Possible False Positive?

I’ve been using SlimFTP (lightweight Win32 FTP server from Matt Whitlock) for many years and suddenly, Avast! Home is telling me that it’s actually a trojan. I thought perhaps my installed server was infected somehow, so I tried to download it again, and Avast! says the new version is a trojan too. This cannot be right. Can anybody double check this for me?

http://i114.photobucket.com/albums/n256/evilsupahfly/Help/Avast.png

And in case you’re wondering:

SlimFTPd is a fully standards-compliant FTP server implementation with an advanced virtual file system. It is extremely small, but don't let its file size deceive you: SlimFTPd packs a lot of bang for the kilobyte. It is written in pure Win32 C++ with no external dependencies and no messy installer. SlimFTPd is a fully multi-threaded application that runs as a system service on Windows 98/ME or Windows NT/2K/XP, and it comes with a tool to simplify its installation or uninstallation as a system service. Once the service is started, SlimFTPd runs quietly in the background. It reads its configuration from a config file in the same folder as the executable, and it outputs all activity to a log file in the same place. The virtual file system allows you to mount any local drive or path to any virtual path on the server. This allows you to have multiple local drives represented on the server's virtual file system or just different folders from the same drive. SlimFTPd allows you to set individual permissions for server paths. Open slimftpd.conf in your favorite text editor to set up SlimFTPd's configuration. The format of SlimFTPd's config file is similar to Apache Web Server's for those familiar with Apache. Supports passive mode transfers and allows resume of failed transfers. Small memory footprint; won't hog system resources. Easy configuration of server options through configuration file. All activity logged to file. Support for binding to a specific interface in multihomed environments. User definable timeouts. No installation routine; won't take over your system. Executable is tiny! Supports all standard FTP commands: ABOR, APPE, CDUP/XCUP, CWD/XCWD, DELE, HELP, LIST, MKD/XMKD, NOOP, PASS, PASV, PORT, PWD/XPWD, QUIT, REIN, RETR, RMD/XRMD, RNFR/RNTO, STAT, STOR, SYST, TYPE, USER. Supports these extended FTP commands: MDTM, NLST, REST, SIZE. Supports setting of file timestamps. Conforms to RFC 959 and RFC 1123 standards.

You would need to pause the web shield to be able to download it, but the standard shield would then alert; select no action (don’t install) and check out the info below.

You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

So - uh - can somebody translate for me?

http://www.virustotal.com/analisis/283e7ee5cbfc184b7fc4a473e293035c

Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File SlimFTPd.exe received on 08.30.2008 15:22:12 (CET)
Current status: finished
Result: 14/36 (38.89%)


Antivirus          Version         Last Update  Result
------------------------------------------------------------------------------------
AhnLab-V3          2008.8.29.0     2008.08.29   Win-Trojan/Genlot.54272
AntiVir            7.8.1.23        2008.08.29   -
Authentium         5.1.0.4         2008.08.30   W32/HackTool.BUY
Avast              4.8.1195.0      2008.08.30   Win32:Trojan-gen {Other}
AVG                8.0.0.161       2008.08.29   -
BitDefender        7.2             2008.08.30   Trojan.Genlot.ALM
CAT-QuickHeal      9.50            2008.08.29   -
ClamAV             0.93.1          2008.08.30   -
DrWeb              4.44.0.09170    2008.08.30   -
eSafe              7.0.17.0        2008.08.28   -
eTrust-Vet         31.6.6057       2008.08.29   -
Ewido              4.0             2008.08.30   -
F-Prot             4.4.4.56        2008.08.29   W32/HackTool.BUY
F-Secure           7.60.13501.0    2008.08.30   Server-FTP.Win32.SlimFTPd.318
Fortinet           3.14.0.0        2008.08.30   Misc/SlimFTPd
GData              19              2008.08.30   Win32:Trojan-gen
Ikarus             T3.1.1.34.0     2008.08.30   not-a-virus:Server-FTP.Win32.SlimFTPd.318
K7AntiVirus        7.10.433        2008.08.30   Non-Virus:Server-FTP.Win32.SlimFTPd.318
Kaspersky          7.0.0.125       2008.08.30   not-a-virus:Server-FTP.Win32.SlimFTPd.318
McAfee             5373            2008.08.29   -
Microsoft          1.3807          2008.08.25   -
NOD32v2            3401            2008.08.30   -
Norman             5.80.02         2008.08.29   -
Panda              9.0.0.4         2008.08.30   Generic Trojan
PCTools            4.4.2.0         2008.08.30   -
Prevx1             V2              2008.08.30   -
Rising             20.59.51.00     2008.08.30   -
Sophos             4.33.0          2008.08.30   -
Sunbelt            3.1.1592.1      2008.08.29   -
Symantec           10              2008.08.30   -
TheHacker          6.3.0.6.068     2008.08.30   -
TrendMicro         8.700.0.1004    2008.08.29   TROJ_ZEROML.JM
VBA32              3.12.8.4        2008.08.30   -
ViRobot            2008.8.30.1357  2008.08.30   Not_a_virus:ServerFTP.SlimFTPd.54272
VirusBuster        4.5.11.0        2008.08.29   -
Webwasher-Gateway  6.6.2           2008.08.29   -

Additional information
File size: 54272 bytes
MD5...: c76226da51e439a5e51bab3a2c61d953
SHA1..: 097f178fc2f89ad565253ed48d8cbfcc14265ba3
SHA256: 044283bb1ce6306b0228119c475d7d277bb35275291791f10f1e96f792285e3f
SHA512: a044154add14215dc5382e0d20f788ab02c3e9671a5c4923e89361c9b1e2a8acc228515cbe3f0acc41b8c05a9506f2c8cf71426be6a11c07d9d89c0391340d92
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4090d6
timedatestamp.....: 0x45387da6 (Fri Oct 20 07:41:26 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x8ddc   0x8e00   6.21   b85193e407d76ce276b3cd108ecb6906
.rdata  0xa000   0x38e8   0x3a00   5.34   e6c487026105897bfd2904cd121b5061
.data   0xe000   0x484    0x200    2.31   e5fac039e8a7dd28ae034d9f96da1397
.rsrc   0xf000   0x460    0x600    4.63   79460209623f64dc5b358b7849efeb7a

( 7 imports )
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: StrToIntA
> KERNEL32.dll: GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetStartupInfoA, InterlockedCompareExchange, InterlockedExchange, IsDebuggerPresent, DeleteFileA, GetSystemTime, FindNextFileA, MoveFileA, FindClose, RemoveDirectoryA, FindFirstFileA, CreateFileA, GetFileSize, SetFilePointer, SetEndOfFile, FreeLibrary, SystemTimeToFileTime, SetFileTime, WriteFile, GetCommandLineA, GetFileAttributesA, FileTimeToSystemTime, ReadFile, GetProcAddress, LoadLibraryA, GetModuleFileNameA, GetModuleHandleA, GetFileTime, GetVersionExA, CloseHandle, CreateThread, WaitForSingleObject, GetTimeFormatA, GetDateFormatA, CreateDirectoryA, Sleep
> USER32.dll: PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, PostThreadMessageA, wsprintfA
> ADVAPI32.dll: SetServiceStatus, RegisterServiceCtrlHandlerA, StartServiceCtrlDispatcherA
> MSVCR80.dll: __p__fmode, _encode_pointer, __set_app_type, _CxxThrowException, _crt_debugger_hook, _terminate@@YAXXZ, __type_info_dtor_internal_method@type_info@@QAEXXZ, _unlock, __dllonexit, _lock, _onexit, _decode_pointer, _except_handler4_common, _invoke_watson, _controlfp_s, __CxxFrameHandler3, memset, __p__commode, _stricmp, _strnicmp, strchr, strcpy_s, __3@YAXPAX@Z, __2@YAPAXI@Z, __1exception@std@@UAE@XZ, __0exception@std@@QAE@XZ, __0exception@std@@QAE@ABV01@@Z, strstr, vsprintf_s, _invalid_parameter_noinfo, strrchr, strcat_s, strncpy_s, ___V@YAXPAX@Z, strcspn, _amsg_exit, __getmainargs, _cexit, _exit, _XcptFilter, _ismbblead, exit, _acmdln, _initterm, _initterm_e, _configthreadlocale, __setusermatherr, _adjust_fdiv

( 0 exports ) 
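The PEInfo block above is the part of the report worth learning to read yourself when a scanner flags a long-trusted binary. As an added example (not from this thread, and not SlimFTPd's or VirusTotal's own code), the Python below derives those same fields from any PE file: machine type, link timestamp, entry point as ImageBase plus RVA, and per-section size, Shannon entropy and MD5. It runs offline against a constructed toy PE32 that reuses only the report's timestamp value; the section contents, RVAs and 0x400000 base are constructed.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0), the 'ntrpy' column: ~6 for compiled code, ~8 for packed or encrypted data, ~0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in set(data)))

def parse_pe(image: bytes) -> dict:
    """Return the PEInfo-style fields: machine type, link timestamp, entry-point VA and per-section stats."""
    pe = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1  # e_lfanew -> 'PE\0\0'
    if pe < 0 or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe + 4                                                  # 20-byte COFF file header
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                                # optional header starts here
    magic, entry_rva = struct.unpack_from("<H", image, opt)[0], struct.unpack_from("<I", image, opt + 16)[0]
    # PE32 keeps a 4-byte ImageBase at +28; PE32+ an 8-byte one at +24 (it has no BaseOfData field)
    base = struct.unpack_from("<I", image, opt + 28)[0] if magic == 0x10B else struct.unpack_from("<Q", image, opt + 24)[0]
    sections = []
    for i in range(nsect):                                         # 40-byte section headers follow the optional header
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "viradd": vaddr,
                         "virsiz": vsize, "rawdsiz": rawsize, "ntrpy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "entrypoint": base + entry_rva, "sections": sections,  # VA = ImageBase + RVA
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}

def build_sample() -> bytes:
    """Constructed toy PE32 (not SlimFTPd): a max-entropy .text and an all-zero .data section."""
    text, data = bytes(range(256)) * 2, b"\0" * 512
    raw_start = 0x40 + 4 + 20 + 224 + 2 * 40                        # DOS hdr, sig, COFF, PE32 opt hdr, 2 section hdrs
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)        # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x45387DA6, 0, 0, 224, 0x102)  # I386, 2 sections, the report's timestamp
    opt = bytearray(224)  # magic, 3 size fields, AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<HxxIIIIIII", opt, 0, 0x10B, 0, 0, 0, 0x1056, 0, 0, 0x400000)
    def hdr(name, va, blob, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(blob), va, len(blob), ptr, 0, 0, 0, 0, flags)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + hdr(b".text", 0x1000, text, raw_start, 0x60000020)                # code: execute | read
            + hdr(b".data", 0x2000, data, raw_start + len(text), 0xC0000040)    # data: read | write
            + text + data)
```

Against a real sample, the things to compare with the report are a .text entropy near 6 (plain compiled code rather than a packer), a timestamp that matches the vendor's release, and whether the import list is what a small FTP service needs (here: WSOCK32, service-control APIs, file APIs).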

I think the problem is that it could possibly be used for good or evil, e.g. act as a server and download unwanted stuff.

But you should send it to avast for further analysis as a possible false positive, as I think that this is the likely conclusion. If nothing else it should possibly be re-classified as a tool, etc. Use the info in the link I gave to send it to avast.

The server’s source code is included in the download from Matt’s site, so I’m assuming if it was malicious, he wouldn’t be offering the source.

I’ve submitted the original archive from the author, but with a password added, to virus@avast.com and hopefully this will be resolved. I’ve also contacted Matt to report to him that his FTP daemon is being reported as a trojan, but I haven’t heard back from him yet.

Thanks for the update, hopefully it will be reclassified in a similar way to the other detections on VirusTotal.

If you have it in the chest, periodically scan it from within the chest (won’t work from outside) and see if it is reclassified as a tool, etc.