Avast WEBforum

Other => Viruses and worms => Topic started by: Rappaping on July 06, 2011, 07:52:02 AM

Title: Malware or false positive?
Post by: Rappaping on July 06, 2011, 07:52:02 AM
Dear staff,
First of all, compliments for the fine avast antivirus free, the most complete of all free antiviruses.
Now, I've got a question about a little program I've downloaded. You can find it here:
http://www.mediafire.com/?tjz4uljz2vn
This program is a patch for Acer Launch Manager written by a certain Morris, as he himself describes in his blog at this web page:
http://www.theacerguy.com/2009/05/aspire-5920g-launch-manager-patch/
The original Acer program has a "bug" that doesn't let the program recognize a button (the Bluetooth button) of the laptop, so that button can't be used.
To fix this bug (and to add some other features), the patch needs to make many changes to the system, so that Avast Antivirus Free recognizes the program as "Win32:Malware-gen". Also, I've scanned the file with McAfee antivirus and it doesn't detect any malware.
My question is:
is this Morris' Launch Manager safe (in this case Avast's alert would be a false positive, detected, I think, with the heuristic method and caused by the changes that the patch would make in the system) or is it real malware?
Thank you very much.
Best regards.
Title: Re: Malware or false positive?
Post by: Pondus on July 06, 2011, 08:02:12 AM
Well, it is not only avast! that does not like it

VirusTotal - Morris' Launch Manager V11.0 x86+64-bit.exe - 29/43
http://www.virustotal.com/file-scan/report.html?id=f25873d7db340fa0618c7390527746515f2ea08aae341ab8598c3687eeb7514f-1309931650
Title: Re: Malware or false positive?
Post by: Rappaping on July 06, 2011, 01:06:56 PM
It is not a sufficient reason to say it's malware. The patch, in fact, acts deeply in the system files, so it could be possible (if not probable) that it is recognized as malware but isn't.
When a file scanned with an antivirus heuristic method is marked as malware, it will be deeply analyzed by the antivirus programmers' team to understand if it is real malware or not, so that they will update the heuristic algorithm and implement it in the next release of the antivirus program: in this way, AV programmers decrease the number of false-positive results, hence improving the product.
So, I'm asking some moderator to know if my file is real malware or not.
However, any other kind of comment by forum's users is well appreciated (thank you Pondus for your very useful comment!).
Best regards.
Title: Re: Malware or false positive?
Post by: Altarir. on July 06, 2011, 02:02:42 PM
Threatexpert doesn't like it either -> http://www.threatexpert.com/report.aspx?md5=174696be651a15cad2d2b4757f873970
Title: Re: Malware or false positive?
Post by: DavidR on July 06, 2011, 02:44:24 PM
@ Rappaping
I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file.

With such a high number of scanners finding this at the very least suspicious, I would be in no rush to use it. I would however be checking out Acer; surely they themselves have released this patch officially on the Acer website (since the blog article is over two years old)?

Not the unofficial Acer blog, by someone on the inside, as they say it isn't UAC friendly and all of that is going to get many AVs twitching from all of these changes. So I rather doubt they are going to change their signatures based on what it does to the system being very much like malware activity. The problem is one of intent: an AV has no way of knowing if these modifications are for good or evil purposes.

So the decision and acceptance of risk would have to be yours.
Title: Re: Malware or false positive?
Post by: polonus on July 06, 2011, 02:56:19 PM
Hi Rappaping and DavidR,

The main concern here is the presence of x32.exe, Application Layer Gateway Service, which is looked upon as undesirable to say the least here: http://www.bleepingcomputer.com/startups/x32.exe-24090.html
x32.exe is considered to be a spyware trojan
So as DavidR says I would reconsider using the executable. Did you analyze the file through FileAlyzer and how was the file certified?

polonus
Title: Re: Malware or false positive?
Post by: Rappaping on July 06, 2011, 06:21:15 PM
Thank you all for your help!

To David:
"I sympathise with your dilemma, but you appear to have made your mind up already, so I wonder why you bothered to ask about the file."

I haven't made my mind up yet, because if I had, I'd have installed the patch on my system, but I've not.

"Not the unofficial Acer Blog, by someone on the inside, as they say it isn't UAC friendly"

I've looked for an official patch already, but there isn't, so the unofficial patch would be very useful for me.
UAC-unfriendly is not a synonym for malware.

"I rather doubt they are going to change their signatures based on what it does to system being VERY MUCH LIKE malware activity. The problem is one of intent, an AV has no way of knowing if these modifications are for good or evil purposes."

Actually, I don't understand you when you say "VERY MUCH LIKE malware activities", because malware is, substantially, a program that offers an unauthorized service to itself (a worm, for example) or to an unauthorized person (backdoors give remote access, spyware collects and sends private data, etc.), so a program is malware or it is not! The only kind of "VERY MUCH LIKE malware activity" I can think of is an easily exploitable program (for example because it was badly coded), but that is not my interest in this topic. Also, when an antivirus finds malware with the heuristic method, the only way to know if it is real malware or a false positive is to analyze the program's activity to understand what it really does. It is an important job for AV software houses, because if the program is a false positive, they can understand where the algorithms used to detect the file are wrong and then they can improve them, so that false-positive detection will improve. At last, it is very important for a software house to improve false-positive detection by its antivirus, for two main reasons:
1) false-positive programs are safe and probably useful programs that can't be used because they are labelled (by the AV) as malicious software
2) antivirus software testers tend to rate products also considering false-positive detection (you can see "Antivirus Comparatives Summary Report 2010", section D "False Positives winners" in the PDF at http://www.av-comparatives.org/comparativesreviews/summary-reports ): of course it is in the interest of software houses to reach the best possible rate in those tests.

What I asked for in this topic, is to know if my patch contains REAL malicious software.
Altarir (thank you very much!) offered us great help, because he scanned every single file from the archive, so we now know which are safe files and which COULD BE malicious.
Polonus (thank you too!) has confirmed that x32.exe IS malware.

Now, I think I'd have to
1) look for the other suspicious files reports in internet to confirm or deny that they are malicious
2) delete confirmed malicious files from the archive
Then, it would become much more reasonable to try installing the patch, even though an analysis by Avast programmers of the files I couldn't confirm or deny would be the best.

Note that not all VirusTotal antiviruses have detected malware and that some of them are very good AV programs with a (BETTER THAN OTHERS?) heuristic virus scanning feature implemented in the AV engine.
Best regards
Title: Re: Malware or false positive?
Post by: polonus on July 06, 2011, 07:00:43 PM
Hi Rappaping,

What I should do is to load up the file to Anubis http://anubis.iseclab.org/ and report the analysis report url back here.
Now going over the whole discussion in your thread your final evaluation turns around the point: "Is this a risktool with malware-like aspects, but created by a developer with the best of intentions for it to be a desirable genuine software solution or is it a genuine looking software solution created to pose as such but with hidden malicious intent?"

If it was your intention to install this and you were aware of the risks and vulnerabilities involved, you could classify the whole issue as: "Is this a PUP or not?"
A piece of software that is also being qualified as heuristic malware because of the way it behaves.

While malcreants and genuine software developers alike use the same methods for their creations, like similar genuine protection methods and, in the case of malcreants, stolen software certificates, it is rather difficult to rubber-stamp it for what it really is.

An official statement by Acer that this third-party software is harmless and free of malcode would help you enormously here.

On the other hand we should all applaud a user here in the forums that goes to such lengths as to establish that the inevitable software fixes he needs are secure enough to use.
Reassuring was this scan: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.mediafire.com%2F%3Ftjz4uljz2vn

And this one: Checking: -http://connect.facebook.net/en_US/all.js#xfbml=1

I will be waiting for that Anubis report link; I will gladly evaluate that for you as best I can, if you like?

polonus
Title: Re: Malware or false positive?
Post by: Rappaping on July 06, 2011, 10:01:32 PM
Without doubt I'd like that, Polonus!

Also, you really understood all I've written.
Title: Re: Malware or false positive?
Post by: Pondus on July 06, 2011, 10:35:13 PM
I uploaded the file (Morris' Launch Manager V11.0 x86+64-bit.exe) to the NORMAN lab as a false positive case since it was detected in the VT

and I can now see it in the list of confirmed False Positives
Title: Re: Malware or false positive?
Post by: polonus on July 06, 2011, 10:53:11 PM
Hi Pondus,

I think that Rappaping will be glad to hear this. As the Anubis report will come in later, because at this moment it is again as slow as molasses, it could well be that at the end of the day avast only detects this in PUP mode, but that is for them to decide. But the NORMAN lab results show that my first hunch and feeling about this, as I explained to Rappaping, was right: "Suspicious at first glance, but genuine under the hood when tested",

polonus
Title: Re: Malware or false positive?
Post by: Pondus on July 06, 2011, 10:57:13 PM
From NORMAN lab

Quote
Hi,

Since the file submitted is a false-positive our senior researcher confirmed it and removed that detection from our database.

The legit file was detected in the first case due to a heuristic detection in our engine. We have made necessary changes to rectify the same.

Thanks,
GD.
Title: Re: Malware or false positive?
Post by: Rappaping on July 07, 2011, 04:28:02 PM
Hi guys!
Can we trust Norman senior researchers? I don't know. If yes, is the bleepingcomputer report an error because the file is a false positive, or is it another file with the same name as ours (x32.exe)?
Polonus, have you been notified by Anubis?
P.S.: I've opened the urlquery link with Firefox with the NoScript add-on active, avast antivirus and McAfee Security Center active, but without any sandbox. Must I be worried?
Title: Re: Malware or false positive?
Post by: polonus on July 07, 2011, 05:44:34 PM
Hi Rappaping,

I will give you the results as soon as they come in. With NoScript active in Fx and nothing specifically downloaded from that link, I would not worry about visiting that link at urlquery dot net. As long as you do not doubleclick or open things inside other software or download you will be OK.

What we have to look for in the first place is the functionality of that launch manager, and therefore I have based my evaluation on what we find in the ThreatExpert report that Altarir provided for us in the thread above.
1. Packer: nothing out of the ordinary: UPX

Now another scan to check against...
http://file.virscan.org/report/c877d2a75a5c33981b2820897f00fac5.html
latest results: http://file.virscan.org/report/8f84e6046e0273f9b8d06186e02eaeaa.html

2. We also have this Dialer DNS Changer functionality to consider.
Rappaping, will you please check this for us:
1) Start > Run > type in CMD and press Enter
2) At the command prompt, type IPCONFIG /ALL and press Enter
3) You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something along those lines.
4) Find the DNS Server section and double-check the numbers.
Give them to us attached...
3. What was further found at the analysis: characteristics of a security risk, not necessarily that it actually is such, I mean having trojan- and bot-like behaviour, that is, it will be executing unknown programs, like those 3 mentioned below...
4. "bluetoothcfg.exe", interface,
5. then "hidden start", and that hstart.exe was only found a threat in 6 percent of cases; it is used to run console applications and batch files, not worth another thought then,
6. and finally "nircmdc.exe", found as malicious in win32,agent; for an evaluation of this executable see: http://www.threatexpert.com/files/nircmdc.exe.html, the number of incidents where it was found to be a threat is zero, so forget about that one too.

Overall personal conclusion -

Depending on the results of the above additional check, my overall personal verdict would be: "risktool" or "possibly unwanted program", unless self-installed knowingly and intentionally by the owner of the computer,

polonus
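The DNS-server check polonus asks for above is a before/after comparison, so it is easy to automate. The parser below is an added example and not from this thread or from any of the tools named in it; it assumes a constructed sample of `ipconfig /all` output and a constructed list of trusted resolvers (the router recorded before the install), and reports every adapter whose DNS servers are not on that list.

```python
import re

# In "ipconfig /all" output, adapter headers start at column 0 and end with
# ":", key/value lines are indented a few spaces and padded with ". . . :",
# and extra DNS servers appear as deeply indented continuation lines.
ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
KEY_RE = re.compile(r"^\s{1,4}(\S.*?)[ .]* :\s*(.*)$")
CONT_RE = re.compile(r"^\s{8,}(\S.*?)\s*$")


def parse_dns_servers(ipconfig_output):
    """Return {adapter name: [DNS server, ...]} from ipconfig /all text."""
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_output.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1).strip()
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_dns = adapter is not None and key.lower() == "dns servers"
            if in_dns and value:
                servers[adapter].append(value)
            continue
        m = CONT_RE.match(line)
        if m and in_dns:
            servers[adapter].append(m.group(1))  # second, third... resolver
            continue
        in_dns = False  # a blank or unrecognised line ends the DNS block
    return servers


def unexpected_resolvers(ipconfig_output, trusted):
    """List (adapter, server) pairs whose DNS server is not in the trusted set."""
    trusted = {s.lower() for s in trusted}
    findings = []
    for adapter, addrs in parse_dns_servers(ipconfig_output).items():
        for addr in addrs:
            if addr.lower() not in trusted:
                findings.append((adapter, addr))
    return findings


# Constructed sample output; not captured from a real machine. The second
# adapter carries an extra resolver (documentation-range address) to detect.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Baseline recorded before the install (constructed): only the home router.
TRUSTED_RESOLVERS = {"192.168.1.1"}

if __name__ == "__main__":
    for adapter, addr in unexpected_resolvers(SAMPLE, TRUSTED_RESOLVERS):
        print(f"{adapter}: unexpected DNS server {addr}")
```

Run it once with the output saved before the install and once with the output saved after; any new pair in the result is the change polonus wants to see.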
Title: Re: Malware or false positive?
Post by: polonus on July 07, 2011, 09:07:59 PM
Now we have to consider this report and the Wepawet scan of the link

-http://www.mediafire.com/?tjz4uljz2vn Rappaping gave, suspicious see:
http://wepawet.iseclab.org/view.php?hash=e72370fb8669182fe5310fb7d5f5de20&t=1310063241&type=js
Site ridden with sometimes dubious ad-trackers:

Various 0-0-0 hidden iFrames there, this one -http://cdn5.tribalfusion.com/media/common/pop/pop-11.js reminiscent of data requested from a remote server of the Virut file infector and an Adware keygen; similar -http://trgca.opt.fimserve.com/ code (requested by Virut)

This is a bad request for a Fake-AV -http://audit.303br.net?anId=20&advId=1925&pubId=3346&campId=9685&vURL= (dead)

Link to malware domain -http://tracking.batanga.com/  adtracker
also CollectiveMedia.createAndAttachAd adtracker

code from -http://ad.turn.com Adtracking servers Security Benign

-UNDERDOGMEDIA Medium Rectangle MediaFire.com IFrame ADCODE START (bad WOT status)

polonus

Title: Re: Malware or false positive?
Post by: Rappaping on July 07, 2011, 09:59:51 PM
"We also have this Dialer DNS Changer fuctionality to consider."
What dialer DNS changer functionality?

Also:
http://www.threatexpert.com/files/nircmd.exe.html , threat in 60% of cases
Title: Re: Malware or false positive?
Post by: Rappaping on July 07, 2011, 10:03:43 PM
I've posted VirusTotal result to Morris Lee. Now I'm waiting for his answer.
Title: Re: Malware or false positive?
Post by: polonus on July 07, 2011, 11:04:34 PM
Hi Rappaping,

That is why I asked you to do that specific check after you installed the questionable launcher to establish if that launcher has DNS Changing functionality, like with a malcode dialer, and alters DNS server numbers in your configuration after install.

See also here: http://whatisprocess.com/x32-exe/1172/  67% will rate it as DANGEROUS

This gives us some insight into what we have to consider with this software before we can eventually give it the all clear. All intriguing considerations. Also my special thanks go out to forum friend Pondus, for all his assistance and perseverance to clear this issue; and Altarir for giving the ThreatExpert report, very helpful indeed. We all learn a lot during this process, good you presented it to us,

polonus
Title: Re: Malware or false positive?
Post by: Rappaping on July 08, 2011, 04:43:06 PM
Sorry polonus, but I haven't installed the patch and I will not before I know it's safe.
However, it would be useful to launch the patch in a sandbox like BufferZone to see which system files are virtualized after the installation and if the patch fully works inside the virtual zone (a virtual zone that can't communicate with system files outside of itself).

Another idea is to monitor the installation of the patch with a program like InCtrl5 to see which files the installation modifies/creates in the system.

I've formatted my laptop a few years ago and these days I can't risk compromising my system with malware.
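The InCtrl5-style install monitoring described above (snapshot the file system, run the installer, snapshot again, diff) can be reproduced with a few lines of Python. This is an added example, not code from the thread or from InCtrl5; it covers files only (not the registry) and, since nothing is really installed here, `demo()` stages a constructed directory tree and a constructed "install" in a temporary folder to show what the diff looks like.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            snap[rel] = digest.hexdigest()
    return snap


def diff_snapshots(before, after):
    """Classify paths as created, modified or deleted between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def _write(root, rel, data):
    """Helper: create rel (posix-style) under root with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed stand-in for an installer run inside a throwaway tree."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "before" state: a mock program folder and system dir.
        _write(root, "Program Files/LaunchManager/LManager.exe", b"original build")
        _write(root, "Program Files/LaunchManager/readme.txt", b"v1")
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        before = snapshot(root)

        # Constructed "install": the patch replaces the main binary, drops a
        # helper into the system directory and removes the old readme.
        _write(root, "Program Files/LaunchManager/LManager.exe", b"patched build")
        _write(root, "Windows/System32/lm_helper.exe", b"new helper")
        os.remove(os.path.join(root, "Program Files", "LaunchManager", "readme.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

For a real run, call `snapshot()` on the directories of interest before and after the installer and pass the two results to `diff_snapshots()`; every path it lists is one to look up, as was done for the files in this thread.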
Title: Re: Malware or false positive?
Post by: Pondus on July 08, 2011, 07:18:44 PM
Quote
Hi guys!
Can we trust Norman senior researchers? I don't know
why not....  ???

maybe this will help...


SOPHOS lab
Quote
Thank you for your submission. Here is the result of the analysis:
Morris_ Launch Manager~.0 x~.exe - clean and you are free to authorize
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()

All the other files are free from virus.


Avira lab
Quote
Thank you for your email to Avira's virus lab.
Tracking number: INC00777947.

A listing of files alongside their results can be found below:

File ID    Filename                    Size (Byte)  Result
26211609   Morris' Launch Ma...it.exe  738.5 KB     CLEAN
26211946   nircmdc.exe                 36 KB        FALSE POSITIVE
26211947   nircmd.exe                  36.5 KB      FALSE POSITIVE
26211948   hstart.exe                  16.5 KB      FALSE POSITIVE


Title: Re: Malware or false positive?
Post by: polonus on July 08, 2011, 07:48:06 PM
What Pondus finds here is supported by what we read here about similar generic finds and false positives: http://lupo.forumactif.net/t13-virus-detected
More in depth about hstart.exe read here: http://www.ntwind.com/software/utilities/hstart.html
and as Rappaping stated you will see UAC confirmation dialogs for this small,
only DrWeb finds this FP -> http://www.ntwind.com/download/hstart.zip/hstart.exe contains a potentially dangerous software Program.HiddenStart. The detection is because this program can be used to run programs without your knowledge, that is all.
nircmd.exe is also flagged by many anti-malware programs as part of ComboFix, USB-disinfector, etc. etc., but this is due to their using very aggressive heuristics. And this is all that Pondus here backed up by getting these reports. At first glance the tool is considered a pest because these very aggressive heuristic scanners pick something up that resembles real malware functionality.
And for nircmd.exe we had this FP discussion before here: http://forum.avast.com/index.php?topic=34916.0

pol
Title: Re: Malware or false positive?
Post by: Rappaping on July 08, 2011, 07:57:04 PM
nircmd.ex0 - detected as NirCmd ()
nircmdc.ex0 - detected as NirCmd ()

As you can read @ http://www.nirsoft.net/utils/nircmd2.html :
"NirCmd is a small command-line utility that allows you to do some useful tasks without displaying any user interface. By running NirCmd with simple command-line option, you can write and delete values and keys in the Registry, write values into INI file, DIAL TO YOUR INTERNET ACCOUNT OR CONNECT TO A VPN NETWORK (!!!), restart windows or shut down the computer, create shortcut to a file, change the created/modified date of a file, change your display settings, turn off your monitor, open the door of your CD-ROM drive, and more..."
Could the patch use NirCmd to connect to an undesirable host? Or (according to what polonus said: "this program can be used to run programs without your knowledge"), can hstart.exe do a similar job?

P.S.: I'm more and more thinking of installing the patch, at last.
Title: Re: Malware or false positive?
Post by: polonus on July 08, 2011, 09:19:27 PM
Hi Rappaping,

What have we been investigating so far and to which conclusions has this investigation led us? We have been thoroughly investigating this tool with respect to its being malicious or suspicious, and this also for everything in there. I have reached the conclusion that this tool is neither suspicious nor malicious and does not contain any malcode. Pondus has supported this through his investigations.

The functionality and the use of it should qualify this to be marked "riskware" for those first-time users that are not familiar with the use of it and whenever it comes installed onto their computers without prior knowledge or consent of the user.

There is a lot of reputable software that matches the same characteristics as the one described in this thread. We mentioned some. For that group of files I would like that av solutions, that really use aggressive generic methods in their scans, will come to use a "whitelist" of tools and programs that would else be classified as FP or PUP, and now only are qualified as risktool.

Therefore the developer of such tools and software should sign their software accordingly to make it stand apart from malware clones or malicious counterparts, that normally cannot have these signatures. I think you could install now, I think this thread has shown it is free of malware,

polonus

Title: Re: Malware or false positive?
Post by: Pondus on July 08, 2011, 09:45:22 PM
Quote
I think this thread has shown it is free of malware,
Yepp, I think that is very clear now
Title: Re: Malware or false positive?
Post by: Rappaping on July 08, 2011, 10:52:20 PM
So, my starting doubts about the false-positive response of Avast AV about this patch seem to have been confirmed. We have three AV software houses that state the patch is safe and a good evidence (probability) that MANY OF (not all) the files tagged as "malware" are safe too.
I will install the patch!
However, it is a program that doesn't need Internet access: I will tell you (if you want) if my firewall detects any Internet access request from any file of the patch.
Thank you Pondus.
Thank you Polonus.
Thank you all.
It was a very nice conversation.
Title: Re: Malware or false positive?
Post by: polonus on July 08, 2011, 11:09:25 PM
Hi Rappaping,

You are welcome. We would like to thank you as well for asking us all the inevitable appropriate questions that made these investigations really worthwhile. I hope a lot of users may find this thread and the conversation therein useful. I enjoyed the conversation as much as you did, and I also think Pondus will feel likewise.
If while using the software other questions pop up, do not hesitate to come here again and we'll see what we can do,

polonus