Trojan not detected by avast in kaseya-agent-installer?

Real detection or false positive?
See: https://www.virustotal.com/nl/url/ed6555bef22ed55d6fa9e7c3f255df6535800407676a9f72b0bff272800bf05b/analysis/1384096350/
See: https://www.virustotal.com/nl/file/d3725802596604cd5594387f09c1e7b2c56d6f4b4429c1a8b6441aecd28f4faf/analysis/1384096352/
IDS alerts here: http://urlquery.net/report.php?id=7586815
DrWeb detects this as htxp://msp.wodonnell.com/install/VSA-default-62056423/KcsSetup.exe infected with Trojan.MulDrop4.17260
Blocked by Bitdefender’s TrafficLight.
I get this via an asafaweb scan: It looks like custom errors are not correctly configured as the requested URL contains the heading “Server Error in”.
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Clickjacking warning: Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.
On the executable blocking read: http://community.kaseya.com/xsp/f/26/p/13459/65740.aspx
Read: http://systemexplorer.net/file-database/file/kcssetup-exe &
executable as background task: http://www.computer-support.nl/Systeemtaken/taakinfo/103297/kcssetup.exe/
American → http://www.backgroundtask.eu/Systeemtaken/taakinfo/103297/kcssetup.exe/

Eventual removal instructions: http://www.ehow.com/how_5684355_remove-kaseya-agent-computer.html

pol
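The asafaweb findings quoted above (platform-disclosing headers, a default "Server Error in" page, no X-Frame-Options) can be reproduced as an offline check. This is an added example, not code from the thread or from asafaweb; the header values are the ones the scan reported, and the error-page body fragment is constructed.

```python
"""Offline header-hygiene audit modelled on the asafaweb findings in the post."""

# Constructed sample: the three response headers quoted in the scan result,
# plus a body fragment standing in for the default ASP.NET error page.
SAMPLE_RESPONSE_HEADERS = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "2.0.50727",
    "Content-Type": "text/html",
}
SAMPLE_BODY = "<html><body><h1>Server Error in '/' Application.</h1></body></html>"

# Headers whose presence reveals the web platform; the scan flagged all three.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def audit_frame_options(headers):
    """Return a finding for X-Frame-Options, or None if the value is acceptable.

    Accepted values are the three the scan text describes: DENY, SAMEORIGIN and
    ALLOW-FROM <uri>. (ALLOW-FROM is obsolete in current browsers; the CSP
    frame-ancestors directive supersedes it.) Header-name lookup is case-insensitive.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return "X-Frame-Options missing: page can be framed (clickjacking risk)"
    directive = value.strip().upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return None
    if directive.startswith("ALLOW-FROM ") and len(directive.split(None, 1)) == 2:
        return None
    return f"X-Frame-Options has unrecognised value {value!r}"


def audit_response(headers, body=""):
    """Collect findings for the three classes of issue the scan reported."""
    findings = []
    for k, v in headers.items():
        if k.lower() in DISCLOSURE_HEADERS:
            findings.append(f"Disclosure header {k}: {v}")
    xfo = audit_frame_options(headers)
    if xfo:
        findings.append(xfo)
    if "Server Error in" in body:
        findings.append("Custom errors not configured: default ASP.NET error page detected")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```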

I'm getting a file reputation warning when downloading it.

First submission 2013-11-09 22:20:22 UTC ( vor 17 Stunden, 15 Minuten )

Maybe Kaspersky was faster than Avast this time.

Hi Steven Winderlich,

“Ausgezeichnet”, and I am glad they question it on download.
So there are some risks involved as to what it does on the OS.

pol

File reputation warnings do not mean that the file is dangerous.

This one means that the file is unknown or pretty new to Avast users.

That's not a “this is a dangerous file, don't download it” warning. :slight_smile:

Malwr: https://malwr.com/analysis/MjgxYzI3MzBlNGFkNDBmOGExNTg3Y2RmNzYwNDg1ZTU/

The file is also unknown to Symantec at the moment.

Nothing from Avast when executing the file.

The VM just hung up.

The Tray icon leads to this website: hxxps://connect.wodonnell.com/v4_6_release/services/system_io/customerportal/portal.html?company=wodc&locale=en

I cannot find anything suspicious about this file.

It's just installing like a normal program, sits in the system tray and starts on every system start.

Also nothing detected by Malwarebytes and Hitman Pro.