Win32:PureMorph [Cryp]-inet_gethost.exe - False Positive?

I did a thorough scan of my PC (Win XP Home-SP3) with Avast 4.8.1229 Home (Definition 081109-0, 11/09) and it detected a virus:

11/8/2008 5:43:32 PM User 3736 Sign of “Win32:PureMorph [Cryp]” has been found in “C:\Program Files\wings3d_0.98.36\bin\inet_gethost.exe” file.

inet_gethost was installed by the Wings3D installer which I downloaded from www.wings3d.com around 12/2007.

I uploaded the file to virustotal and got the result:
http://www.virustotal.com/analisis/cb68988ad28778a13832b82204ebe81b

Antivirus Version Last Update Result
AhnLab-V3 2008.11.7.1 2008.11.08 -
AntiVir 7.9.0.26 2008.11.07 -
Authentium 5.1.0.4 2008.11.08 -
Avast 4.8.1248.0 2008.11.08 Win32:PureMorph
AVG 8.0.0.161 2008.11.08 -
BitDefender 7.2 2008.11.09 -
CAT-QuickHeal 9.50 2008.11.08 -
ClamAV 0.94.1 2008.11.09 -
DrWeb 4.44.0.09170 2008.11.09 -
eSafe 7.0.17.0 2008.11.06 -
eTrust-Vet 31.6.6198 2008.11.07 -
Ewido 4.0 2008.11.08 -
F-Prot 4.4.4.56 2008.11.08 -
F-Secure 8.0.14332.0 2008.11.09 -
Fortinet 3.117.0.0 2008.11.08 -
GData 19 2008.11.09 Win32:PureMorph
Ikarus T3.1.1.45.0 2008.11.09 Virus.Win32.PureMorph
K7AntiVirus 7.10.520 2008.11.08 -
Kaspersky 7.0.0.125 2008.11.09 -
McAfee 5428 2008.11.08 -
Microsoft 1.4104 2008.11.09 -
NOD32 3597 2008.11.08 -
Norman 5.80.02 2008.11.07 -
Panda 9.0.0.4 2008.11.08 -
PCTools 4.4.2.0 2008.11.08 -
Prevx1 V2 2008.11.09 -
Rising 21.02.52.00 2008.11.08 -
SecureWeb-Gateway 6.7.6 2008.11.09 -
Sophos 4.35.0 2008.11.08 -
Sunbelt 3.1.1785.2 2008.11.08 -
Symantec 10 2008.11.09 -
TheHacker 6.3.1.1.146 2008.11.08 -
TrendMicro 8.700.0.1004 2008.11.07 -
VBA32 3.12.8.9 2008.11.09 -
ViRobot 2008.11.7.1457 2008.11.07 -
VirusBuster 4.5.11.0 2008.11.08 -
Additional information
File size: 24576 bytes
MD5…: 752b0a75f367ab802557c353b002e041
SHA1…: 45aa3b099045167488611cd2e2a6e6f456472577
SHA256: ff0d2746092f50fb594cfe6448f804f77c201804e4b220bf56e7e287a67de20a
SHA512: 611b14d1949f027133ad8f6cb9eb0decf089357e6341e90337750cb30c35dc84
66ad5bcae58b5b3e83e37b79de3ec39c9ee410a04a9cbfd84f8f1ff3d781ea4a
PEiD…: -
TrID…: File type identification
Windows Screen Saver (39.4%)
Win32 Executable Generic (25.6%)
Win32 Dynamic Link Library (generic) (22.8%)
Generic Win/DOS Executable (6.0%)
DOS Executable Generic (6.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403580
timedatestamp…: 0x455070fa (Tue Nov 07 11:41:46 2006)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2700 0x3000 5.47 d7067c5f0957609a20a80d0b20e5742b
.rdata 0x4000 0x4c4 0x1000 1.89 1e894b9f1bfa50fc01096762b5390f09
.data 0x5000 0xd58 0x1000 4.36 143631fd488f0fbf134c8f5655c814fb

( 3 imports )

MSVCRT.dll: _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _controlfp,

_initterm, __getmainargs, __p___initenv, _XcptFilter, _exit, realloc, malloc, vsprintf, sprintf,

_errno, exit, strncpy, _beginthreadex, free, _iob, fprintf, getenv, _except_handler3, atoi, _getpid

KERNEL32.dll: SetConsoleCtrlHandler, DeleteCriticalSection, CloseHandle, ResetEvent,

EnterCriticalSection, LeaveCriticalSection, SetEvent, CreateEventA, InitializeCriticalSection,

GetCurrentThreadId, WriteFile, ReadFile, GetStdHandle, WaitForSingleObject, GetLastError,

WaitForMultipleObjects, AllocConsole, GetEnvironmentVariableA

WS2_32.dll: -, -, -, -, -

( 0 exports )

According to the Wings3D forum, inet_gethost.exe is necessary to run Wings3D:
http://nendowingsmirai.yuku.com/reply/2263/t/inet-gethost-exe-to-run-Wings3D.html

I’ve put the file in the Virus Chest, and I’ve already e-mailed it to Avast. Since virustotal only showed 3 positives, is it a false positive?

It’s an FP. I hope they fix it.

If it is indeed a false positive and it looks that way, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! (which you have done) and what to do to exclude them until the problem is corrected.

GData uses avast as one of its two scanners, so combined that is 1 detection not 2, so more likely an FP 2/35 not 3/36.