I think I submitted a file that Avast prevented from fully downloading last time, and therefore, it wasn’t a true representative of the problem. This time, I turned off Avast before downloading the file, and resubmitted it to VirusTotal. This is the result I got:
```
Antivirus Version Last Update Result
AhnLab-V3 2008.10.27.3 2008.10.27 -
AntiVir 7.9.0.9 2008.10.27 -
Authentium 5.1.0.4 2008.10.27 -
Avast 4.8.1248.0 2008.10.27 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.27 -
BitDefender 7.2 2008.10.27 -
CAT-QuickHeal 9.50 2008.10.27 -
ClamAV 0.93.1 2008.10.27 -
DrWeb 4.44.0.09170 2008.10.27 -
eSafe 7.0.17.0 2008.10.26 -
eTrust-Vet 31.6.6168 2008.10.25 -
Ewido 4.0 2008.10.27 -
F-Prot 4.4.4.56 2008.10.27 -
Fortinet 3.113.0.0 2008.10.27 -
GData 19 2008.10.27 Win32:Trojan-gen {Other}
Ikarus T3.1.1.44.0 2008.10.27 -
K7AntiVirus 7.10.509 2008.10.27 -
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 -
NOD32 3559 2008.10.27 -
Norman 5.80.02 2008.10.24 -
Panda 9.0.0.4 2008.10.27 Suspicious file
PCTools 4.4.2.0 2008.10.27 -
Prevx1 V2 2008.10.27 -
Rising 21.01.02.00 2008.10.27 -
SecureWeb-Gateway 6.7.6 2008.10.27 Trojan.Agent.1187840
Sophos 4.35.0 2008.10.27 -
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.27 -
TheHacker 6.3.1.1.131 2008.10.27 -
TrendMicro 8.700.0.1004 2008.10.27 -
VBA32 3.12.8.8 2008.10.27 -
ViRobot 2008.10.27.1438 2008.10.27 -
VirusBuster 4.5.11.0 2008.10.27 -
Additional information
File size: 3096576 bytes
MD5...: 9b584bd0a289c8062096d3028b8f7aa3
SHA1..: 1c79471979c4b7ffb12baa3e5ebfd36afd20fc34
SHA256: 675cc8cef5a5cc1907cb6f7fd7a512f362056b62e77042871a1270a445e0d833
SHA512: 17d9b04d254c2159b69d2783dfe55072fea4d83e582a2b3f0d2c67710170a9c4
5a43448d3e406f6a4ab0b40835b4ddc082095ae09f2685cd92894d1f45e8a701
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4278cb
timedatestamp.....: 0x3f68a4de (Wed Sep 17 18:15:58 2003)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x314f5 0x32000 6.59 6bc6e9b9073df6efcf06f61ea9c82869
.rdata 0x33000 0x5052 0x6000 3.54 4f93ec0392eabc9e73103ba7508a69b8
.data 0x39000 0x3c1e8 0x13000 5.48 5a474b42d3cba5083c2ef3db47981a19
.rsrc 0x76000 0x2a7a40 0x2a8000 7.99 1813f91973e1f474255d07b597b9c65b
( 5 imports )
> KERNEL32.dll: SetCurrentDirectoryA, GetCurrentDirectoryA, GetTickCount, GetTempPathA, GetTempFileNameA, DeleteFileA, SetEnvironmentVariableA, CompareStringW, CompareStringA, SetEndOfFile, SetStdHandle, LoadLibraryA, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetProcAddress, GetStringTypeW, GetStringTypeA, FlushFileBuffers, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, CloseHandle, CreateFileA, MoveFileA, SystemTimeToFileTime, GetLocalTime, FileTimeToDosDateTime, DosDateTimeToFileTime, GetFileAttributesA, CompareFileTime, SetFileAttributesA, CreateFileW, SetFileTime, LocalFileTimeToFileTime, WriteFile, WideCharToMultiByte, MultiByteToWideChar, ReadFile, GetFileSize, GetLastError, LocalFree, FormatMessageA, GetFileTime, GetCurrentThreadId, IsBadReadPtr, MapViewOfFile, CreateFileMappingA, GetModuleFileNameA, SetFilePointer, UnmapViewOfFile, CreateDirectoryA, CreateDirectoryW, SetCurrentDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, GetSystemTime, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, GetTimeZoneInformation, HeapAlloc, HeapFree, HeapReAlloc, TerminateProcess, GetCurrentProcess, HeapSize, UnhandledExceptionFilter
> USER32.dll: SendMessageA, GetDlgItem, GetDlgItemTextA, DefWindowProcA, DestroyWindow, BeginPaint, EndPaint, CreateWindowExA, EndDialog, PostQuitMessage, PostMessageA, SetDlgItemTextA, SendDlgItemMessageA, SetTimer, LoadCursorA, RegisterClassExA, GetDesktopWindow, GetWindowRect, CopyRect, OffsetRect, SetWindowPos, LoadStringA, GetMessageA, TranslateMessage, DispatchMessageA, DialogBoxParamA, MessageBoxA
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, ShellExecuteA, SHBrowseForFolderA
> ole32.dll: CoInitialize, CoCreateInstance, CoUninitialize
> OLEAUT32.dll: -, -
( 0 exports )
packers (Kaspersky): Armadillo
packers (F-Prot): Armadillo
```
It is identified as the same trojan by another service, and Panda considers it a “suspicious” file. I still think it is a false positive, but I wanted to hear a more expert opinion. It is part of a program for running macros, so perhaps it contains some code that operates at a low level on the computer that looks suspicious.
Thanks!
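An added triage helper for reports like the one pasted above; it is not part of the original post and not VirusTotal tooling. It parses the text report, counts generic-looking verdicts against the number of engines, and notes the packer and the high-entropy `.rsrc` section that commonly explain such hits. The sample rows are copied from the report above, and the cutoffs (a third of engines, 7.0 bits/byte, the generic-name markers) are assumed rules of thumb, not anything the report states.

```python
import re

# Constructed sample: rows copied from the VirusTotal text report in the post
# (its 4 hits, 10 of its clean rows, the PEiD line and two section rows).
SAMPLE_REPORT = """\
AVG 8.0.0.161 2008.10.27 -
Avast 4.8.1248.0 2008.10.27 Win32:Trojan-gen {Other}
BitDefender 7.2 2008.10.27 -
ClamAV 0.93.1 2008.10.27 -
F-Prot 4.4.4.56 2008.10.27 -
GData 19 2008.10.27 Win32:Trojan-gen {Other}
Kaspersky 7.0.0.125 2008.10.27 -
McAfee 5415 2008.10.25 -
Microsoft 1.4005 2008.10.27 -
NOD32 3559 2008.10.27 -
Panda 9.0.0.4 2008.10.27 Suspicious file
SecureWeb-Gateway 6.7.6 2008.10.27 Trojan.Agent.1187840
Sophos 4.35.0 2008.10.27 -
Symantec 10 2008.10.27 -
PEiD..: Armadillo v1.71
.text 0x1000 0x314f5 0x32000 6.59 6bc6e9b9073df6efcf06f61ea9c82869
.rsrc 0x76000 0x2a7a40 0x2a8000 7.99 1813f91973e1f474255d07b597b9c65b
"""

AV_ROW = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
SECTION_ROW = re.compile(r"^(\.\w+) 0x[0-9a-f]+ 0x[0-9a-f]+ 0x[0-9a-f]+ ([\d.]+) [0-9a-f]{32}$")
PACKER_ROW = re.compile(r"^(?:PEiD\.*: |packers \([^)]*\): )(\S+)")
# Assumed markers of generic/heuristic verdicts rather than one known family.
GENERIC_MARKERS = ("gen", "suspicious", "heur", "agent")

def triage(report):
    engines, hits, packers, hot = 0, {}, set(), []
    for line in report.splitlines():
        if m := AV_ROW.match(line):
            engines += 1
            if m.group(4).strip() != "-":
                hits[m.group(1)] = m.group(4).strip()
        elif m := SECTION_ROW.match(line):
            # Entropy near 8 bits/byte means compressed or encrypted content.
            if float(m.group(2)) >= 7.0:
                hot.append(m.group(1))
        elif m := PACKER_ROW.match(line):
            packers.add(m.group(1))
    generic_only = all(any(k in v.lower() for k in GENERIC_MARKERS) for v in hits.values())
    ratio = len(hits) / engines if engines else 0.0
    # Assumed rule of thumb: under a third of engines, only generic names, and a
    # packer or high-entropy section to explain them -> unconfirmed, needs review.
    unconfirmed = ratio < 1 / 3 and generic_only and bool(packers or hot)
    return {"engines": engines, "hits": hits, "ratio": ratio, "generic_only": generic_only,
            "packers": sorted(packers), "high_entropy_sections": hot, "unconfirmed": unconfirmed}
```

Fed the full pasted report instead of the sample, the same function sees 37 engines and 4 hits; "unconfirmed" means the hits are consistent with packer heuristics, not that the file is clean, so the next step is still a sandbox run or manual inspection of the unpacked binary.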