As of yesterday’s scan on my Compaq, avast! has started identifying C:\hp\bin\killwind.exe as Win32:Trojan-gen. {VC}. This file is the often confusing “Risk-Ware” that comes pre-installed on HP/Compaq machines.
In order to upload to VirusTotal I had to rename the file to killwind.old (suspicious, I know), and here are the results:
STATUS: FINISHED
Complete scanning result of "KillWind.old", received in VirusTotal at 06.30.2007, 16:54:28 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 06.29.2007 APPL/KillApplicat.A
Authentium 4.93.8 06.29.2007 no virus found
Avast 4.7.997.0 06.30.2007 Win32:Trojan-gen. {VC}
AVG 7.5.0.476 06.29.2007 no virus found
BitDefender 7.2 06.30.2007 no virus found
CAT-QuickHeal 9.00 06.30.2007 no virus found
ClamAV devel-20070416 06.30.2007 no virus found
DrWeb 4.33 06.30.2007 no virus found
eSafe 7.0.15.0 06.30.2007 no virus found
eTrust-Vet 30.8.3752 06.29.2007 no virus found
Ewido 4.0 06.30.2007 no virus found
FileAdvisor 1 06.30.2007 no virus found
Fortinet 2.91.0.0 06.30.2007 no virus found
F-Prot 4.3.2.48 06.29.2007 no virus found
F-Secure 6.70.13030.0 06.29.2007 no virus found
Ikarus T3.1.1.8 06.30.2007 not-a-virus:RiskTool.Win32.PsKill.p
Kaspersky 4.0.2.24 06.30.2007 not-a-virus:RiskTool.Win32.PsKill.p
McAfee 5064 06.29.2007 potentially unwanted program RemAdm-PSKill
Microsoft 1.2701 06.30.2007 no virus found
NOD32v2 2365 06.30.2007 no virus found
Norman 5.80.02 06.29.2007 no virus found
Panda 9.0.0.4 06.30.2007 no virus found
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.29.2007 no virus found
Symantec 10 06.30.2007 no virus found
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 06.29.2007 no virus found
VirusBuster 4.3.23:9 06.29.2007 no virus found
Webwasher-Gateway 6.0.1 06.29.2007 Riskware.KillApplicat.A
Also, here is an old-ish quote from the author of the program:
http://www.artima.com/forums/flat.jsp?forum=106&thread=44329&start=15
I am to blame for using ominous sounding names like "KillWind" and "Terminator" along with silly version comments -- and I have learned a lesson; I'm going to post a new blog (hopefully pretty soon) on that subject. It'll be something along the lines of "Choose your program names judiciously, even if you think they'll only ever be internal-use programs." When I wrote most of these programs, I wasn't expecting that they'd be released to a large audience, so I wasn't too careful about their names; later they got included in more general releases. (By the way, the name "Terminator" came from the fact that the program uses the Windows API call TerminateProcess() to close a program that won't close when it is sent a close request (which KillWind does, by sending a WM_CLOSE message)).
In fact, if you look on a new HP machine, you’ll find the same programs, but the comments in the properties have been changed to be much more innocuous.
Another problem that exacerbated the whole thing was that McAfee and Norton Antivirus both at different times have incorrectly flagged various of these utilities as suspicious (I’m not sure whether their virus-detecting “algorithm” simply triggers on certain words like “kill” or “terminate” or whether they are tipped off by the fact that a program calls certain Windows API calls found in a program – either way, it doesn’t give me much confidence in the integrity of their scanning).
Anyway, as noted above, I’ll be posting a more detailed and complete treatment of the whole subject.
If avast! is going to continue to alert on this file maybe it's time to include a new detection category so as not to cause deletion of files that may be necessary to the computer.
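Added example, not part of the original post: a small triage script that parses multi-engine result rows in the format shown above and separates "riskware / potentially unwanted" labels from malware-family labels, so a lone generic detection stands out for false-positive review. The rows are a subset copied from the scan in the post; the label patterns and the `likely_mislabel` rule are assumptions for illustration, not any vendor's taxonomy.

```python
import re
from collections import Counter

# Subset of the result rows quoted in the post (engine, version, update, result).
SCAN = """\
AntiVir 7.4.0.37 06.29.2007 APPL/KillApplicat.A
Avast 4.7.997.0 06.30.2007 Win32:Trojan-gen. {VC}
AVG 7.5.0.476 06.29.2007 no virus found
Ikarus T3.1.1.8 06.30.2007 not-a-virus:RiskTool.Win32.PsKill.p
Kaspersky 4.0.2.24 06.30.2007 not-a-virus:RiskTool.Win32.PsKill.p
McAfee 5064 06.29.2007 potentially unwanted program RemAdm-PSKill
Microsoft 1.2701 06.30.2007 no virus found
Webwasher-Gateway 6.0.1 06.29.2007 Riskware.KillApplicat.A
"""

# The result column may contain spaces, so it is captured as "rest of line".
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

# Assumed heuristic: label fragments that mark a dual-use tool, not malware.
RISKWARE = re.compile(
    r"not-a-virus|riskware|risktool|potentially unwanted|^APPL/", re.I)

def parse(text):
    """Turn the flat rows into dicts, skipping lines that do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"engine": m[1], "version": m[2],
                         "updated": m[3], "result": m[4].strip()})
    return rows

def classify(result):
    """Map one engine's verdict string to clean / riskware / malware."""
    if result.lower() == "no virus found":
        return "clean"
    return "riskware" if RISKWARE.search(result) else "malware"

def triage(text):
    """Count verdict classes and list engines using a malware-family label."""
    rows = parse(text)
    counts = Counter(classify(r["result"]) for r in rows)
    outliers = [r["engine"] for r in rows if classify(r["result"]) == "malware"]
    # Flag for manual review when riskware labels outnumber malware labels.
    likely_mislabel = counts["riskware"] > counts["malware"] > 0
    return counts, outliers, likely_mislabel

if __name__ == "__main__":
    print(triage(SCAN))
```

The flag is only a prompt to submit the file to the outlier vendor for reanalysis; it says nothing about whether the binary on disk is the genuine vendor-supplied one.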