False positive?

Hi
This file is detected as a virus (Win32.Malware.gen) by Avast 5. I think this is a false positive. Can you check, please?

the file is here:
hxxp://www.mediafire.com/?yymnydemjoz

VirusTotal analysis:
http://www.virustotal.com/it/analisis/5868e19349c2cb669ae2463f7bc6978f93339c71668880d17a4aa6893e1c5d16-1263586155

Thanks

Hi justnet,

Make that live link unclickable, like hxtp instead of http or wXw instead of www.

Malicious software includes 1 scripting exploit.

Malicious software is being hosted on 2 domains, e.g. interclick.com/, erverspy.com/.

This site was hosted on 1 network(s) including AS46179 (LINKRIGHT).

polonus

Done!
If I understand correctly, the file contains a malicious script? Right?

@ justnet
The VirusTotal analysis is 10 days old. When VT says this file has been scanned before, don’t accept the previous results; always have VT scan again. 10 days in the AV world is a long time.

Hi DavidR,

I assume that the file has some specifications that make it flagged by heuristic scan, and I do not know what that actually could be. Also anxious to know if it is indeed a false flag or malcode (backdoor). There must be some packer or protection used to make it suspicious, because Avira has flagged it, BitDefender has flagged it, and analysis was needed to give it eventually an all green. Until then the file is in “limbo”.

polonus

This is the last scan:
http://www.virustotal.com/it/analisis/5868e19349c2cb669ae2463f7bc6978f93339c71668880d17a4aa6893e1c5d16-1264457740

I sent the file to avast, and I await the response.
Thanks

I don’t either; it isn’t my file. All I am suggesting is to get the latest VT scan, which I see we now have.

@ justnet

What makes you think it is an FP?
It has grown just a little since the old VT scan, so it might be worth sending it to another on-line analysis site that does a detailed single-file analysis: http://anubis.iseclab.org/?action=home.
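A small added example (not from the thread, from Avast, or from VirusTotal) that does the staleness check DavidR describes in the two posts above: it parses the two VT permalinks quoted in this thread, assuming their trailing number is the Unix time of the scan, confirms they refer to the same SHA-256, and reports how far apart the two scans are. The one-day threshold in is_stale is my assumption; the thread only says that ten days is a long time.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the two permalinks quoted in the thread above.
OLD_PERMALINK = ("http://www.virustotal.com/it/analisis/"
                 "5868e19349c2cb669ae2463f7bc6978f93339c71668880d17a4aa6893e1c5d16-1263586155")
NEW_PERMALINK = ("http://www.virustotal.com/it/analisis/"
                 "5868e19349c2cb669ae2463f7bc6978f93339c71668880d17a4aa6893e1c5d16-1264457740")

# Assumption: the old-style VT permalink ends in "<sha256>-<unix timestamp of the scan>".
_PERMALINK_RE = re.compile(r"/([0-9a-fA-F]{64})-(\d{9,10})/?$")


def parse_permalink(url):
    """Return (sha256, scan_time) from a hash-timestamp style VT permalink."""
    m = _PERMALINK_RE.search(url)
    if not m:
        raise ValueError(f"not a hash-timestamp VT permalink: {url}")
    sha256 = m.group(1).lower()
    scan_time = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return sha256, scan_time


def age_days(scan_time, now):
    """Age of a report in days relative to 'now' (both timezone-aware datetimes)."""
    return (now - scan_time).total_seconds() / 86400.0


def is_stale(scan_time, now, max_age_days=1.0):
    """True when the report is older than the threshold.

    The one-day default is an assumption for this example; the thread only
    says that ten days is a long time in the AV world.
    """
    return age_days(scan_time, now) > max_age_days


def compare_permalinks(old_url, new_url):
    """Compare two permalinks for the same file and say whether the old report was stale."""
    old_hash, old_t = parse_permalink(old_url)
    new_hash, new_t = parse_permalink(new_url)
    if old_hash != new_hash:
        raise ValueError("permalinks refer to different files")
    return {
        "sha256": old_hash,
        "old_scan": old_t,
        "new_scan": new_t,
        "days_apart": age_days(old_t, new_t),
        "old_report_was_stale": is_stale(old_t, new_t),
    }


if __name__ == "__main__":
    r = compare_permalinks(OLD_PERMALINK, NEW_PERMALINK)
    print(f"file {r['sha256'][:16]}... scanned {r['old_scan']:%Y-%m-%d} and {r['new_scan']:%Y-%m-%d}, "
          f"{r['days_apart']:.1f} days apart; old report stale: {r['old_report_was_stale']}")
```

Run it as a script and it confirms the point made in the thread: the two scans are about ten days apart, so the first report should not have been taken as current. The same parse_permalink and is_stale functions can be applied to any permalink of that form before deciding whether to click "reanalyse".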

Hi justnet,

You could also check if you have Kernel32.exe in the Windows system directory (C:\WINDOWS\SYSTEM or C:\WINNT\SYSTEM32, depending on the operating system). If so, you have to delete that file in Safe Mode, because of the flag Trojan.Delf.hwh…

polonus

Thank you for reporting the false positive alert. The false alert will be fixed in the next VPS, 100126-0.

Hello,
The new VPS has just been released (100126-0).

Milos