Author Topic: Real malware or just a false positive..  (Read 2085 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34063
  • malware fighter
Real malware or just a false positive..
« on: June 20, 2011, 08:08:39 PM »
Have had this file for ages (since June of 2006) and now on Vista. Did a scan with the latest version of DrWeb CureIt and that scanner found this executable, ewido_micro.exe, to be infected with Trojan.DownLoad2.8659...
Uploaded the file to Anubis, see results here: http://anubis.iseclab.org/?action=result&task_id=167596889528f9484bd706ce54cf5b989&format=html
Already submitted to VT:
MD5: e82b923d6d2ac34b611d2f410b159a7d
Date first seen: 2009-02-20 05:58:38 (UTC)
Date last seen: 2011-06-05 14:42:28 (UTC)
Detection ratio: 25/43
Re-analyzed at VT: http://www.virustotal.com/file-scan/report.html?id=921a5e8b7c4a53ad9e8d97295cdf9e7e3266abfe212edd825bc415128f0b4f57-1308591206
and at jotti's: http://virusscan.jotti.org/nl/scanresult/f567e85514c90b2531b65c389acc17bdc7c6c0c4
&
http://2.virscan.org/report/8ad53f5492f79bfab994e1393fa99ce1.html
&
http://www.filterbit.com/results.cgi?uid=uou2ypfz2ufeqpwmccf9mxyen1lml0g6

Is avast right not to detect it, or is this really malware/spyware?
MBAM and SAS find the file to be secure.
Here I get two flags: http://www.garyshood.com/virus/results.php?r=e82b923d6d2ac34b611d2f410b159a7d
F-Prot finds a security risk, and AntiVir reports:
ALERT: [TR/Dldr.Genome.ooc] ewido_micro.exe
Is the Trojan horse TR/Dldr.Genome.ooc

polonus
« Last Edit: June 20, 2011, 08:31:42 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Real malware or just a false positive..
« Reply #1 on: June 20, 2011, 10:09:40 PM »
Quote
MBAM and SAS find the file to be secure,
The reason why Malwarebytes does not detect it is probably... they want fresh samples, not older than 3 months,

and the VT scan here says: First seen: 2009-02-20 05:58:38

Offline polonus

Re: Real malware or just a false positive..
« Reply #2 on: June 20, 2011, 10:15:07 PM »
Hi Pondus,

I think I will remove the executable. I have also set my ZoneMap setting stricter via the Microsoft Fix It Center, e.g. "improve performance, safety and security" with the IE fix. As this was affected here, the fix restored the prevention of data export.

polonus
« Last Edit: June 21, 2011, 12:01:21 AM by polonus »

Offline Pondus

Re: Real malware or just a false positive..
« Reply #3 on: June 21, 2011, 09:59:17 AM »
Norman lab:

Quote
Yes, this file is malware and we are detecting it as 'W32/Suspicious_Gen2.MXNIU'.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2295
Re: Real malware or just a false positive..
« Reply #4 on: June 21, 2011, 01:40:27 PM »
Hello,
It looks like it is some old digitally signed file from "ewido networks GmbH & Co. KG" which belongs to "ewido anti-malware"; the certificate expired on 03/07/2007. I think it's clean.

Milos
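
Milos's identification rests on the Authenticode signature embedded in the file. As an added example (my code, not the forum's, Avast's or ewido's), the script below shows where that signature lives in a PE and how to pull it out: the security data directory (entry 4 of the optional header) holds a raw file offset, not an RVA, pointing at a WIN_CERTIFICATE structure that wraps a PKCS#7 SignedData blob in the overlay. It only locates and sanity-checks the blob. Whether the signature verifies, who signed it and when, and whether an expired signing certificate is still acceptable (normally yes when the signature carries a trusted timestamp countersignature, otherwise not) has to come from a real verifier such as `signtool verify /pa /v file.exe` or PowerShell's `Get-AuthenticodeSignature`. The minimal PE it builds for itself is constructed test data, not the ewido file.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the Authenticode entry
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002      # bCertificate is a PKCS#7 SignedData


def locate_authenticode(data):
    """Return a dict describing the embedded Authenticode blob, or None when the
    PE carries no security directory.  Raises ValueError on a malformed image.
    This only *finds* the signature; validating it (chain, expiry, timestamp)
    needs a real verifier such as signtool or Get-AuthenticodeSignature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva_count = struct.unpack_from("<I", data, count_off)[0]
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if rva_count <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    cert_off, cert_len = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_len == 0:
        return None
    # Unlike every other directory entry, this one is a raw file offset, not an
    # RVA: the signature lives in the overlay, outside any section.
    if cert_len < 8 or cert_off + cert_len > len(data):
        raise ValueError("security directory points outside the file")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if dw_length < 8 or dw_length > cert_len:
        raise ValueError("WIN_CERTIFICATE length is inconsistent with the directory")
    return {
        "offset": cert_off,
        "length": dw_length,
        "revision": revision,
        "type": cert_type,
        "is_pkcs7": revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "pkcs7": data[cert_off + 8:cert_off + dw_length],
    }


def build_minimal_pe(pkcs7=None):
    """Constructed PE32 skeleton for exercising the locator (not loadable):
    DOS header, PE signature, COFF header, optional header with 16 directories
    and no sections.  If pkcs7 is given it is appended as an overlay inside a
    WIN_CERTIFICATE and referenced from directory entry 4."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)          # 312
    overlay = b""
    if pkcs7 is not None:
        overlay = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                              WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        overlay += b"\0" * (-len(overlay) % 8)                 # entries are 8-byte aligned
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(overlay))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + overlay


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_minimal_pe(b"\x30\x82\x00\x10" + b"\x00" * 16)  # placeholder DER bytes
    info = locate_authenticode(image)
    if info is None:
        print("no Authenticode signature directory")
    else:
        print("WIN_CERTIFICATE at 0x%x, %d bytes, revision 0x%04x, type 0x%04x, pkcs7=%s"
              % (info["offset"], info["length"], info["revision"], info["type"], info["is_pkcs7"]))
```

Run it as `python locate_authenticode.py ewido_micro.exe` to see whether a signature directory is present at all; a file that has had its overlay stripped, or a repacked copy, will report none, which is itself a useful triage signal when the name and version resources still claim to be a signed vendor binary.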

Offline polonus

Re: Real malware or just a false positive..
« Reply #5 on: June 21, 2011, 03:43:41 PM »
Hi Milos,

Thanks. Also, on a re-scan the apparent virus names vary all the time, see:
http://virscan.org/report/da20654126e8d63850b2b84b1e548109.html

I attached the Authenticode data I got with FileAlyzer.

polonus
« Last Edit: June 21, 2011, 06:52:14 PM by polonus »

Offline polonus

Re: Real malware or just a false positive..
« Reply #6 on: June 23, 2011, 10:19:26 PM »
But with this file we should be careful, as was pointed out to me by our forum friend Pondus, who had that particular file analyzed at Norman's and got these specifics, I quote:
Quote
At 2011-6-23 9:18:53, len wrote:
Greetings,

We have sandbox detection of this file as suspicious (downloading activity). Although it seems to be a part of Ewido anti-malware (now acquired by AVG), it has an expired certificate and can be easily modified for malicious purposes. Also, this file has the characteristic of downloading some file from the ewido website. Generally security software has website names in encrypted form, but this file has them in plain text, which can be modified easily to download some other files.
Note: I have added this file to my track list.

Regards  

Additionally I add this specific scan with the same MD5 hash but a completely different file name:
File Name :     430D5A2E.E7F
File Size :     134496 byte
File Type :     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 :     e82b923d6d2ac34b611d2f410b159a7d
SHA1 :     dd50332945c62e8f0cd9bc610446be27329c795f

Could that be the malicious counterpart of the original ewido executable?

polonus
« Last Edit: June 23, 2011, 10:21:20 PM by polonus »
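
As an added example (my code, not part of the thread and not Norman's, Avast's or ewido's tooling), here is a small Python triage script for the two points this last post turns on. First, Norman's analyst says the download location sits in the binary as plain text: the script extracts printable ASCII and UTF-16LE strings from a file and flags anything with a URL scheme, since Windows binaries keep many strings in UTF-16LE and an ASCII-only pass misses them. Second, it computes the MD5/SHA-1/SHA-256 that VirusTotal, Jotti and VirSCAN key on; those hashes cover only the file's bytes, so a copy with a different name and the same MD5 is the same bytes, not a different file. The sample buffer, including the ewido-style update URL and the example.invalid hosts, is constructed here and is not content from the real ewido_micro.exe.

```python
import hashlib
import re

# Constructed stand-in for a PE image: a few ASCII and UTF-16LE strings
# buried in filler bytes.  This is NOT the real ewido_micro.exe; the URLs
# are illustrative (example.invalid is a reserved, non-resolving TLD).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"http://www.ewido.net/update/\x00"
    + b"\x00" * 16
    + "Software\\ewido".encode("utf-16-le") + b"\x00\x00"
    + "https://download.example.invalid/payload.bin".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"ftp://files.example.invalid/\x00"
    + bytes(range(256))
)

# Anything with a scheme counts as a network indicator; bare hostnames are
# left out to keep false positives (e.g. "payload.bin") down.
URL_RE = re.compile(r"(?:https?|ftp)://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~/%?=&\-]*)?")


def ascii_strings(data, min_len=6):
    """Return (offset, text) for runs of printable ASCII of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group(0).decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data, min_len=6):
    """Return (offset, text) for UTF-16LE runs: printable byte followed by NUL.
    Resource strings and many Win32 API arguments are stored this way, so an
    ASCII-only 'strings' pass silently misses them."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group(0).decode("utf-16-le")) for m in pat.finditer(data)]


def find_network_indicators(data):
    """Return URLs found in either encoding, with the byte offset of each hit."""
    hits = []
    for encoding, extractor, width in (("ascii", ascii_strings, 1),
                                       ("utf-16le", utf16le_strings, 2)):
        for offset, text in extractor(data):
            for m in URL_RE.finditer(text):
                hits.append({"offset": offset + width * m.start(),
                             "encoding": encoding,
                             "value": m.group(0)})
    return hits


def file_hashes(data):
    """Hashes the online scanners key on.  They depend only on the bytes, not on
    the file name, so a renamed copy keeps the same MD5/SHA-1/SHA-256."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, digest in file_hashes(blob).items():
        print(f"{name:6} {digest}")
    for hit in find_network_indicators(blob):
        print(f"0x{hit['offset']:08x} {hit['encoding']:8} {hit['value']}")
```

Run it against the real file with `python triage_strings.py ewido_micro.exe`; if the update URL shows up in clear, the same scan on a suspect copy with a different hash will show immediately whether that string has been swapped for another host, which is exactly the modification Norman's note warns about.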