Dear staff,
first of all, compliments for the fine avast antivirus free, the most complete of all free antiviruses.
Now, I’ve got a question about a little program I’ve downloaded. You can find it here:
http://www.mediafire.com/?tjz4uljz2vn
This program is a patch for Acer Launch Manager written by a certain Morris, as he himself describes in his blog at this web page:
http://www.theacerguy.com/2009/05/aspire-5920g-launch-manager-patch/
The original Acer program has a “bug” that doesn’t permit the program to recognize a button (the bluetooth button) of the laptop, so that such button can’t be used.
To fix this bug (and to add some other features), the patch needs to make many changes to the system, so that Avast Antivirus Free recognizes the program as a “Win32:Malware-gen”. Also, I’ve scanned the file with McAfee antivirus and it doesn’t detect any malware.
My question is:
is this Morris’ Launch Manager safe (in this case the Avast alert would be a false positive, detected, I think, with the heuristic method and caused by the changes that the patch would make in the system) or is it real malware?
Thank you very much.
Best regards.
well it is not only avast! that does not like it
VirusTotal - Morris’ Launch Manager V11.0 x86+64-bit.exe - 29/43
http://www.virustotal.com/file-scan/report.html?id=f25873d7db340fa0618c7390527746515f2ea08aae341ab8598c3687eeb7514f-1309931650
It is not a sufficient reason to say it’s malware. The patch, in fact, acts deeply in the system files, so it could be possible (if not probable) that it is recognized as malware but it isn’t.
When a file scanned with an antivirus heuristic method is marked as malware, it will be deeply analyzed by the antivirus programmers’ team to understand if it is real malware or not, so that they will update the heuristic algorithm and implement it in the next release of the antivirus program: in this way, AV programmers decrease the number of false-positive results, hence improving the product.
So, I’m asking some moderator to know if my file is real malware or not.
However, any other kind of comment by forum’s users is well appreciated (thank you Pondus for your very useful comment!).
Best regards.
Threatexpert doesn’t like it either → http://www.threatexpert.com/report.aspx?md5=174696be651a15cad2d2b4757f873970
@ Rappaping
I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file.
With such a high number of scanners finding this at the very least suspicious, I would be in no rush to use it. I would however be checking out Acer, surely they themselves have released this patch officially on the Acer website (since the Blog article is over two years old) ?
Not the unofficial Acer Blog, by someone on the inside, as they say it isn’t UAC friendly and all of that is going to get many AVs twitching from all of these changes. So I rather doubt they are going to change their signatures based on what it does to the system being very much like malware activity. The problem is one of intent, an AV has no way of knowing if these modifications are for good or evil purposes.
So the decision and acceptance of risk would have to be yours.
Hi Rappaping and DavidR,
The main concern here is the presence of x32.exe here, Application Layer Gateway Service, which has been looked upon as undesirable to say the least here: http://www.bleepingcomputer.com/startups/x32.exe-24090.html
x32.exe is considered to be a spyware trojan
So as DavidR says I would reconsider using the executable. Did you analyze the file through FileAlyzer and how was the file certified?
polonus
Thank you all for your help!
To David:
“I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file.”
I haven’t made my mind up already, because if I had, I’d have installed the patch on my system, but I haven’t.
“Not the unofficial Acer Blog, by someone on the inside, as they say it isn’t UAC friendly”
I’ve looked for an official patch already, but there isn’t, so the unofficial patch would be very useful for me.
UAC unfriendly is not a synonym of malware.
“I rather doubt they are going to change their signatures based on what it does to system being VERY MUCH LIKE malware activity. The problem is one of intent, an AV has no way of knowing if these modifications are for good or evil purposes.”
Actually, I don’t understand you when you say “VERY MUCH LIKE malware activities”, because malware is, substantially, a program that offers an unauthorized service to itself (a worm, for example) or to an unauthorized person (backdoors give remote access, spyware collects and sends private data, etc.), so a program is malware or it is not! The only kind of “VERY MUCH LIKE malware activity” I can think of is an easily exploitable program (for example because it was badly coded), but that is not my interest in this topic. Also, when an antivirus finds malware with the heuristic method, the only way to know if it is real malware or a false positive is to analyze the program’s activity to understand what it really does. It is an important job for AV software houses, because if the program is a false positive, they can understand where the algorithms used to detect the file are wrong and then they can improve them, so that false-positive detection will improve. Lastly, it is very important for a software house to improve false-positive detection by its antivirus, for two main reasons:
- false-positive programs are safe and probably useful programs that can’t be used because they are labelled (by the AV) as malicious software
- antivirus software testers rate products also considering false-positive detection (you can see “Antivirus Comparatives Summary Report 2010”, section D “False Positives winners” in the PDF at http://www.av-comparatives.org/comparativesreviews/summary-reports ): of course it is in the interest of software houses to reach the best possible rating in those tests.
What I asked for in this topic, is to know if my patch contains REAL malicious software.
Altarir (thank you very much!) offered us great help, because he scanned every single file from the archive, so we now know which files are safe and which COULD BE malicious.
Polonus (thank you too!) has confirmed that x32.exe IS malware.
Now, I think I’d have to
- look for the other suspicious files’ reports on the internet to confirm or deny that they are malicious
- delete confirmed malicious files from the archive
Then, it would become much more reasonable to try installing the patch, even though an analysis by Avast programmers of the files I couldn’t confirm or deny would be the top.
Note that not all VirusTotal antiviruses have detected malware and that some of them are very good AV programs with (BETTER THAN OTHERS?) heuristic virus scanning features implemented in the AV engine.
Best regards
Hi Rappaping,
What I should do is to load up the file to Anubis http://anubis.iseclab.org/ and report the analysis report url back here.
Now going over the whole discussion in your thread your final evaluation turns around the point: “Is this a risktool with malware-like aspects, but created by a developer with the best of intentions for it to be a desirable genuine software solution or is it a genuine looking software solution created to pose as such but with hidden malicious intent?”
If it was your intention to install this and you were aware of the risks and vulnerabilities involved, you could classify the whole issue as: “Is this a PUP or not?”
A piece of software that is also being qualified as heuristic malware because of the way it behaves.
While malcreants and genuine software developers alike use the same methods for their creations like similar genuine protection methods and in the case of malcreants stolen software certifications, it is rather difficult to rubber stamp it for what it really is.
An official mention by Acer’s that this third party software is harmless and free of malcode would help you enormously here.
On the other hand we should all applaud a user here in the forums that goes to such lengths as to establish the inevitable software fixes he needs are secure enough to use.
Reassuring was this scan: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.mediafire.com%2F%3Ftjz4uljz2vn
And this one: Checking: -http://connect.facebook.net/en_US/all.js#xfbml=1
File size: 126.14 KB
File MD5: 9c8ae137787710db4434da343b81ee4b
-http://connect.facebook.net/en_US/all.js#xfbml=1 - Ok
Checking: -http://www.mediafire.com//blank.html?tjz4uljz2vn
File size: 64 bytes
File MD5: 8257335b77d5beb3a4771a064a50518d
-http://www.mediafire.com//blank.html?tjz4uljz2vn - Ok
Checking: -http://cdn.mediafire.com/js/master_45144.js
File size: 234.54 KB
File MD5: a30e9e1bad3950a33b57edf6b08ba52b
-http://cdn.mediafire.com/js/master_45144.js - Ok
Checking: -https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.js
File size: 214.09 KB
File MD5: 8c40d7e0c38ccbca24b7ba29a1db07e7
-https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.js - Ok
Checking: -http://connect.facebook.net/en_US/all.js
File size: 126.14 KB
File MD5: 3e1aebc31749e591e771ea4f6eb9e33c
-http://connect.facebook.net/en_US/all.js - Ok
Checking: -http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62
File size: 7769 bytes
File MD5: d25e7b6651dcef405bbdffc084c5ee68
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.0 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.1 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.2 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.3 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62/Script.4 - Ok
-http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Fwww.facebook.com%2Fmediafire&width=210&colorscheme=light&connections=0&stream=false&header=true&height=62 - Ok
Checking: -http://www.mediafire.com/?tjz4uljz2vn
Engine version: 5.0.2.3300
Total virus-finding records: 2334176
File size: 57.13 KB
File MD5: 2a2940c7a67cd33188b6b570d6cd4b73
-http://www.mediafire.com/?tjz4uljz2vn - archive HTML
-http://www.mediafire.com/?tjz4uljz2vn/Script.0 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/Script.1 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/Script.2 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/JavaScript.3 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/Script.4 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/JavaScript.5 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/Script.6 - Ok
-http://www.mediafire.com/?tjz4uljz2vn/Script.7 - Ok
-http://www.mediafire.com/?tjz4uljz2vn - Ok
I will be waiting for that Anubis report link, I will gladly evaluate that for you as best I can, if you like?
polonus
Without doubt I’d like that, Polonus!
Also, you really understand all I’ve written.
I uploaded the file (Morris’ Launch Manager V11.0 x86+64-bit.exe) to NORMAN lab as a false positive case since it was detected in the VT
and I can now see it in the list of confirmed False Positives
Hi Pondus,
I think that Rappaping will be glad to hear this. As the Anubis report comes in later, because again at this moment it is again as slow as molasses, it could well be that at the end of the day avast only detects this in PUP-mode, but that is for them to decide. But the NORMAN lab results show that my first hunch and feeling about this as I explained to Rappaping was right: “Suspicious at first glance, but genuine under the hood when tested”,
polonus
From NORMAN lab
Hi, Since the file submitted is a false-positive our senior researcher confirmed it and removed that detection from our database.
The legit file was detected in the first case due to a heuristic detection in our engine. We have made necessary changes to rectify the same.
Thanks,
GD.
Hi guys!
Can we trust Norman senior researchers? I don’t know. If yes, is the bleepingcomputer report an error because the file is a false positive, or is it another file with the same name as ours (x32.exe)?
Polonus, have you been notified by Anubis?
P.S.: I’ve opened the urlquery link with Firefox with the NoScript addon active, avast antivirus and McAfee security center active, but without any sandbox. Must I be worried?
Hi Rappaping,
I will give you the results as soon as they come in. With NoScript active in Fx and nothing specifically downloaded from that link, I would not worry about visiting that link at urlquery dot net. As long as you do not doubleclick or open things inside other software or download you will be OK.
What we have to look for in the first place is the functionality of that launch manager, and therefore I have based my evaluation on what we find in the ThreatExpert report that Altarir provided for us in the thread above.
1. Packer: nothing out of the ordinary: UPX
Now another scan to check against…
http://file.virscan.org/report/c877d2a75a5c33981b2820897f00fac5.html
latest results: http://file.virscan.org/report/8f84e6046e0273f9b8d06186e02eaeaa.html
We also have this Dialer DNS Changer functionality to consider.
Rappaping will you please check this for us:
- Start> Run> type in CMD and press Enter
- At the command prompt, type IPCONFIG /ALL and press Enter
- You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something along that line…
- Find the DNS Server section and double-check the numbers.
Give them to us attached…
What was further found in the analysis… characteristics of a security risk, not necessarily that it actually is such, I mean having trojan- and bot-like behaviour, that is, it will be executing unknown programs, like the 3 mentioned below…
4. “bluetoothcfg.exe”, interface,
5. then “hidden start”, and that hstart.exe was only found a threat in 6 percent of cases,
it is used to run console applications and batch files,
not worth another thought then,
6. and finally “nircmdc.exe”, found as malicious in win32.agent,
for an evaluation of this executable see:
http://www.threatexpert.com/files/nircmdc.exe.html,
the number of incidents where it was found to be a threat is zero,
so forget about that one too.
Overall personal conclusion -
Depending on the results of the above additional check,
my overall personal verdict would be:
- “risktool” or “possible unwanted program”,
unless self-installed knowingly and intentionally
by the owner of the computer,
polonus
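The DNS check polonus asks for above (run IPCONFIG /ALL, find the DNS Servers line for each adapter, compare the numbers) is easy to do by hand once, but the useful form of it is a before/after comparison around the install. The following Python is an added example, not code from the thread or from any of the tools it mentions: it parses a constructed `ipconfig /all` capture (the adapter names and addresses are made up, with 203.0.113.53 planted on one adapter as the "changed" server), lists the DNS servers per adapter, flags any server outside an allow-list, and diffs two captures so a DNS changer would show up as a per-adapter change.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ipconfig /all` output (not from the thread). The
# Bluetooth adapter has been given a DNS server outside the expected set so
# the checks below have something to flag.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.8.8

Ethernet adapter Bluetooth Network Connection:

   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

# Adapter headers start in column 0 and end with ':'; field lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
DNS_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
# Extra DNS servers are listed on deeply indented continuation lines.
CONT_RE = re.compile(r"^\s{30,}(\S+)\s*$")


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name in an ipconfig /all capture to its DNS server list."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return servers


def unexpected_dns(servers: Dict[str, List[str]], allowed: Set[str]) -> Dict[str, List[str]]:
    """Return {adapter: [server, ...]} for DNS servers not in the allow-list."""
    findings = {}
    for adapter, addrs in servers.items():
        bad = [a for a in addrs if a not in allowed]
        if bad:
            findings[adapter] = bad
    return findings


def dns_changes(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Adapters whose DNS server list differs between two captures (before/after an install)."""
    return {
        a: (before.get(a, []), after.get(a, []))
        for a in sorted(set(before) | set(after))
        if before.get(a, []) != after.get(a, [])
    }


if __name__ == "__main__":
    # The "before" capture is derived from the sample by restoring the planted address.
    before = parse_dns_servers(SAMPLE_IPCONFIG.replace("203.0.113.53", "192.168.1.1"))
    after = parse_dns_servers(SAMPLE_IPCONFIG)
    print("per adapter:", after)
    print("outside allow-list:", unexpected_dns(after, {"192.168.1.1", "8.8.8.8"}))
    print("changed by install:", dns_changes(before, after))
```

On a real machine the two captures would come from `ipconfig /all > before.txt` and `ipconfig /all > after.txt` around the install; the allow-list is whatever the router or ISP actually hands out, which is why the pre-install capture is the thing worth keeping.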
Now we have to consider this report and the Wepawet scan of the link
-http://www.mediafire.com/?tjz4uljz2vn Rappaping gave, suspicious see:
http://wepawet.iseclab.org/view.php?hash=e72370fb8669182fe5310fb7d5f5de20&t=1310063241&type=js
Site ridden with sometimes dubious ad-trackers:
Various 0-0-0 hidden iFrames there, this one -http://cdn5.tribalfusion.com/media/common/pop/pop-11.js reminding of data requested from a remote server of the Virut file infector and an Adware keygen; similar -http://trgca.opt.fimserve.com/ code (requested by Virut)
This is a bad request for a Fake-AV -http://audit.303br.net?anId=20&advId=1925&pubId=3346&campId=9685&vURL= (dead)
Link to malware domain -http://tracking.batanga.com/ adtracker
also CollectiveMedia.createAndAttachAd adtracker
code from -http://ad.turn.com Adtracking servers Security Benign
-UNDERDOGMEDIA Medium Rectangle MediaFire.com IFrame ADCODE START (bad WOT status)
polonus
“We also have this Dialer DNS Changer fuctionality to consider.”
What dialer DNS changer functionality?
Also:
http://www.threatexpert.com/files/nircmd.exe.html , threat in 60% of cases
I’ve posted VirusTotal result to Morris Lee. Now I’m waiting for his answer.
Hi Rappaping,
That is why I asked you to do that specific check after you installed the questionable launcher to establish if that launcher has DNS Changing functionality, like with a malcode dialer, and alters DNS server numbers in your configuration after install.
See also here: http://whatisprocess.com/x32-exe/1172/ 67% will rate it as DANGEROUS
This gives us some insight into what we have to consider with this software before we can eventually give it the all clear. All intriguing considerations. Also my special thanks go out to forum friend Pondus, for all his assistance and perseverance to clear this issue; and Altarir for giving the ThreatExpert report, very helpful indeed. We all learn a lot during this process, good you presented it to us,
polonus
Sorry polonus, but I haven’t installed the patch and I will not before I know it’s safe.
However, it would be useful to launch the patch in a sandbox like BufferZone to see which system files are virtualized after the installation and if the patch fully works inside the virtual zone (a virtual zone that can’t communicate with system files outside itself).
Another idea is to monitor the installation of the patch with a program like InCtrl5 to see which files the installation modifies/creates in the system.
I formatted my laptop a few years ago and these days I can’t risk compromising my system with malware.
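The InCtrl5-style idea in the post above (snapshot the system before the install, snapshot again after, list what was created, modified or deleted) is simple enough to reproduce for the file-system part. This Python is an added example written for this thread, not InCtrl5's or BufferZone's code: it hashes every file under a root, diffs two snapshots, and runs a constructed scenario in a temporary directory that stands in for the system (the paths `Program Files/Launch Manager/LManager.exe` and the dropped `Windows/System32/x32.exe` are made up for the demo; the "installer" step is simulated by hand so it runs offline). It covers files only; a real install monitor would also snapshot the registry and autostart locations.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under `root` (relative, '/'-separated path) to its SHA-256.

    Hashing content rather than trusting timestamps means a file rewritten with
    its original mtime preserved still shows up as modified."""
    state: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            state[rel] = h.hexdigest()
    return state


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as created, deleted or modified between two snapshots."""
    return {
        "created": sorted(p for p in after if p not in before),
        "deleted": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Write `data` to root/rel, creating parent directories (demo helper)."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temp dir stands in for the system drive, and the
    installer's activity is simulated by hand. All contents are made up."""
    root = tempfile.mkdtemp(prefix="inctrl_demo_")
    try:
        # State before running the installer.
        _write(root, "Program Files/Launch Manager/LManager.exe", b"original launch manager")
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "README.txt", b"read me")
        before = snapshot(root)

        # Simulated installer: patch one binary, drop a new one, remove a file.
        _write(root, "Program Files/Launch Manager/LManager.exe", b"patched launch manager")
        _write(root, "Windows/System32/x32.exe", b"new executable")
        os.remove(os.path.join(root, "README.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real install you would call `snapshot()` on the drive (or on the directories that matter, such as Windows, System32 and Program Files) before and after, pickle the two dicts, and read the `created` and `modified` lists: a patch for a launcher is expected to touch the launcher; new executables under System32 are the entries worth sending to the scanners and labs mentioned in this thread.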
“Hi guys! Can we trust Norman senior researchers? I don’t know.”
why not…. ???
maybe this will help…
SOPHOS lab
Thank you for your submission. Here is the result of the analysis:
Morris_ Launch Manager~.0 x~.exe - clean and you are free to authorize
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()
All the other files are free from virus.
Avira lab
Thank you for your email to Avira’s virus lab. Tracking number: INC00777947. A listing of files alongside their results can be found below:
File ID    Filename                   Size (Byte)   Result
26211609   Morris’ Launch Ma…it.exe   738.5 KB      CLEAN
26211946   nircmdc.exe                36 KB         FALSE POSITIVE
26211947   nircmd.exe                 36.5 KB       FALSE POSITIVE
26211948   hstart.exe                 16.5 KB       FALSE POSITIVE