanner) and report the findings here: the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

That's what I was just doing. Here's the report on setup.exe from version 2.0 of DC Tool GUI:

http://www.virustotal.com/analisis/e940cc04e2a5635f36df4cc02868004bba70579e07f9028f2eaed41ac35a239e-1252973682

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.15 -
AhnLab-V3 5.0.0.2 2009.09.14 -
AntiVir 7.9.1.14 2009.09.14 -
Antiy-AVL 2.0.3.7 2009.09.14 -
Authentium 5.1.2.4 2009.09.14 -
Avast 4.8.1351.0 2009.09.14 Win32:Agent-ZKA
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.15 -
CAT-QuickHeal 10.00 2009.09.14 -
ClamAV 0.94.1 2009.09.14 -
Comodo 2320 2009.09.15 -
DrWeb 5.0.0.12182 2009.09.15 -
eSafe 7.0.17.0 2009.09.14 -
eTrust-Vet 31.6.6737 2009.09.14 -
F-Prot 4.5.1.85 2009.09.14 -
F-Secure 8.0.14470.0 2009.09.13 -
Fortinet 3.120.0.0 2009.09.15 -
GData 19 2009.09.15 Win32:Agent-ZKA
Ikarus T3.1.1.72.0 2009.09.14 -
Jiangmin 11.0.800 2009.09.14 -
K7AntiVirus 7.10.844 2009.09.14 -
Kaspersky 7.0.0.125 2009.09.15 -
McAfee 5741 2009.09.14 -
McAfee+Artemis 5741 2009.09.14 -
McAfee-GW-Edition 6.8.5 2009.09.14 -
Microsoft 1.5005 2009.09.14 -
NOD32 4425 2009.09.14 -
Norman 6.01.09 2009.09.14 -
nProtect 2009.1.8.0 2009.09.14 -
Panda 10.0.2.2 2009.09.14 -
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.15 -
Rising 21.47.04.00 2009.09.14 -
Sophos 4.45.0 2009.09.15 -
Sunbelt 3.2.1858.2 2009.09.15 -
Symantec 1.4.4.12 2009.09.15 -
TheHacker 6.3.4.4.404 2009.09.15 -
TrendMicro 8.950.0.1094 2009.09.14 -
VBA32 3.12.10.10 2009.09.14 -
ViRobot 2009.9.14.1934 2009.09.14 -
VirusBuster 4.6.5.0 2009.09.14 -
Additional information
File size: 3825713 bytes
MD5: 534d59139e65f06ff0b6d08df3cfde46
SHA1: 8a66656f49cc7eac182246e06298be6f0575d90f
SHA256: e940cc04e2a5635f36df4cc02868004bba70579e07f9028f2eaed41ac35a239e
ssdeep: 98304:iY5YltX6zvIN2IqbzgQwQa5fOlymhRQ1vK4Mj8d:iY5ZjIN+S5gZ4M6
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x9220
timedatestamp: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype: 0x14c (I386)

( 8 sections )
name    virtual addr  virtual size  raw size  entropy  md5
CODE    0x1000        0x8958        0x8a00    6.58     74a653de99a5acaa8c73bf5b7b7d7d20
DATA    0xa000        0x248         0x400     2.73     676c1acce5fabc5712cc48f2e1ee12bd
BSS     0xb000        0xe40         0x0       0.00     d41d8cd98f00b204e9800998ecf8427e
.idata  0xc000        0x8a8         0xa00     4.19     a7668017e30885485e625a90abb57b62
.tls    0xd000        0x8           0x0       0.00     d41d8cd98f00b204e9800998ecf8427e
.rdata  0xe000        0x18          0x200     0.20     d293bf8d4ebe9826d58e1d27c25fe4b6
.reloc  0xf000        0x84c         0x0       0.00     d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x10000       0x2800        0x2800    4.28     ac50500d0286ae6b5bf6c0a46b1b0f53

( 8 imports )

kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll: MessageBoxA
oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SetLastError, SetFilePointer, SetErrorMode, RemoveDirectoryA, ReadFile, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, FormatMessageA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA, CharNextA
comctl32.dll: InitCommonControls
advapi32.dll: AdjustTokenPrivileges

( 0 exports )
RDS: NSRL Reference Data Set

pdfid: -
TrID: Inno Setup installer (96.7%)
      Generic Win/DOS Executable (1.6%)
      DOS Executable Generic (1.6%)
      Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Avast): UPX
packers (Kaspersky): UPX, UPX, UPX, UPX, UPX

Also, it looks like the file that triggers Avast is not the executable file but a DLL. URL to follow.

(edit) Hmm, for some reason VirusTotal will not let me upload the DLL.

However, here's the result for dctool.dll from VirScan:
http://www.virscan.org/report/1b46c1671073c2641515ff65a2ec5da6.html

@stamasd
Certainly looks like an FP; GData also uses avast as one of its two engines, so effectively it is only the one detection.

Once confirmed avast are generally quick to correct it.
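The two checks the thread walks through by hand, reading the pasted VirusTotal table for independent detections (GData re-uses the avast engine, so its hit is not a second opinion) and confirming that the file exported from the chest is the same sample the VT permalink refers to, as an added example script. This is not code from the thread, from avast or from VirusTotal; the table excerpt is a constructed subset of the rows posted above, the SHARED_ENGINES mapping and GENERIC_MARKERS list are assumptions for the example, and the sample bytes are a stand-in for the real setup.exe.

```python
"""Triage a pasted VirusTotal result table for a suspected false positive.

Added example, not code from the thread: parses engine/result rows as pasted
in the post above, collapses detections from products that share an engine,
and checks that the bytes you hold are the sample the VT permalink names.
"""
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the table pasted in the thread; "-" means no detection.
VT_REPORT = """\
Antivirus Version Last Update Result
AntiVir 7.9.1.14 2009.09.14 -
Avast 4.8.1351.0 2009.09.14 Win32:Agent-ZKA
AVG 8.5.0.412 2009.09.14 -
BitDefender 7.2 2009.09.15 -
GData 19 2009.09.15 Win32:Agent-ZKA
Kaspersky 7.0.0.125 2009.09.15 -
McAfee+Artemis 5741 2009.09.14 -
Microsoft 1.5005 2009.09.14 -
"""

# Assumption for this example: products that embed another vendor's engine, so
# their hit is not independent confirmation (GData shipped avast + BitDefender).
SHARED_ENGINES = {"GData": "Avast"}

# Assumption: family labels that are catch-alls rather than a specific sample.
GENERIC_MARKERS = ("agent", "generic", "heur", "suspicious")

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# 2009-era VT permalink shape: .../analisis/<sha256>-<unix timestamp>
PERMALINK_RE = re.compile(r"/analisis/([0-9a-f]{64})-\d+")


def parse_report(text):
    """Map engine name -> detection name, or None when the engine reported '-'."""
    results = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # header line or blank line
            continue
        engine, _version, _updated, result = m.groups()
        result = result.strip()
        results[engine] = None if result == "-" else result
    return results


def independent_detections(results, shared=SHARED_ENGINES):
    """Group detections by the engine that actually produced them."""
    hits = defaultdict(set)
    for engine, result in results.items():
        if result is not None:
            hits[shared.get(engine, engine)].add(result)
    return dict(hits)


def triage(results, shared=SHARED_ENGINES):
    """Return (fp_candidate, independent_engine_count, sorted detection names).

    A single independent engine firing with a generic family name is the
    classic false-positive shape; treat it as a prompt to submit the sample
    to the vendor, not as proof the file is clean."""
    hits = independent_detections(results, shared)
    names = sorted({n for group in hits.values() for n in group})
    generic = all(any(g in n.lower() for g in GENERIC_MARKERS) for n in names)
    fp_candidate = 0 < len(hits) <= 1 and generic
    return fp_candidate, len(hits), names


def sha256_from_permalink(url):
    """Extract the SHA-256 the permalink refers to, or None if it has none."""
    m = PERMALINK_RE.search(url)
    return m.group(1) if m else None


def digests(data):
    """MD5/SHA-1/SHA-256 of a byte string, as in VT's 'Additional information'."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def file_matches_permalink(data, url):
    """True when the bytes exported from the chest are the sample VT scanned."""
    expected = sha256_from_permalink(url)
    return expected is not None and digests(data)["sha256"] == expected


if __name__ == "__main__":
    results = parse_report(VT_REPORT)
    fp, n_engines, names = triage(results)
    print(f"{n_engines} independent engine(s) of {len(results)} flag it: {names}")
    print("false-positive candidate:", fp)
    # Constructed stand-in; a real run reads the exported file with open(path, 'rb').
    sample = b"MZ constructed stand-in, not the real setup.exe"
    url = ("http://www.virustotal.com/analisis/"
           "e940cc04e2a5635f36df4cc02868004bba70579e07f9028f2eaed41ac35a239e-1252973682")
    print("permalink sha256:", sha256_from_permalink(url))
    print("local file matches permalink:", file_matches_permalink(sample, url))
```

Replace the stand-in bytes with the file exported to the excluded folder; if the SHA-256 does not match the permalink, the report you are quoting is for a different build and the FP submission should use the hash you actually computed.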

Thanks for the notice, the FP will be fixed.

Milos

Thanks! Fixed as of today.

Thanks for the feedback; I said it wouldn't take them long once confirmed ;D