Author Topic: AVAST-Message: Worm MOTA113.exe  (Read 25410 times)

Avastfan1

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #15 on: February 22, 2009, 03:38:43 PM »
Dear Avast Forum Users,

Today I too received the report of the MOTA113.exe infection and the SUPER infection as mentioned earlier in this thread. Did a boot time scan and the details are as follows:

02/22/2009 12:54
Scan of all local drives

File C:\Program Files\eRightSoft\SUPER\spk\Movawin.spk\[tElock]\[PECompact]\[Embedded_I#15e7bc]\[tElock] is infected by Win32:Trojan-gen {Other}
File C:\WINDOWS\MOTA113.exe\[tElock] is infected by Win32:Trojan-gen {Other}

I scanned my system with:
- Blacklight anti-rootkit - no infections or other items found
- MBAM - no infections or other items found
- Spybot - no infections or other items found
- Rootalyzer - no infections or other items found
- ZA Anti-Spyware - no infections or other items found
- SuperantiSpyware - no infections or other items found
- Hijackthis Log submitted to http://www.hijackthis.de/ - no items marked as dangerous

I believe these two items are false positives.

I managed to submit the SUPER file (Movawin.spk) to virustotal and jotti.org and only Avast and one other recognised an infection. Although it said the other virus scanner was only a heuristic detection.

I tried to submit the MOTA113.exe file to both but Avast went mental with the warning things and I clicked 'no action' which subsequently resulted in Avast preventing me from uploading them.

In an ironic way I am glad that others have got this message - as it strengthens the possibility that it will be a false positive. Purely for the reason that if everyone reports the same infection at the same time!!

Hope this will be a false positive and hope it will be corrected in the next VPS.

Avastfan1
« Last Edit: February 22, 2009, 03:42:22 PM by Avastfan1 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: AVAST-Message: Worm MOTA113.exe
« Reply #16 on: February 22, 2009, 04:07:54 PM »
Aren't you asking the same thing twice? Haven't you opened another thread with the same problem? ???
The best things in life are free.

Avastfan1

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #17 on: February 22, 2009, 10:28:44 PM »
Hi Tech,

No, this is the first post I have made on this topic. This issue only started for me a few days ago.

Thanks,

Avastfan1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: AVAST-Message: Worm MOTA113.exe
« Reply #18 on: February 22, 2009, 10:33:07 PM »
Sorry.
You can search the board for MOTA113.exe and you'll find more info.
The best things in life are free.

Avastfan1

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #19 on: February 22, 2009, 10:59:39 PM »
Hi Tech,

Thanks for the response. I searched this forum for MOTA113.exe as you suggested. The only thread it returned was this one.

I'm a little unsure how I should proceed on this issue :(

Yours sincerely,

Avastfan1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
The best things in life are free.

billman1037

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #21 on: February 23, 2009, 07:35:18 PM »
You're not alone. I just got the same thing. I scan every night before going to bed. This popped up last night for me. Also, I looked at the file's date; it was in 2005. Super is a known false positive.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: AVAST-Message: Worm MOTA113.exe
« Reply #22 on: February 23, 2009, 08:17:52 PM »
Hi posters in this thread,

As the find is generic, which means the flagging is because of a find of generic malware-like characteristics, and it is flagged by 5 scanners at virustotal.com, it would be a coincidence that all AV products flagged the same FP. I would hold this in quarantine for the time being.
SAS flagged this file in December of last year, and the discussion then went along the following lines:
Quote
If this is associated with the file Windows\MOTA113.EXE, I am FAIRLY sure AT THIS POINT that it is also a false positive. I am keeping up with the SAS discussion forum on this topic.

I have quarantined the file MOTA113.EXE and have seen no different behavior from my computer -- but I am ready to restore the file if the folks at SAS determine that it is actually a FP.
You could do a full SAS scan and see if it flags it: http://www.superantispyware.com/superantispywarefreevspro.html

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Avastfan1

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #23 on: February 24, 2009, 04:59:46 PM »
False positive has now been confirmed.

Fixed with the latest VPS update - 090224-0.

Thanks Avast!!!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: AVAST-Message: Worm MOTA113.exe
« Reply #24 on: February 24, 2009, 07:21:45 PM »
anyway, it is not good to pack legit software under three layers (1× PECompact and 2× tElock) ::)

Avastfan1

  • Guest
Re: AVAST-Message: Worm MOTA113.exe
« Reply #25 on: February 24, 2009, 08:57:38 PM »
Hello Maxx_Original,

Thank you for your response. I'm not sure if you are an Avast employee. I am extremely satisfied with Avast Anti-virus.

Could you possibly elaborate on the tElock layer a little? I remember seeing that word in the false positive.

Unfortunately I am not that up to speed with computers.

Thanks for your time.

Avastfan1

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: AVAST-Message: Worm MOTA113.exe
« Reply #26 on: February 25, 2009, 10:04:08 AM »
bullseye, i'm the member of avast viruslab..

tElock is a PE packer+protector written by one of the greatest scene rockers - tHE EGOiSTE (tE!) from TMG - more than 9 years ago.. it was publicly available for download (there were also some private versions) and offered a high level of protection for those users who were not able to protect their applications with their own scheme... malware authors also noticed the strength of tElock protection and started using it to hide their nasty work.. tElock itself is not malicious (even when some AV engines detect it as a malware packer), but i can't see any reason to pack legit software in multiple layers (one strong is enough imho) and i consider these files as potentially risky (of course when i have no relation to the source of the file)..

this link http://en.wikipedia.org/wiki/Executable_compression could give you some general information..
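
Added example (not part of the original thread, and not Avast's own code): a Python sketch that parses report lines in the format quoted in Reply #15 and counts the unpacker layers on each finding, reproducing the "1× PECompact and 2× tElock" tally from Reply #24. The regular expressions, the treatment of `Embedded_*` as a container rather than a packer, and the two-layer threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Report lines copied from the boot-time scan quoted in this thread.
REPORT = r"""
File C:\Program Files\eRightSoft\SUPER\spk\Movawin.spk\[tElock]\[PECompact]\[Embedded_I#15e7bc]\[tElock] is infected by Win32:Trojan-gen {Other}
File C:\WINDOWS\MOTA113.exe\[tElock] is infected by Win32:Trojan-gen {Other}
"""

LINE_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<name>.+)$")
# The scanner appends one \[layer] element per object it unpacked.
TAIL_RE = re.compile(r"(?:\\\[[^\]\\]+\])+$")
LAYER_RE = re.compile(r"\\\[([^\]\\]+)\]")
# Assumption: Embedded_* marks an embedded object, not a packer.
CONTAINER_PREFIXES = ("Embedded_",)


def parse_report(text):
    """Return one dict per finding: file on disk, layers, packer tally."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, anything unrecognised
        path = m.group("path")
        tail = TAIL_RE.search(path)
        layers = LAYER_RE.findall(tail.group(0)) if tail else []
        disk_path = path[:tail.start()] if tail else path
        packers = Counter(
            layer for layer in layers
            if not layer.startswith(CONTAINER_PREFIXES)
        )
        findings.append({
            "disk_path": disk_path,
            "layers": layers,
            "packers": dict(packers),
            "detection": m.group("name"),
        })
    return findings


def multi_layer(findings, threshold=2):
    """Findings packed in `threshold` or more packer layers (assumed cut-off)."""
    return [f for f in findings if sum(f["packers"].values()) >= threshold]


if __name__ == "__main__":
    for f in parse_report(REPORT):
        print(f["disk_path"], f["packers"], f["detection"])
```

Multiple packer layers do not prove a file is malicious, as the confirmed false positive in this thread shows; the count only helps decide which generic detections deserve a closer look first.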