Avast WEBforum

Other => Viruses and worms => Topic started by: anaigeon on October 21, 2009, 10:59:47 PM

Title: False warning ?
Post by: anaigeon on October 21, 2009, 10:59:47 PM
Hi,

This evening, while executing my weekly light scan (I run a deeper one on Sunday), I got this virus alert:

avast! [REZ-DE-CHAUSSEE] : Fichier "C:\Documents and Settings\Admin\Mes documents\Arrivages\Installés\Images\virtualdubmod_virtualdubmod_1.5.10.1_francais_45486.exe" est infecté par "Win32:Adware-gen [Adw]" virus.
"_ Mon analyse légère" tâche utilisée


The mentioned file is the installation program of the French version of virtualdub (or an add-on to localize it).
This is a well known video program.
What's more surprising is the fact that it has been present for months on my disk, without any warning till today !

I'm not sure it's possible to post files somewhere, in case someone would like to analyse it more thoroughly - in any case I wouldn't post without having been invited to do so.
I doubt it really contains a virus - but I don't use this program, I've just run it a few times just after installation, to see what it can do, and never again since then.
Title: Re: False warning ?
Post by: harman123 on October 21, 2009, 11:09:04 PM
Can you submit the file to www.virustotal.com and check?
Title: Re: False warning ?
Post by: anaigeon on October 21, 2009, 11:22:29 PM
Thanks for this jet answer :-)

I went to www.virustotal.com.
My first attempts were without success, since the site answered it received 0 bytes...
till I realized that I had to stop Avast  LOL

Here is the link to the result (or I'm supposed to post the text?)

http://www.virustotal.com/fr/analisis/d0de62c5114fa4310484d174afab80a443684a8054a116b3358c7b0c888bb85a-1256023016
Title: Re: False warning ?
Post by: harman123 on October 21, 2009, 11:27:23 PM
wow 17 out of 41  :o
It definitely is malware, not a false positive.
Title: Re: False warning ?
Post by: polonus on October 21, 2009, 11:33:51 PM
Hi anaigeon,

Wasn't the developer aware of this? Read this link, where he reported some work-arounds in the code and started flaming AV vendors over the detection: http://www.virtualdub.org/blog/pivot/entry.php?id=245
At least the issue is a little controversial; here they report a worm:
http://www.prevx.com/filenames/1920631375628518756-X1/VIRTUALDUB-V1.6.17.EXE.html
This is because of heuristics being used more and more, and simply because the UPX executable compressor was used in the software, it is detected as a worm/trojan.

You could check this with avast or ask whether this actually is the reason for it being flagged; typical for this are the flags "AdWare.Rabio.db (Not a Virus)" and Comodo's "Unclassified Malware", all typical of a heuristic find.

According to Google, Virtual Dub might be bundled with malware,
but at Unmasked Parasites the site is given as clean...
This source may be secure: http://virtualdub.sourceforge.net/
Or use an alternative like: http://sourceforge.net/projects/camstudio/

polonus
Title: Re: False warning ?
Post by: anaigeon on October 22, 2009, 12:03:18 AM
Thank you very much. I'll probably delete this file, or consider getting the latest (English) version, in which they seem to have taken this problem into account, if I understand correctly a comment on the sourceforge page.
Alain
Title: Re: False warning ?
Post by: polonus on October 22, 2009, 12:09:45 AM
Hi anaigeon,

Glad we could help with the additional info, welcome to the forums here,
stay safe and secure is the wish of,

polonus
Title: Re: False warning ?
Post by: llariel on October 22, 2009, 02:00:30 AM
Can Notepad.exe be a false positive from Malwarebytes?

Here are the logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 6.0.6002 Service Pack 2

10/20/2009 10:38:34 PM
mbam-log-2009-10-20 (22-38-30).txt

Scan type: Quick Scan
Objects scanned: 31578
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: False warning ?
Post by: Lisandro on October 22, 2009, 02:34:31 AM
Submit it to www.virustotal.com to check.
Title: Re: False warning ?
Post by: YoKenny on October 22, 2009, 06:27:03 AM
Update MBAM to 3009, as it could be a false positive in your update, but it may have to be ignored:
http://www.malwarebytes.org/forums/index.php?showtopic=26770&hl=notepad
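To triage a report like llariel's without restoring the handlers blindly, a defender can parse the "Registry Data Items Infected" entries and separate a deliberate Notepad mapping from a genuinely hijacked open command. This is an added example, not MBAM's code or anything from the thread; the log text is reconstructed from the post above, and the Notepad heuristic is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the MBAM 1.41 log quoted in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# One entry: <key> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>.
ENTRY_RE = re.compile(
    r'^(?P<key>HK[A-Z_]+\\.+?) \((?P<detection>[^)]+)\) -> '
    r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+?)\.?$')
COUNT_RE = re.compile(r'^Registry Data Items Infected: (\d+)$')

@dataclass
class RegistryFinding:
    key: str
    detection: str
    bad: str
    good: str
    action: str

    def triage(self):
        """Heuristic verdict (mine, not MBAM's): a handler pointing at NOTEPAD.EXE
        opens .scr/.reg files as text instead of running or merging them, which
        users set on purpose, so it is returned for review rather than auto-fixed."""
        exe = self.bad.split()[0].lower()
        if exe in ("notepad.exe", "notepad"):
            return "review: handler points to Notepad, probably user-set"
        return "remediate: restore default " + self.good

def parse_registry_data_items(log_text):
    """Return (count reported in the summary, list of parsed findings)."""
    count, findings, in_section = None, [], False
    for line in log_text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
        elif line == "Registry Data Items Infected:":
            in_section = True
        elif in_section and not line:
            in_section = False  # a blank line closes the section
        elif in_section:
            m = ENTRY_RE.match(line)
            if m is None:
                raise ValueError("unparsed entry: " + line)
            findings.append(RegistryFinding(**m.groupdict()))
    if count is not None and count != len(findings):
        raise ValueError(f"summary says {count} items, parsed {len(findings)}")
    return count, findings
```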