False positive?

(Running Avast Free)
I think I’ve got a false positive. The supposedly infected file is the setup file (sp50setup.exe) for Spector Pro 5, which is a monitoring program (to track the kids’ internet habits). The file has been on my PC since August, though not installed yet. I run a full scan using the integrated shell command and Windows Task Scheduler once a week, using my own instructions, posted here. It appears that Avast detection of this virus was added on March 25, 2005. The infection is Win32:Urlbot [Trj].

A google search turns up very little about this potential infection. Only two newsgroup posts about Win32:Urlbot.A and a potential false positive for Spector Pro with NOD32 back in October 2003. Those are here, and here.

I can find nothing about this virus on Symantec’s site, Avast.com, or the NOD32 site.

A few questions:

  1. Could the very nature of the Spector Pro program (monitoring internet activity) be triggering this alert?
  2. Why is Avast only now adding support for this Urlbot trojan when NOD32 has detected it for almost two years?
  3. How do I know for sure that this is a false positive or not?

Maybe yes, maybe not. Better is using Jotti, as below… You can test the file in RejZor’s webpage too: http://www.security-ops.tk/

Maybe Pavel, maybe Karel (the virus analyst) could say something.

To know if a file is a false positive, please submit it to JOTTI and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used.

Here’s what Jotti came up with:

File: sp50setup.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)

Scanner results
AntiVir - Found nothing
Avast - Found Win32:Urlbot
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found nothing
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found nothing
mks_vir - Found nothing
NOD32 - Found nothing
Norman Virus Control - Found nothing
VBA32 - Found nothing

At this point I’m going to assume this is a false positive.

By the name avast gave Win32:Urlbot it would appear the legitimate use of the monitoring program is being confused with malware doing a similar task.

If you can do as Technical suggests in his reply to your point 3. avast can check it out and correct the VPS database.

Karel… Please, check this false positive… We’re almost sure it is 8)

I checked the day the original message was posted, but couldn’t find a download link for the tool (I admit I may be blind, of course).
Did you submit the file to us, as Technical suggested?
Thanks.

I found a link for sp50setup.exe and have sent it to you by PM for obvious reasons.

Stranger and stranger, I just downloaded the sp50setup.exe file and scanned it using ashquick.exe and no alarm, so I scanned it using ashSimpl on-demand folder scan (no archives and again with archives) and no alarm?

Jedisb, is the problem still present with the latest VPS update?

Igor, I think today we had 2 iPush updates? The first one was corrupt and the second invoked the 0515-0 VPS file.
Am I right?

New iAVS update (VPS 514-3) for avast! program has been released recently.
Related information could be also found on our Internet sites.
Note: Detection of several Win32:Mytob variants added

                                  avast! support team

ALWIL Software Prubezna 76, Praha 10, 100 00, Czech Republic
phone: (+420) 274005 666 fax: (+420) 274005 888
e-mail: support@asw.cz web: www.avast.com


avast! PUSH update: error during processing.
[09:50:23, 11.04.2005]
VPS: 0514-1, 07/04/2005

I’ll check when I get home tonight.

Yes

In that case, can you send us the affected file?
If it’s too big to be sent by e-mail, can you upload it to ftp://www2.asw.cz/incoming, please?
Thanks.

I know this is an old post, but was this ever resolved? I am assuming not.

My issue is similar in that I am trying to run the Console for Spector CNE, but I get the same error as referenced earlier.

If this has not been resolved, please let me know and I’ll forward a zipped version of the offending .dll.

Thanks.

It’s really hard to say due to the age of this thread.

Anyway, if you have a file detected by avast! and you think it’s a false positive, you are certainly welcome to send it to virus@avast.com in a password-protected archive, or if too big, upload it to ftp://ftp.avast.com/incoming

Thanks.

I think you can be assured that it has been resolved or the topic is unlikely to have ended. I also didn’t have avast alert on the file that I downloaded. This possibly meant jedisb had a different version of the .exe file (not dll file as you mention).

False positive detections don’t usually last very long as they are currently dealt with very quickly when reported.

But if you aren’t getting detections on the same file, it has been resolved; if you are, then send it as Igor suggests. Make sure you have the latest version of the offending file and VPS, though.