Universal Extractor 1.5 infected with Win32:Sohanad-I [Wrm], false positive?

On the Universal Extractor website, if you try to download the “UniExtract Binary Archive” version of the program, Avast! says that it is infected with “Win32:Sohanad-I [Wrm]”. Would this be a false positive, as this is an “IM Worm”?

I have had the same problem. I installed the Universal Extractor program some days ago and I have used it without any problem until today. I have tried to search for information about the virus on Google and it hardly appears on any web page. I have not found any even in the Avast! database!!

I have gone to the forum on the Universal Extractor page and there is a message from a user who already had problems with the Avast antivirus and Universal Extractor in January! Pity that nobody has answered his message.

I tend to believe that this is a false alarm, but I would like to confirm it. Can anybody help us? In the meantime, I’ve uninstalled Universal Extractor.

Thanks in advance

David

Ok, I’ve tried the zipped version, without installer, and Avast, after scanning, doesn’t complain!!

David

It’s a false positive. Submitted it yesterday (khm today) at ~2:00 AM ;D

The DrWeb link scanner doesn’t find anything in the .rar file link.

So, as RejZoR says, it looks like an FP.

Yes, it’s an FP. This tool can unpack pretty much any archive, installer or SFX executable. Quite useful :slight_smile:

It has to be. Maybe Avast could look at that tool more closely, since it focuses on unpacking files, which is an area where antiviruses should improve. :wink:

Al968

It’s not really that good. And certainly not as good as an AV when it comes to packers (or archives).
An AV can unpack lots of stuff for its scan engine, but the user cannot extract something for him/herself.
UE can do that. Nothing else.

Well, the inability to unpack the files (and keep them unpacked) is basically just an artificial limitation (it’s certainly not a problem for us to leave the unpacked file on disk, if we’d like ;)). The main difference I’d see here, however, is security. The unpackers in an antivirus engine make sure that the file being unpacked is not started by accident (speaking mostly about executable unpackers now… and about avast!, for which I can speak :)).

I’m not very familiar with Universal Extractor - but I know it’s not a standalone program, but rather a huge number of third party tools of various age, packed together and controlled by a simple(?) wrapper (which detects the format somehow and then calls the corresponding unpacker; I can see PEiD and TrID inside, so even the detection is performed by external tools).
Now, there are lots of “unpackers” out there, for various executable packers, that “work” by simply starting the program, stopping it at some point (if everything goes well), dumping it from memory to disk and then fixing the structure somehow. This is of course unacceptable for unpacking malicious files - you activate the malware this way.

I’m not sure if Universal Extractor includes any of those (but I think it does - I can see AspackDie.exe there, which is very likely exactly this type of tool for dumping ASPack). Because Universal Extractor “author” didn’t write these tools, he doesn’t know how they work. Some of these tools are also outdated (InstallExplorer, for example - very nice FAR plugin, but crashes on some newer versions of the supported archives) - so I’m sure there are vulnerabilities of some kind, if anybody bothered to look for them.

So, the conclusion is - it’s not safe to use things like Universal Extractor for unpacking malicious files. If you have to, do it in a virtual machine, at least.

Hi. I updated Avast today, but it no longer detects Universal Extractor as a worm. Why?

This is the latest file scan: https://www.virustotal.com/nl/file/ce6e10bb0af83ed061b41860c0277ff42dc90d6982dd8c17c57cf81da1eef054/analysis/

also see: http://f.virscan.org/uniextract161_noinst.exe.html
No detections here now: http://urlquery.net/report.php?id=3178731
But earlier: http://urlquery.net/report.php?id=3131784
On fine-tuning of the snort alert policy-violation IDS rule: http://seclists.org/snort/2010/q4/112

According to this report, most malware from there is dead (not responding): http://62.67.194.183/clean-mx/viruses.php?domain=legroom.net&sort=email%20asc
This one excluded:
http://62.67.194.183/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwww.legroom.net%2Fscripts%2Fdownload.php%3Ffile%3Duniextract161

polonus