Author Topic: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??

Offline Acco

  • Jr. Member
  • **
  • Posts: 28
  • Where's my flask?!
Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« on: October 19, 2007, 06:54:52 AM »
Relying on the relative download safety of www.Download.com, I downloaded a utility program (File Renamer Basic 4.0.3) at the following page:

http://www.download.com/File-Renamer-Basic/3000-2248_4-10703208.html

and installed it a few days ago. Avast did not alert on it at that time. Now Avast reports the downloaded file (filerenamerbasic.exe) to be a "Win32:Trojan-gen {VC}". I also tried downloading the file from its creator, at:

http://www.sherrodcomputers.net/downloads/FileRenamerBasic.exe , but Avast also immediately alerted to this malware/trojan upon the download attempt.

I ran this file through Jotti and VirusTotal, and they show only Avast and "TheHacker" A/V identifying this file as a trojan. None of the 30+ other A/V or malware detection programs appear to alert on this file.

PS: Although the program has high user ratings on Download.com, I discovered the following user review, buried a few pages back in the user reviews. Does this user info hold merit (?) or is the Avast alert on this file a false positive??

  User Review:  POTENTIALLY DANGEROUS INSTALLATION!
  by: Deep Loner on 29-Jul-2007 12:44:04 PM
Cons: Use a program to monitor how the install program writes to the registry to see what I mean. File Renamer modifies the operating system to use its own custom versions of several .dll and .ocx system files, including Comdlg32.ocx, mscomctl.ocx, MSCOMCT2.ocx, Msvbvm60.dll, MSWINSCK.ocx, RICHTX32.ocx, vbscript.dll, and TABCTL32.ocx. At best, some programs will have compatibility problems or stop working, especially after File Renamer is uninstalled. At worst, no software that forces other programs to use its own versions of such critical system files can possibly be trusted to be safe.

Thanks in advance,
Acco
Whadayamean it's broke,,,   let me make sure!

XP-Pro SP3 - P4 3.2 Ghz - 2 GB ram - Avast Free Home 2015.10.2.2218 - Firefox 38.0.1 - Thunderbird 31.6.0 - Imap Gmail - SpywareBlaster 5 - SuperAntiSpyware - Malwarebytes Anti-Malware Premium

Spiritsongs

  • Guest
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #1 on: October 19, 2007, 08:12:08 AM »
:)  Hi :

I feel a better "2nd Opinion" would be a trustworthy antiSPYWARE/antiTROJAN program, like: 1) AVG AntiSpyware, most easily downloaded from www.ewido.net AND/OR 2) the FREE version of SUPERAntiSpyware from www.superantispyware.com ; do you have any such programs on your computer?

"High User Ratings" are worthless; and if at all possible, I AVOID using download.com. As you subsequently did, it is ALWAYS BEST to download from the Author's Site, usually.

I have never heard of this program; WHY would you want it on your computer?

Acco
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #2 on: October 19, 2007, 04:07:45 PM »
Hi S/S,  ;D

I ran freshly updated SUPERAntiSpyware, and it came out clean. I also plan to install and run Webroot SpySweeper, (from my older computer), once I locate my product key.

I'm definitely not the type to simply download various programs at the drop of a hat because they "look cool/neat". I have very few programs on this computer and all the rest are "standards" and well known.

I downloaded this file renaming utility because it would be very useful to me, because I transfer scores or even hundreds of digital photos (.jpg's) to my computer from my digital camera and also some audio inputs, all of which upload the files to my 'puter with file naming as "Image0001, Image0002, Image0003, etc, etc...".
I was in need of a utility with a simple and easy user interface in which to batch rename a variety of files, batch convert extensions into lower case (.JPG to .jpg), and also have full control over amending and customizing file names with the useful tools in this program such as "replace ___ text with ___", and remove/add __ characters from start or end of file name, along with automatic renumbering.

But I'm not tech savvy enough to know that "if" this program uses altered .dll's and active-X files, is it due to honest program usability, or something more sinister. ??? In any case, Avast alerted on the installation .exe (although it passed the majority of other A/V programs), and that raises my concern.

whatchathink?,
Acco


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89686
  • No support PMs thanks
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #3 on: October 19, 2007, 04:16:29 PM »
Well, DrWeb Link Checker doesn't find anything, though I wasn't too surprised at that considering you used VirusTotal; the packing method may have also played a part.

DrWeb reports it at 5333.7K, which seems a rather large application size for what is a file renamer (?)

The review you posted would have concerned me much more than the possible detection, and I wouldn't have downloaded it to start with.

As AV signature files are updated you might well find something that hadn't been picked up is now detected. You were correct to check it out at VT and Jotti, but I would have reservations about using this even if it were confirmed as a false positive.

If you are getting a virus warning that you believe is a false positive, then if you can, zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces), or send it from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email and false positive in the subject. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

If it is indeed a false positive and you decide even with the reservations about the program you want to keep it, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

Restore it to its original location and periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected you can also remove it from the Standard Shield and Program Settings exclusions.

You could check the dll files, etc. you quoted from the review using Windows Explorer: check their properties and see if the "date modified" field corresponds with your installation date.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Acco
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #4 on: October 19, 2007, 05:05:10 PM »
Thanks for the reply DavidR. ;)

Yes, I agree that 5MB for a utility program of this type does seem somewhat "heavy".
In the past, I've used 2 other renaming utilities that were both under 1200kb, but their user interface, as well as their full capabilities, were much simpler. I figured that due to the extra "bells and whistles" of this program it would naturally be larger in size, but still agree that 5MB is significantly (needlessly?) larger.

Before downloading, I checked 2 full pages of "user reviews" and all said "great utility program, very useful, etc, etc". I don't put much credit in user reviews, but do use them as a form of guideline or reference, as many users don't know what programs they download might possibly contain malware anyway. (maybe like me  ;) )
Later I discovered the "bad" user review, but it was way at the end of page 3.

I re-checked the supposedly "modified" dll's and ocx's, and it "appears" that the program may be just using older versions of Microsoft's dll files, as for instance, File Renamer's vbscript.dll shows v5.6.0.7426 modified date of Feb 26, 2002 while my original system32's vbscript.dll shows v5.7.0.5730 modified date of Nov 07, 2006.
This makes me think the negative user reviewer might not know what he is talking about and is jumping to false conclusions. (?)

I'll try to get it emailed in to Avast for a closer look.

...Acco

DavidR
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #5 on: October 19, 2007, 05:48:56 PM »
You're welcome.

If the program keeps its dll and ocx files in its program folder and not in the system folder/s (or they have a different name to the system ones) then it shouldn't have any impact on other applications.

Acco
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #6 on: October 19, 2007, 06:12:46 PM »
Quote from: DavidR on October 19, 2007, 05:48:56 PM
    You're welcome.

    If the program keeps its dll and ocx files in its program folder and not in the system folder/s (or they have a different name to the system ones) then it shouldn't have any impact on other applications.

Yes, I had forgotten to mention that these dll and ocx files are in File Renamer's own program folder, and there is no indication (so far) that any of the system's original dll and ocx files with the same name were ever replaced or modified in any way. They are still in the system32 folder, unaltered.
I agree, they should therefore have no impact on other applications. It now appears the negative reviewer of this program's install files jumped to false conclusions and "misinformation" from the way it looks.

Thanks for reminding me of the simple way to check these files, their version and modified dates. I hadn't thought of confirming them this simple way, until you mentioned it. Duh on my part. ;)

Thanks again,
Acco
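
The check DavidR suggested (compare the "date modified" of the named system files with the installation date) and the comparison Acco then made between the copies in the program folder and the originals in system32 can be scripted. The following is an added example written for this page; it is not code from the thread, from avast, or from the File Renamer product. It assumes Python 3.8+ and read access to both folders. It does not parse PE version resources; it compares file contents by SHA-256 and checks whether the system copy's modification time falls near the installation time. The sample files it builds in `demo()` are constructed for the demonstration and are not the real libraries.

```python
"""Audit a program's bundled .dll/.ocx files against the system directory.

Question from the thread: did the installer overwrite copies in system32,
or does it keep private copies in its own folder (which only affect that
program, because a DLL in the application directory is found before the
system copy for that process)?  Added example, not the product's own code.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

LIBRARY_SUFFIXES = {".dll", ".ocx"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_bundled_libraries(program_dir, system_dir, install_time,
                            window=timedelta(hours=2)):
    """Return one dict per .dll/.ocx in program_dir, each with a 'verdict':

    'private copy'      no file of that name exists in system_dir
    'untouched'         system copy differs and was not modified near install
    'possibly replaced' identical bytes OR modified near the install time
    'replaced'          identical bytes AND modified near the install time
    """
    report = []
    for bundled in sorted(Path(program_dir).iterdir()):
        if bundled.suffix.lower() not in LIBRARY_SUFFIXES:
            continue
        system_copy = Path(system_dir) / bundled.name
        entry = {"name": bundled.name, "bundled_sha256": sha256_of(bundled)}
        if not system_copy.is_file():
            entry["verdict"] = "private copy"
        else:
            same_bytes = entry["bundled_sha256"] == sha256_of(system_copy)
            mtime = datetime.fromtimestamp(system_copy.stat().st_mtime)
            near_install = abs(mtime - install_time) <= window
            entry["system_modified"] = mtime
            if same_bytes and near_install:
                entry["verdict"] = "replaced"
            elif same_bytes or near_install:
                entry["verdict"] = "possibly replaced"
            else:
                entry["verdict"] = "untouched"
        report.append(entry)
    return report


def demo():
    """Build a constructed sample (fake bytes, hypothetical dates) and audit it."""
    root = Path(tempfile.mkdtemp())
    program, system = root / "FileRenamer", root / "System32"
    program.mkdir()
    system.mkdir()
    install = datetime(2007, 10, 15, 12, 0, 0)  # assumed installation time

    def put(path, data, when):
        path.write_bytes(data)
        os.utime(path, (when.timestamp(), when.timestamp()))

    # vbscript.dll: program ships an older private build; system copy differs and is old
    put(program / "vbscript.dll", b"constructed vbscript 5.6", datetime(2002, 2, 26))
    put(system / "vbscript.dll", b"constructed vbscript 5.7", datetime(2006, 11, 7))
    # mscomctl.ocx: system copy is byte-identical and was written during the install
    put(program / "mscomctl.ocx", b"constructed mscomctl", install)
    put(system / "mscomctl.ocx", b"constructed mscomctl", install + timedelta(minutes=1))
    # richtx32.ocx: only in the program folder, so it cannot affect other applications
    put(program / "richtx32.ocx", b"constructed richtx32", install)
    return audit_bundled_libraries(program, system, install)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['name']:<14} {entry['verdict']}")
```

On a real XP machine the call would be `audit_bundled_libraries(r"C:\Program Files\File Renamer", r"C:\WINDOWS\system32", install_time)` with the install date taken from Add/Remove Programs or the program folder's creation time. Two caveats: an identical hash on its own can simply mean both files came from the same Microsoft redistributable, and an installer may drop a version into system32 that differs from the one in its own folder, which is why the modification-time test is kept as a separate signal. Hashes and times tell you whether a file was touched; the version numbers Acco read from the file properties tell you whether the replacement was a downgrade.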

DavidR
Re: Trojan (?) Win32:Trojan-gen {VC}, false positive or genuine??
« Reply #7 on: October 19, 2007, 08:12:54 PM »
No problem, it is often easy to overlook the obvious, file properties, etc. when the blood is up ;D

I trust you have sent a sample to avast and added the file to the exclusions as outlined above.