False Positive - Win32:Monga [Trj]?

I Said:
Avast (current version) alerts about Win32:Monga [trj] in the file
hxxp://acclaim.solidstatenetworks.com/2moons_downloader_us_8-28-2008.exe

I did the communication about the trojan in the game 2moons forum hxxp://phpbb.acclaim.com/2moons/viewtopic.php?t=107970

hxxp://2moons.acclaim.com/download.htm
Look, this link is the same server.

2Moons VGM said that:
“Only Avast! seems to detect a “trojan” when clearly there aren’t any - other antivirus programs detect nothing. If you’re downloading from the official Acclaim website, there’s nothing to worry about.”

What is the truth?

01/09/2008 17:06:53 1220299613 LOCAL SERVICE 1772 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.
01/09/2008 17:07:29 1220299649 Andrezao 3848 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.
01/09/2008 17:09:32 1220299772 LOCAL SERVICE 1772 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.
01/09/2008 17:10:02 1220299802 Andrezao 984 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.
01/09/2008 17:38:21 1220301501 Anderson 1232 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.
02/09/2008 20:18:04 1220397484 Anderson 3764 Sign of “Win32:Monga [trj]” has been found in “E:\Downloads\2moons_downloader_us_8-28-2008.exe” file.

http://img27.picoodle.com/data/img27/3/9/2/f_mongam_3766b55.jpg

The DrWeb link checker doesn’t find anything at the link you gave.

  1. the site you downloaded from doesn’t appear to be acclaim.com, which I would guess is what they are talking about as the official Acclaim web site ???

  2. there really is only one way to check and that is by analysis. You would need to pause the web shield to be able to download it and take no action when the standard shield alerts (as it most likely will) when it is downloaded to your HDD.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

Update, OK I tried downloading this, twice actually, once without the web shield disabled and no alert by the standard shield, I repeated it with the web shield enabled and again no detections.

So what version of avast are you using, the latest versions are, program 4.8.1229, VPS 080902-0 ?

Using notepad, check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. Or the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file which is the data file where the info is stored.

Post the full details for this detection.

Please, edit the live link to malware or false positive (change http with hxxp, for instance).

I sent the file in e-mail.

hxxp://www.virustotal.com/pt/analisis/85a415f9c9b8c9c2880c13257cc5100b

AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 -
Authentium 5.1.0.4 2008.09.03 -
Avast 4.8.1195.0 2008.09.02 Win32:Monga
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.03 -
CAT-QuickHeal 9.50 2008.09.02 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.09.03 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.02 Suspicious File
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.03 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.03 -
GData 19 2008.09.03 Win32:Monga
Ikarus T3.1.1.34.0 2008.09.03 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.03 -
McAfee 5375 2008.09.02 -
Microsoft 1.3903 2008.09.03 -
NOD32v2 3409 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 Suspicious file
PCTools 4.4.2.0 2008.09.02 -
Prevx1 V2 2008.09.03 Suspicious
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.03 Sus/Spy-B
Sunbelt 3.1.1582.1 2008.09.02 VIPRE.Suspicious
Symantec 10 2008.09.03 -
TheHacker 6.3.0.8.070 2008.09.02 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.02 -
Webwasher-Gateway 6.6.2 2008.09.02 -

Please send a copy here following these instructions, and a link to the VirusTotal results. See
http://forum.avast.com/index.php?topic=34950.msg293451#msg293451,
how to report it to avast! and what to do to exclude them until the problem is corrected, if you think it is a FP.

fixed internally… will come out with next VPS update.

I’ve the same problem, if I run Pro Evolution Soccer 2008 with kitserver. :-[ I don’t know what I can do. I’ve downloaded the new update of avast! and iAVS, too. :-[ Still doesn’t work, I just click on install in the setup of kitserver, and avast! warns me that there’s a Win32:Monga [trj]. Please, don’t kill me if I’ve given too little information about my problem, but I’ve never ever been here and I don’t know much about it… I need professional help! I want to fix my problem and I want to play PES again! Tell me what you need or what I must do and I’ll do it!

  1. Check if you really have the latest VPS (virus database) update.
  2. You need to use the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful, you shouldn’t ‘exclude’ so many files that you leave your system in danger.

It doesn’t work… ??? Should I post the LOG here or something? I don’t know how, though… ;D

Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)

Yes, I can… I hope it could be like this!
6.9.2008 21:49:13 XXX 1868 Virus “Win32:Monga [trj]” byl nalezen v souboru “D:\Hry\Pro evolution soccer 2008\PES08\PES2008.exe”.

avast! version 4.8 Home Edition
VPS: 080906-0, 06.09.2008

I have Czech language in avast, so maybe you don’t understand, but it says that “…it was found in…”

Is that file being shown as clean to VirusTotal ?
Yes, sometimes, Exclusion lists do not work… I don’t know why… ???

http://www.virustotal.com/cs/analisis/40525807438b7a6c3abc50dfa0ebfef0

Antivirus Version Last update Result
AhnLab-V3 2008.9.6.0 2008.09.06 -
AntiVir 7.8.1.28 2008.09.05 -
Authentium 5.1.0.4 2008.09.06 -
Avast 4.8.1195.0 2008.09.06 -
AVG 8.0.0.161 2008.09.05 -
BitDefender 7.2 2008.09.06 -
CAT-QuickHeal 9.50 2008.09.06 -
ClamAV 0.93.1 2008.09.06 -
DrWeb 4.44.0.09170 2008.09.06 -
eSafe 7.0.17.0 2008.09.03 -
eTrust-Vet 31.6.6072 2008.09.05 -
Ewido 4.0 2008.09.06 -
F-Prot 4.4.4.56 2008.09.06 -
F-Secure 8.0.14332.0 2008.09.06 -
Fortinet 3.112.0.0 2008.09.06 -
GData 19 2008.09.06 -
Ikarus T3.1.1.34.0 2008.09.06 -
K7AntiVirus 7.10.443 2008.09.05 -
Kaspersky 7.0.0.125 2008.09.06 -
McAfee 5378 2008.09.05 -
Microsoft 1.3903 2008.09.06 -
NOD32v2 3423 2008.09.06 -
Norman 5.80.02 2008.09.05 -
Panda 9.0.0.4 2008.09.06 -
PCTools 4.4.2.0 2008.09.06 -
Prevx1 V2 2008.09.06 -
Rising 20.60.52.00 2008.09.06 -
Sophos 4.33.0 2008.09.06 -
Sunbelt 3.1.1610.1 2008.09.05 -
Symantec 10 2008.09.06 -
TheHacker 6.3.0.8.072 2008.09.04 -
TrendMicro 8.700.0.1004 2008.09.05 -
VBA32 3.12.8.5 2008.09.06 -
ViRobot 2008.9.5.1365 2008.09.06 -
VirusBuster 4.5.11.0 2008.09.06 -
Webwasher-Gateway 6.6.2 2008.09.05 -

Strange… >:( maybe I didn’t use right method.

Strange, does your computer recognize it as infected?
avast at VirusTotal returned clean ???

It isn’t unusual to not have avast detect on VT when it does so on your system. VT isn’t able to update the VPS in real time as the user is and this is often the cause.

Remember the point of submitting it to VT is to see what the other scanners find and this basically confirms a false positive.

If it is indeed a false positive and it seems so, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
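The triage described in this thread (look at what the other engines say, then rescan after the VPS fix) as an added example that is not code from avast! or from any poster here: it parses lines in the VirusTotal text layout quoted above, separates named signatures from generic “suspicious” verdicts, and diffs two reports. BEFORE is copied from the first report in the thread; AFTER is a constructed rescan assumed to follow the corrected update.

```python
import re
from collections import defaultdict
# Sample in the VirusTotal text layout quoted in this thread: engine, version,
# signature date (YYYY.MM.DD), then the verdict or "-" for clean. BEFORE is
# copied from the first report above; AFTER is constructed to show a rescan
# after a corrected VPS update (only the two Win32:Monga verdicts change).
BEFORE = """\
Avast 4.8.1195.0 2008.09.02 Win32:Monga
CAT-QuickHeal 9.50 2008.09.02 (Suspicious) - DNAScan
eSafe 7.0.17.0 2008.09.02 Suspicious File
GData 19 2008.09.03 Win32:Monga
Kaspersky 7.0.0.125 2008.09.03 -
Sophos 4.33.0 2008.09.03 Sus/Spy-B
Sunbelt 3.1.1582.1 2008.09.02 VIPRE.Suspicious
Symantec 10 2008.09.03 -"""
AFTER = BEFORE.replace("2008.09.02 Win32:Monga", "2008.09.06 -") \
              .replace("2008.09.03 Win32:Monga", "2008.09.06 -")
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse(report):
    # {engine: verdict}; lines that do not fit the layout are skipped
    rows = {}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows[m.group(1)] = m.group(4).strip()
    return rows

def kind(verdict):
    # "clean", "heuristic" (generic suspicious verdict) or "named" signature
    if verdict == "-":
        return "clean"
    low = verdict.lower()
    return "heuristic" if "suspicious" in low or low.startswith("sus/") else "named"

def summarize(report):
    # Count verdict kinds and group engines by the exact name they report:
    # identical names from different vendors often come from one licensed engine.
    counts, names = defaultdict(int), defaultdict(list)
    rows = parse(report)
    for engine, verdict in rows.items():
        k = kind(verdict)
        counts[k] += 1
        if k == "named":
            names[verdict].append(engine)
    return {"total": len(rows), **counts, "names": dict(names)}

def changed(before, after):
    # Engines whose verdict differs between two reports, e.g. after a VPS fix
    a, b = parse(before), parse(after)
    return {e: (a[e], b[e]) for e in a if e in b and a[e] != b[e]}
```

A single named signature shared by two engines, with everything else clean or merely heuristic, is the pattern the thread treats as a likely false positive; `changed` shows which verdicts a definition update actually cleared.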

The definition update resolved the problem.

thx

Thanks for reporting. Seems that they’ve corrected the false positive detection.

Thanks for the update.

A belated welcome to the forums.