Interesting hit today?

Came back from dinner to find Avast! had found something. Moved it to chest, went to look at it:

[Chest] C:\ProgramData\AOL Downloads\triton_uk\6.1.17.1\migrator.exe

The strange part is:

[Last Changed] 09/09/2009 23:39:55

? Wut?

I’m going to hazard a guess it’s a false positive? Avast! says it’s a Win32:Malware-gen.

Thoughts?

I suspect that the actions a migration tool may be capable of would make it seem suspicious.

Win32:Malware-Gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

So it looks like the Win32:Malware-gen signature has been tweaked and now picks up this old file:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to Open the chest and right click on the file and select ‘Extract’ it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. A link to this topic wouldn’t hurt.

VT Result http://tinyurl.com/7tgk6yt

It makes absolutely no sense to me but perhaps I’m missing something?

Well… it is detected by… not the 3 most famous AV programs on that list

but the most important

First seen by VirusTotal 2008-03-20 23:33:57 UTC ( 3 år, 10 måneder ago )

So this is old… then everyone should detect it if it is malware.

Hence why I’m so bemused/confused at it.

Hello,
digital signature is valid. False positive, will be fixed in next VPS update. Sorry for inconvenience.

Milos
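The triage steps described earlier in the thread (extract the file to the excluded C:\Suspect folder, check it on VirusTotal) and the virus lab's "digital signature is valid" check can be done from one PowerShell session. This is an added example, not code from the thread or from Avast; it assumes the extracted copy sits at C:\Suspect\migrator.exe and it never uploads the file, it only looks it up by hash.

```powershell
# Added triage helper (not from the thread). Assumes the suspect file was
# extracted from the chest into C:\Suspect, which is excluded from the
# File System Shield as described above.
param(
    [string]$Path = 'C:\Suspect\migrator.exe'   # assumed location of the extracted copy
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 1. Authenticode signature: a valid signature from the expected publisher is
#    strong evidence for a false positive, as the virus lab reply notes.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
[pscustomobject]@{
    Status   = $sig.Status                      # Valid / NotSigned / HashMismatch ...
    Signer   = $sig.SignerCertificate.Subject   # null when the file is unsigned
    NotAfter = $sig.SignerCertificate.NotAfter
} | Format-List

# 2. Hashes, so the file can be looked up on VirusTotal without uploading it.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
"SHA256    : $sha256"
"MD5       : $md5"
"VT lookup : https://www.virustotal.com/gui/file/$sha256"

# 3. Timestamps and version info, since the thread compares the 'Last Changed'
#    date with the detection date: an old, unchanged file that only starts being
#    flagged after a definition update points to a tweaked generic signature.
$fi = Get-Item -LiteralPath $Path
"Last write: $($fi.LastWriteTime)   Created: $($fi.CreationTime)"
"Version   : $($fi.VersionInfo.FileVersion)  ($($fi.VersionInfo.CompanyName))"
```

A Status of Valid with the vendor's name as Signer, an old last-write time and a hash-only VirusTotal lookup showing just one or two generic detections is the combination that supports reporting the file as a false positive rather than deleting it.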

OK, it makes some sense to me though.

I suspect that avast has updated the signature again or virustotal has an old one, which is more likely given Milos’s (virus labs team) comment.

The other three aren’t major players as far as I’m aware and I would be loath to say that based on their findings it is definitely infected.

The first seen date is irrelevant as the last scan results were minutes ago, 2012-02-09 20:34:04 UTC ( 17 minutes ago )

Aha! Thanks very much - I can not FP it with confidence.

Yes you can ;D