Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on February 04, 2009, 08:43:38 PM

Title: Again FP's a year later...
Post by: polonus on February 04, 2009, 08:43:38 PM
Hi malware fighters,

Sometimes malware scanners can come up with similar fake finds, or are they genuine this time?
Today I launched SAS to do a quick scan (I do that once in a while) and it flagged Trojan.Unknown Origin thrice:
Once in C:\Documents and Settings \My Documents\KILL1211.EXE
Once in C:\WINDOWS\SYSTEM32\KCMDNIns.EXE
Once in C:\WINDOWS\SYSTEM32\KILL1211.EXE
At VirusTotal I was informed I had a clean scan on these executables Febr. 27th 2008.
The momentary results for VirusTotal and for Anubis are given in the links below.
http://www.virustotal.com/analisis/39545e387d07f20945703001951eb87b
http://www.virustotal.com/analisis/2886e040824ff4a438bd92057e16533b
http://www.virustotal.com/analisis/bd4cea493a845a4677bea3f7abcb9b33

http://anubis.iseclab.org/?action=result&task_id=15944840605c2fef48d905242f24dd5e1
http://anubis.iseclab.org/?action=result&task_id=1d9ebeecc9297c18409b34ae7e42a51ed&format=txt

KILL1211.EXE seems an FP, the other one also? If actually malware this would be TrojanWiFiKill or Trojan/W32.Agent24576.BI or Worm or Spyware.WiFiKill24576.

Your insights are valuable for me, so I can decide what file to (temporarily) quarantine through SAS,

polonus
Title: Re: Again FP's a year later...
Post by: DavidR on February 04, 2009, 09:32:26 PM
The question I would be asking is how did it get there, e.g. what do you know about it?

Do you not remember you reported this before? My friend Google does ;D
http://forum.avast.com/index.php?topic=30355.0

And another one from the forums from around that period, http://forum.avast.com/index.php?topic=29263.0.
Title: Re: Again FP's a year later...
Post by: polonus on February 04, 2009, 10:03:41 PM
Hi DavidR,

Your memory is as good as mine, added-Google-brain, and reading again through this thread, it is an Acer file, and I am working on an Acer.
Re: http://discussions.virtualdr.com/showthread.php?t=230207

Good old castlecops cannot back me up here, I am afraid, but I put my cards now on a SAS FP here,
KILL1211.EXE seems to come with Acer PCs (Acer ePower Management suite) and not to be malicious, and because I have an Acer it is probably so,
re: http://www.nationaalcomputerforum.nl/showthread.php?t=32419

The other flagged executable, KCMDNIns.EXE, has to do with Acer Empowering Technology Monitor
C:\WINDOWS\system32\SysMonitor.exe and I experienced it would make [eRecoveryService]
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe stop working and that would
not be good, so that's why I was asking about KCMDNIns.exe TR/Inject.aed then, and about this re-flagged as Trojan.Unknown.Origin by SAS.

So more than likely final verdict to both: False Positive,

polonus
Title: Re: Again FP's a year later...
Post by: DavidR on February 04, 2009, 11:24:10 PM
Looks that way.