[FREE version] UNLZEXE is actually a False Positive... [FIXED]

I am a fan of Avast (Free Version) since my family loves using it, so I made my own, solo account for needs that are personally satisfying…

Today, I still received (and confirmed it is) a false positive on a .EXE decompressor named UNLZEXE for Win32, which I tried submitting to Avast’s service, but it failed for some reason! UNLZEXE has the same genre of false positives as [UPX] back then, and it wasn’t seen until recently with UNLZEXE!

It should not be detected as anything; on mine it falsely says [Win32:MalwareGen].

UNLZEXE is, should be, and always will be clean! The link can be PM’d or posted if needed.

EDIT: See post for more info, since it is now verified as a Backdoor!

EDIT2: Now truly verified as a false positive, so I am right, not a backdoor!

Have you checked it at VirusTotal? You will possibly find that it isn’t only Avast that finds it at least suspect.

Don’t know how you tried to submit it: from the virus chest (submit to virus lab), using the on-line contact form, http://www.avast.com/contact-form.php?loadStyles, or submission to virus (at) avast (dot) com as a possible false positive?

Virus Total: Mostly Clean, Three Unrated: SecureBrain, WePawet and URLQuery

I used the Red Warning box (Three Dings) to report the False Positive!

Could you give us the link to the scan result?
Anyway… it looks as if you are doing a URL scan… and not a file scan. Is it not a file you have problems with?

Main EXE File
https://www.virustotal.com/file/5c2e9cb11a60a1dd725c478e014f7314defff3a589b6b31f85e8b2c19d286090/analysis/1357224008/

Website that it is from (SourceForge link, from http://www.shikadi.net/keenwiki/UNLZEXE)
https://www.virustotal.com/url/9469e27a766f7341cd035f56bdc5315a77688f6c1007d246a75ee3724a0169a5/analysis/1357219512/

I fully believe it should be clean!

hmmmmm…not sure

First seen by VirusTotal
2012-07-21 18:55:52 UTC (5 months, 2 weeks ago)

Then please go ahead and study the file then since it is suspicious-looking, I guess. Safety is still key to everyone!

EDIT: I looked for suspicious code in the XVI32 hex editor; nothing is seemingly bad-looking, but just in case… keep an eye on it!

This is the response from Sophos lab:

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

•unlzexe.exe – identity created/updated (New detection Troj/Bdoor-BEQ)
•readme.txt.zip – archive file
•readme.txt – non-malicious
•unlzexe.exe.zip – archive file

Attached: pic of the ThreatExpert report

Thanks for verifying this! ;D

And Norman lab says:

Hi Pondus, the file can be run in console (command prompt) and the result can be seen. There is no malicious behavior seen in the binary. Hence the detection has been removed from the definitions.

FP Case closed. FP Confirmed

Considering what you find at the website, and what’s written in the readme file, the program sure looks OK to me.
But then again, I am not the expert :slight_smile:

Also uploaded it to Malwarebytes and they have not added detection for it…

Well… after telling Sophos lab about Norman lab’s result… we got a new response ;D

Hi Pondus,

SophosLabs have analysed the file further and have now confirmed that the file that you sent to us for analysis is not malicious.

Hello,
the false positive will be fixed in the next VPS update.

Milos