Maybe our good forum friend Pondus may know more about this detection.
File name: Karen.exe..... I was about to say it is my wife. ;D
Not that old. First submission 2013-12-21 19:30:56 UTC (2 weeks, 5 days ago).
I am at the airport now, so I will check later today … guess I have a reply from Norman tomorrow.
htxp://www.televeresystems.com/support-desk/Karen.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/_=9A=80\Splash.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - archive NSIS
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=99=80\nsisdt.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\NSISdl.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\dialogsEx.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/DualDesk.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/cad.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - archive NSIS
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/script.bin - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe/_=9A=80\nsExec.dll - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe/ddUninst.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD_69.21.166.242_5112.exe - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/DD.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Splash.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Logo.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon1.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Icon2.ico - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Blank.bmp - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Ring.wav - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Alex.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Barb.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricR.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/EricS.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Jeff.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Karen.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Kyle.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Rhea.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Sam.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe/Stacy.txt - Ok
htxp://www.televeresystems.com/support-desk/Karen.exe - Ok
The FP is because of an alert here -Injection Check
Suspicious Text before HTML
quote from Web Security Test.
This is a typical false positive on an NSIS installer: it was flagged in the past as Adware Punisher; AVG, Kaspersky and Sophos flagged this new installer as a trojan and later found out it was a false positive, so I think Norman will soon fix this false positive.
So when we see archive NSIS we have to blink twice before saying it is malcode
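As an added illustration (not code from the forum, from Norman, or from the scanner the thread quotes), this is the kind of check behind a "Suspicious Text before HTML" hit: the fetched body is tested for an MZ/PE header where HTML was expected, and a PE is additionally tagged as an NSIS installer when the NSIS firstheader marker is present, which is the cue the post above says deserves a second look before calling it malcode. The sample bytes are constructed here; the real Karen.exe is not used and the scanner's actual logic is an assumption.

```python
import struct

# NSIS firstheader signature: 0xDEADBEEF (little-endian) followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"


def _build_sample_pe(with_nsis: bool) -> bytes:
    """Constructed stand-in for a downloaded installer: minimal MZ/PE header,
    optionally carrying the NSIS marker. Not a real or runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 58)          # e_lfanew lives at offset 0x3C
    dos += struct.pack("<I", 0x80)                   # PE signature will sit at 0x80
    dos += b"This program cannot be run in DOS mode.\r\n$"
    dos += b"\x00" * (0x80 - len(dos))
    pe = b"PE\x00\x00" + b"\x00" * 20                # signature + empty COFF header
    body = b"\x00" * 64
    if with_nsis:
        body += NSIS_MARKER
    return bytes(dos) + pe + body


def is_pe(data: bytes) -> bool:
    """True when the bytes carry an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_html(data: bytes) -> bool:
    """Cheap check for what the 'text before HTML' heuristic expects to see."""
    head = data.lstrip()[:64].lower()
    return head.startswith(b"<!doctype") or head.startswith(b"<html")


def triage(data: bytes) -> str:
    """Classify a fetched body: 'html', 'pe', 'pe-nsis' or 'unknown'.
    A 'pe-nsis' verdict on a download link is the classic false-positive
    pattern discussed in the thread, not evidence of injection by itself."""
    if looks_like_html(data):
        return "html"
    if is_pe(data):
        return "pe-nsis" if NSIS_MARKER in data else "pe"
    return "unknown"


if __name__ == "__main__":
    print(triage(_build_sample_pe(True)))    # pe-nsis
    print(triage(b"<!DOCTYPE html><html></html>"))  # html
```

A body classified as `pe` or `pe-nsis` at a URL that serves a download is expected content; the heuristic is only interesting when a PE turns up at a URL that should have returned a page.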
That means, dear Pondus, that they are vulnerable amongst other things to clickjacking.
htxp://www.televeresystems.com/wordpress/wp-content/themes/elogix/
For code hiccups and insecurity see: http://jsunpack.jeek.org/?report=f466bffd2353189a4b029d9b7d2d14ffa583291a
On the elogix theme, read on the insecurity of such themes - web-applications-security/ error: undefined function $
and problems with the stylesheet etc.
pingback goes here: htxp://www.televeresystems.com/wordpress/xmlrpc.php
vulnerable to WP pingback vulnerability in version 3.5 and RCI exploit: http://www.securityfocus.com/bid/14088/exploit
→ credit references, see: http://www.securityfocus.com/bid/14088/references