Avast WEBforum

Other => Viruses and worms => Topic started by: DoobieBrosFan on March 31, 2010, 04:45:28 PM

Title: Can I trust novirusthanks.org ? [YES] (Hijack Hunter v1.4.0 seems infected)
Post by: DoobieBrosFan on March 31, 2010, 04:45:28 PM
Hi,

In this forum I noticed the frequently mentioned site novirusthanks.org. They offer a product called 'Hijack Hunter' (hXXp://www.novirusthanks.org/products/hijack-hunter/). I downloaded the Hijack Hunter v1.4.0 binary 'hijackhunter_setup.exe' and sent it to virustotal.com - you never know ...

Result:
  (http://www.virustotal.com/de/analisis/a8278366052a95947c9c83a8ea3edbbe7e97b8f34f27d784e607c12812f3130d-1270019047)
  Symantec   20091.2.0.41   2010.03.31    Suspicious.Insight

A search on Google (hijackhunter_setup.exe infected) found one interesting entry (http://www.giveawayoftheday.com/forums/topic/6940), but I can't read the Italian language. I only understood:

  Hijack Hunter v1.2.0
  Status: INFECTED
  Dr.Web - DLOADER.Trojan

What do you think about this?


[Music is a Doctor, 1989]
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: Altarir. on March 31, 2010, 06:17:00 PM
Regarding novirusthanks.org: http://www.mywot.com/en/scorecard/novirusthanks.org
I'd say it can be trusted.

Regarding the file, it may be a false positive by Symantec.

I sent the file to camas.comodo.com. Link to analysis: http://camas.comodo.com/cgi-bin/submit?file=a8278366052a95947c9c83a8ea3edbbe7e97b8f34f27d784e607c12812f3130d

Doesn't seem it does anything malicious... not sure, though, it says "undetected". That's weird.

Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: DavidR on March 31, 2010, 07:13:16 PM
The detection in VT by Symantec uses heuristics that are more prone to false positives; if that is the only one of 42 scanners making the detection, then it is more likely to be an FP.
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: polonus on March 31, 2010, 09:27:39 PM
Hi DoobieBrosFan,

Here they give it clean: http://safeweb.norton.com/report/show?url=%2Fwww.novirusthanks.org%2Fproducts%2Fhijack-hunter&x=13&y=8
Same Symantec boys give it a clean slate, very likely it is a generic False Positive....
Look here: http://jsunpack.jeek.org/dec/go?report=1cdb67a089eed849a152f8d166b4dce25c5c1726
As clean as a baby's b*ttock in the moonshine,

polonus
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: DoobieBrosFan on March 31, 2010, 10:53:36 PM
@polonus

thanks for checking.

As I understand, 'Here they give it clean:' states the site to be clean - not the downloaded file itself. As mentioned: no single AV discovers 100% of malware. Norton is one of many.

'Look here:' (good stuff though): if I get it right, jsunpack.jeek.org checks JavaScripts. But what if the malicious code is in the binary itself (i.e. hijackhunter_setup.exe)?


@DavidR,

Thank You,

but this does not really calm me.

If someone tries to spread malware - offering a diagnostic tool might be a good way. The idea, that many people, who are looking for help in their crisis blindly trust a (this) tool and this way might catch the next worm or bot, scares me  ...

So I decided to give both - novirusthanks.org and Symantec - a chance to explain about the dissidence. I will write an e-Mail to both of them tomorrow. And report about the result here.

In the meantime - if someone else has an idea ... I'm looking forward to it.

Thanks to all so far.

DoobieBrosFan
[What a Fool believes, 1978]

Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: DavidR on March 31, 2010, 11:16:39 PM
You're welcome, happy hunting ;D
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: polonus on March 31, 2010, 11:35:38 PM
Hi DoobieBrosFan,

That is the right attitude, do not trust anything at face value and go to the bottom of the issue. I expect you come back to this thread if you have cleared this. Well I know Germans are known for their "deutsche Gründlichkeit". On the other hand I have read quite a bit about this "suspicious.Insight" flag and it is really a generic find and can stand for a load of suspicious code characterized by this detection pattern, could be the particular way the software has been packed that is flagged. The online DrWeb url scanner gives it all clean for me.
It could well be that a particular external download site for the software has malcode on or has been hacked to redirect to malicious software and so spreads this, but I would only download from the makers of particular software, and check it before download. My hunch is still a False Positive, but surprise me...
Well anxious to hear what you finally will find,

