(Running Avast Free)
I think I’ve got a false positive. The supposedly infected file is the setup file (sp50setup.exe) for Spector Pro 5, which is a monitoring program (to track the kids’ internet habits). The file has been on my PC since August, though not installed yet. I run a full scan using the integrated shell command and Windows Task Scheduler once a week, using my own instructions, posted here. It appears that Avast detection of this virus was added on March 25, 2005. The infection is Win32:Urlbot [Trj].
A Google search turns up very little about this potential infection. Only two newsgroup posts about Win32:Urlbot.A and a potential false positive for Spector Pro with NOD32 back in October 2003. Those are here, and here.
I can find nothing about this virus on Symantec’s site, Avast.com, or the NOD32 site.
A few questions:
Could the very nature of the Spector Pro program (monitoring internet activity) be triggering this alert?
Why is Avast only now adding support for this Urlbot trojan when NOD32 has detected it for almost two years?
How do I know for sure that this is a false positive or not?
Maybe yes, maybe not. Better is using Jotti, as below… You can test the file in RejZor’s webpage too: http://www.security-ops.tk/
Maybe Pavel, maybe Karel (the virus analyst) could say something.
To know if a file is a false positive, please submit it to JOTTI and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used.
File: sp50setup.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
Scanner results
AntiVir - Found nothing
Avast - Found Win32:Urlbot
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
mks_vir - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
VBA32 - Found nothing
At this point I’m going to assume this is a false positive.
I checked the day the original message was posted, but couldn’t find a download link for the tool (I admit I may be blind, of course).
Did you submit the file to us, as Technical suggested?
Thanks.
Stranger and stranger, I just downloaded the sp50setup.exe file and scanned it using ashquick.exe and no alarm, so I scanned it using ashSimpl on-demand folder scan (no archives and again with archives) and no alarm?
Igor, I think today we had 2 iPush updates? The first one was corrupt and the second invoked the 0515-0 VPS file.
Am I right?
New iAVS update (VPS 514-3) for avast! program has been released recently.
Related information could be also found on our Internet sites.
Note: Detection of several Win32:Mytob variants added
In that case, can you send us the affected file?
If it’s too big to be sent by e-mail, can you upload it to ftp://www2.asw.cz/incoming, please?
Thanks.
It’s really hard to say due to the age of this thread.
Anyway, if you have a file detected by avast! and you think it’s a false positive, you are certainly welcome to send it to virus@avast.com in a password-protected archive, or if too big, upload it to ftp://ftp.avast.com/incoming
I think you can be assured that it has been resolved or the topic is unlikely to have ended. I also didn’t have avast alert on the file that I downloaded. This possibly meant jedisb had a different version of the .exe file (not dll file as you mention).
False positive detections don’t usually last very long as they are currently dealt with very quickly when reported.
But if you aren’t getting detections on the same file, it has been resolved; if you are, then send as Igor suggests. Make sure you have the latest version of the offending file and VPS though.