MBAM False Positive? MBAM detected GIMP Files as Trojan.Dropper

Did a full scan with an up-to-date MBAM today and it found 15 infected files.
However, once the scan was over with, the files it thought were infected were from GIMP, a graphics/photo editing program.
I haven’t updated GIMP in a long time either and never had any problems before. So it shouldn’t be GIMP?

False positive? Or not?

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5965

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19019

3/5/2011 1:29:19 PM
mbam-log-2011-03-05 (13-29-16).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 327698
Time elapsed: 1 hour(s), 28 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\alien-map.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\cartoon.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\cubism.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\file-csource.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\file-gbr.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\file-html-table.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\help.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\oilify.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\file-sgi.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\fractal-trace.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\noise-solid.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\photocopy.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\polar-coords.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\ripple.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\van-gogh-lic.exe (Trojan.Dropper) → No action taken.

To be honest I would plump for FP and you should check a few of them out at VirusTotal.

Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here: the URL in the Address bar of the VT results page.

If they prove to be FPs then you would have to report them as FPs on the MBAM forums.

http://forums.malwarebytes.org/index.php?showforum=42

Sorry for getting back to you so late.

http://www.virustotal.com/file-scan/report.html?id=8a1712e01ad42eacaeb13ca38249dcbf312b584911edbe92c8236299db3b6c90-1299389075
http://www.virustotal.com/file-scan/report.html?id=10efd3dd4efc24f352105986190e262467aac596de688de59d656502bcad0861-1299386583
http://www.virustotal.com/file-scan/report.html?id=2b161161148ce53f07b40a3d2ff5210cf4befae36d0cea3d1aa3b8b18bb70f82-1299387948
http://www.virustotal.com/file-scan/report.html?id=8ec85eff2bf12138142cf982a748879782fd4afd441ce605eb56cdc89adc5df7-1260954423

For the last link, I scanned the file “help.exe”.

So far MBAM is the only program that has detected these as malware and I haven’t scanned with it after finding the “trojan.droppers”.

Thanks in advance! ^^

Report them here: http://forums.malwarebytes.org/index.php?showforum=42

That would certainly support my thoughts on it being an FP and one that should be reported on the MBAM false positive board (link in my post above). I would say that given that this is from a popular graphics application, I would imagine that there are already some reports there.

The VT results would be used to support your argument, given that these detections are all Trojan.Dropper, which I believe is a generic/heuristic detection, which are more prone to FP.
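The triage reasoning in the post above (every hit carries the same generic label), as an added example that is not part of the original thread: a Python sketch that parses the "Files Infected" lines of an MBAM log and groups them by detection label and folder. The function names and the `single_cluster` flag are assumptions made for illustration; the sample lines are an excerpt of the log above.

```python
import re
from collections import Counter
from ntpath import basename, dirname  # Windows path rules on any OS

# Excerpt of the "Files Infected" section from the log above (3 of the 15 lines).
SAMPLE_LOG = r"""
Files Infected:
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\alien-map.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\cartoon.exe (Trojan.Dropper) → No action taken.
c:\program files\GIMP-2.0\lib\gimp\2.0\plug-ins\help.exe (Trojan.Dropper) -> No action taken.
"""

# Path, then "(Label)", then an arrow ("→" or "->"), then the action taken.
# The lazy path match also copes with folders such as "program files (x86)".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<label>[^()]+)\) (?:→|->) (?P<action>.+?)\.?$"
)

def parse_detections(log_text):
    """Return one dict (path, label, action) per detection line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Group detections by label and by parent folder for triage."""
    labels = Counter(h["label"] for h in hits)
    folders = Counter(dirname(h["path"]).lower() for h in hits)
    return {
        "total": len(hits),
        "labels": dict(labels),
        "folders": dict(folders),
        # True when every hit shares one label and one folder,
        # the pattern seen in this thread's log.
        "single_cluster": len(labels) == 1 and len(folders) == 1,
        "files": sorted(basename(h["path"]) for h in hits),
    }

if __name__ == "__main__":
    s = summarize(parse_detections(SAMPLE_LOG))
    print(s["total"], s["labels"], s["single_cluster"])
```

The summary only organises the log for reporting; the multi-engine check and the vendor's false-positive board remain the way to confirm an FP.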

@DavidR: Sorry, I did not notice you had posted the link :-[ :slight_smile:

I thought they were FPs because Avast! or MBAM hasn’t detected them before I updated MBAM. (And I’ve had GIMP for a long time)

I’m going to try updating MBAM and doing another Full Scan first.
Hopefully, if this is an FP, it’s been fixed already.

Thanks guys! :slight_smile:

It has been fixed; you have to watch the relevant forum for the fix. This was reported and confirmed fixed:

http://forums.malwarebytes.org/index.php?showtopic=77127

Yes, I rather thought Misuzu wouldn’t be the only one affected and reporting it.