Schönen Gruß,

Damian

P.S. Update the code to WepaWet Wien: http://wepawet.iseclab.org/  They are off for maintenance until 2/4 but then you will get the results from their Austrian Uni Labs, or go here: http://anubis.iseclab.org/
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: rob_ on April 01, 2010, 02:11:22 AM
Hi DoobieBrosFan,

Hijack Hunter is totally clean and the Suspicious.Insight of Symantec AV is a false positive; you can read more about Suspicious.Insight from these links from Symantec: link (http://www.symantec.com/connect/blogs/reputation-based-security-suspiciousinsight-detections-virus-total) / link (http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99). Basically, Suspicious.Insight can display a warning whenever you try to run an unknown application (from the Symantec Community) on your PC, and it can easily generate warnings on "not yet known software".

If you have other questions do not hesitate to ask ;)

Regards,

 Robert
 NoVirusThanks.org
Title: Re: Can I trust novirusthanks.org ? (Hijack Hunter v1.4.0 seems infected)
Post by: DoobieBrosFan on April 01, 2010, 10:38:10 AM
@Robert

Thank You very much for clarifying.

Reading the Symantec description supplied by your link about Suspicious.Insight turns my doubt towards zero.

Quote from Symantec's site regarding Suspicious.Insight:

... When detections of this type are triggered in Norton products the user may be warned that the application is unproven, thus allowing the user to make the final decision ..
... The warning typically indicates that the file has very few users or is very new, and therefore has not developed a reputation.
... Symantec recommends software publishers ... Digitally sign all software application binaries.
...Software developers who want to accelerate the reputation building process for their new software applications should submit new applications to the Symantec white-listing program.

Quote end

So I learned: before posting to this forum, I should have checked Symantec's site for information about Suspicious.Insight. This would have been the easier / time saving way ...

Advantage for 'Hijack Hunter' from NoVirusThanks.org: Now it has a better reputation  ;)

Finally I can devote to my original problem (my first post), the USB Memory Stick, which is probably corrupted. The OS wants to format it on each access. First I will install and run 'Hijack Hunter' to inspire my system. By the way, Robert: Many thanks to NoVirusThanks.org for providing such a powerful tool - for free.

@All
Thanks and have a nice time.

Regards,

DoobieBrosFan
[Spirit, 1974]
Title: Re: Can I trust novirusthanks.org ? [YES] (Hijack Hunter v1.4.0 seems infected)
Post by: 13thSlayer on April 01, 2010, 12:20:20 PM
Doesn't seem to be dangerous. TE report:
http://www.threatexpert.com/report.aspx?md5=35bbbc16d99beb7a1d0cc916692e33bf
Title: Re: Can I trust novirusthanks.org ? [YES] (Hijack Hunter v1.4.0 seems infected)
Post by: polonus on April 01, 2010, 01:23:35 PM
Hi malware fighters,

@rob_
Thank you for coming here to clarify Hijack Hunter's position. I hope lots of users will "discover" the valuable services of novirusthanks.org thanks to this thread.
In a time where websites will get infected every 3.6 secs, we cannot stress this enough.
I know a lot of avast users will share our experiences with "Hijack Hunter".
@DoobieBrosFan, again thanks for posting,

polonus
Title: Re: Can I trust novirusthanks.org ? [YES] (Hijack Hunter v1.4.0 seems infected)
Post by: DoobieBrosFan on April 01, 2010, 02:08:46 PM
Thanks also to you, 13thSlayer, for your verification. Interesting site.

@Polonus
You are welcome. I'm glad a serious forum like this one exists, congratulations. There are plenty of others with little depth.

My doubt has finally dropped to zero. I trust NoVirusThanks.org and its 'Hijack Hunter' by now (see modified topic headline).

Regards
DoobieBrosFan
[Takin´ It To The Streets, 1976]
Title: Re: Can I trust novirusthanks.org ? [YES] (Hijack Hunter v1.4.0 seems infected)
Post by: rob_ on April 06, 2010, 11:23:57 AM
DoobieBrosFan, no problem, thank you for using our program, and polonus, thank you for your feedback :)