GIMP Portable - Fabot FP

I have a couple of detections in the past few weeks. On 10/28 Avast hit on a GIMP Portable installation package that I have had on my PC for over a year. It detected Win32:Fabot[trj] on the files psp.exe and video.exe. I scanned the files with Jotti and VirusTotal and only a couple of the scanners detected anything. Then, I scanned the same download package (either downloaded fresh onto another PC, or from another storage source, I cannot recall) and it hit as well. So I was pretty sure this was a false positive. I sent the files to Avast, but they are still detecting as infected. I have left them in the Chest just in case.

Now, this morning, on the file unp191624958.tmp in the folder C:\Documents and Settings\Paul\Local Settings\Temp\_avast4_ the same virus Win32:Fabot[trj] was detected. The file size of this file is different from the others.

What is going on here? What is this Avast folder? I did rescan one of the previous files in the chest the other day to check to see if Avast still thought it was hot. Is this tmp file related to that?

Am I really infected with something?

PK

That video.exe is a proper detection because I can tell you that just by filename. Does it have a Windows Media Player icon? (I’m quite sure it does.) That psp.exe also looks suspicious by the name itself. Personally I wouldn’t doubt these detections.

Google shows psp.exe as being PaintshopPro

It may well show it as Paint Shop Pro, but that doesn’t mean it is.

When you consider that these supposedly came as part of a GIMP Portable installation package, it would be strange if it had a Paint Shop Pro file contained in it. They certainly warrant further investigation.

@ Allochthonous
You could also check the offending/suspect files at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Psp.exe is a standard plugin for The Gimp. In the latest version 2.6 it is named file-psp.exe. In earlier versions it is named psp.exe. It should be located in Gimp Installation Folder\lib\gimp\2.0\plug-ins. Gimp Install Folder is the folder Gimp was installed to. The Gimp has many such plugins for handling a large variety of graphic formats.

Thanks for the info, whilst that may be correct of earlier versions of the Gimp, Allochthonous should still confirm at virustotal and report the findings.

That goes without saying. How else can the database be corrected if it’s a false positive? I only pointed out that it is not a supposed part of The Gimp installation, but in fact a real plugin used by The Gimp.

This was indeed a previous version of Gimp Portable (2.2). The alarm fired on the extracted files on 10/28, but today during a complete scan, Avast also alerted on the Gimp_Portable_2.2.17.paf.exe package that I downloaded straight from PortableApps.com. I am going to see if I can still download this version from PortableApps.com and put it on a test box and scan. If it tests hot, I would say that is good evidence that this is a false positive. I highly doubt that PortableApps is distributing a viral app.

As stated in the original post, I did upload both files to Jotti and VirusTotal, and it was only hot to a couple of the scanners. I have scanned again so I can post the results. However, I do not know how to post the images.

What about that other file/location? unp191624958.tmp in the folder C:\Documents and Settings\Paul\Local Settings\Temp\_avast4_

What is this folder?

PK

avast4 is an avast! processing folder. You can ignore/delete everything avast! finds in it. I guess something was left behind and avast! re-detected that. Nothing to worry about. Just select Delete…

OK, so do we all agree that the alert on the file unp191624958.tmp in the folder C:\Documents and Settings\Paul\Local Settings\Temp\_avast4_ was meaningless?

How do we proceed with the other files? I did not have time to set up a test box and try to find the version 2.2.17 of GIMP. I can try again tonight.

Again, I scanned the files with Jotti and VirusTotal, and there were a couple of hits (Avast of course) but the majority found the files to be clean. If you can tell me how to post the images, I can.

This GIMP installation package has been sitting on my PC for months now, and had not been detected until 10/28. If these were real detections, and assuming that PortableApps.com is not distributing viral programs, then does it seem possible that some other virus deployment attached itself to these two files only, yet went undetected itself?

PK

No, it isn’t meaningless, something that avast unpacked was infected that should have fired an alert, but that .tmp file should have subsequently been removed.

What that alert was is the point in question, probably one of the files extracted from the Gimp installation archive, since you say it was for the same malware name.

The fact that it was left behind in the avast4 temp folder (is the problem); it would consequently be detected again on subsequent scans.

You don’t have to post an image, when you use VT when the results are displayed, just copy and paste the URL in the address window into a post. However, when you post, there is an Additional Options link, clicking on that expands the reply window and you can attach files, image or text depending on a) the file type and b) their file size.

The “last changed” date on the unp191624958.tmp file is an odd time. 5:34 on 11/2 (Sunday). I have configured the scheduled scan “cheat” (quick scan in Windows Scheduled Tasks) to scan at 1:00 am on Tues and Sun, so I am sure that this file was created during this scan.

I do not remember waking up to any alerts on Sunday morning. So the file was left over from that scan, though not hot at the time, and then the Tuesday night scan found it to be viral? Does this make sense?

Here are psp.exe results: http://www.virustotal.com/analisis/6375750340803c1e69fb519862f919d5

video.exe : http://www.virustotal.com/analisis/5e6abb00828adebee721888871050c6a

unp191624958.tmp : http://www.virustotal.com/analisis/bcb80267142b7b9fe8dde81e780002f3

Entire Gimp_Portable_2.2.17.paf.exe package: http://www.virustotal.com/analisis/6b33c2b35fd2a5b04e41e38a711454e6

Does this help?

Paul

From the VT results on all the detections, the avast Win32:Fabot [trj] is, as has been explained in another topic, an algorithmic detection, so it is possible that this is more prone to mis-detection. Given that, where other scanners detect this (GData has avast as one of its two scanners), it is as suspicious (heuristic) or Generic, which are also more prone to false positive detection.

I would totally ignore the unp detection as it really isn’t worth chasing.

The same is true of the complete installation package as a) the detection doesn’t say what file within the installation file and b) it can only report one detection, not multiple detections. As you already know there were two detections within this file, psp.exe and video.exe.

So you should submit the psp.exe and video.exe zipped and password protected for further analysis.

Send the sample to virus@avast.com zipped and password protected with the password in the email body; a link to this topic (and the VT results for psp.exe and video.exe) might help, and put “possible false positive” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
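One check worth doing before citing the VT links above or mailing the samples: confirm that the copy you are about to send is byte-for-byte the same sample the VT report describes, since a file that has sat on disk for a year can differ from the one you scanned earlier. The script below is an added example, not code from this thread or from avast/Alwil. It assumes (as the link format suggests) that the path segment of the thread's VT links, e.g. 6375750340803c1e69fb519862f919d5 for psp.exe, is that sample's MD5; the sample files it hashes in the demo are constructed stand-ins, not the real psp.exe or video.exe.

```python
"""Hash-verify suspect files against the VT report hashes before submitting them.

Added example (not the thread's or avast's code). Assumption: the VT link
path segment is the sample's MD5 (matches the URL form in the thread).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5s taken from the VT links posted in the thread, keyed by file name.
VT_REPORTS = {
    "psp.exe": "6375750340803c1e69fb519862f919d5",
    "video.exe": "5e6abb00828adebee721888871050c6a",
}
VT_URL = "http://www.virustotal.com/analisis/{md5}"


def hash_bytes(data: bytes) -> dict:
    """MD5 (to match the VT link) plus SHA-256 (stronger, for the email body)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_file(path: Path) -> dict:
    """Stream the file so large installer packages do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def classify(name: str, hashes: dict, reports: dict) -> str:
    """Does the local file match the VT report we intend to cite for it?"""
    expected = reports.get(name)
    if expected is None:
        return "no VT report on record: upload and get a fresh link"
    if hashes["md5"] == expected.lower():
        return "matches VT report"
    return "DIFFERS from VT report: do not cite that link for this file"


def build_manifest(paths, reports=VT_REPORTS) -> list:
    """One entry per file, suitable for pasting into the submission email."""
    manifest = []
    for p in map(Path, paths):
        h = hash_file(p)
        manifest.append({
            "name": p.name,
            "size": h["size"],
            "md5": h["md5"],
            "sha256": h["sha256"],
            "local_vt_url": VT_URL.format(md5=h["md5"]),      # where this exact file's report would be
            "cited_vt_url": VT_URL.format(md5=reports[p.name]) if p.name in reports else None,
            "status": classify(p.name, h, reports),
        })
    return manifest


def demo() -> list:
    """Constructed stand-in files in a temp dir: one mismatch, one match, one unknown."""
    tmp = Path(tempfile.mkdtemp(prefix="suspect_demo_"))
    (tmp / "psp.exe").write_bytes(b"constructed stand-in, not the real psp.exe")
    video = b"constructed stand-in, not the real video.exe"
    (tmp / "video.exe").write_bytes(video)
    (tmp / "readme.txt").write_bytes(b"constructed file with no VT report")
    # Pretend the VT report for video.exe was made from this very stand-in,
    # so the demo shows what a clean match looks like.
    reports = dict(VT_REPORTS, **{"video.exe": hash_bytes(video)["md5"]})
    return build_manifest([tmp / "psp.exe", tmp / "video.exe", tmp / "readme.txt"], reports)


if __name__ == "__main__":
    for entry in demo():
        print(f'{entry["name"]:<12} {entry["size"]:>6} B  md5={entry["md5"]}  {entry["status"]}')
```

Run it against the real files with `build_manifest(["C:/Suspect/psp.exe", "C:/Suspect/video.exe"])` after exporting them from the Chest; a "DIFFERS" status means the local copy is not the sample behind the link you were about to quote, and the file should be uploaded again so the new report is the one you reference in the email.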

I actually already did send the files to Alwil from the Chest on the first day they were detected. I will send again using the other method.

Thanks.

PK

fixed internally…