Author Topic: Wow-BC Installer - False Positive for Trojan  (Read 4191 times)

resa1983

  • Guest
Wow-BC Installer - False Positive for Trojan
« on: October 02, 2008, 05:44:13 PM »
Had my WoW-BC installer pop up with a positive for a trojan yesterday when the screensaver popped up - had been off my computer for days so don't know when the scanner started picking it up.  I saw the positive, and forced an update of the virus database.  Unfortunately it still came up positive.  Waited for the update this morning, and was still a false positive.

Here's the Virustotal:

 File WoW-BurningCrusade-enUS-Installer received on 09.28.2008 17:51:09 (CET)
Current status: finished
Result: 3/36 (8.33%)
Antivirus    Version    Last Update    Result
AhnLab-V3    2008.9.25.0    2008.09.26    -
AntiVir    7.8.1.34    2008.09.28    -
Authentium    5.1.0.4    2008.09.28    -
Avast    4.8.1195.0    2008.09.27    Win32:Trojan-gen {Other}
AVG    8.0.0.161    2008.09.28    -
BitDefender    7.2    2008.09.28    -
CAT-QuickHeal    9.50    2008.09.26    -
ClamAV    0.93.1    2008.09.28    -
DrWeb    4.44.0.09170    2008.09.28    -
eSafe    7.0.17.0    2008.09.28    Trojan-GameThief.Win
eTrust-Vet    31.6.6110    2008.09.26    -
Ewido    4.0    2008.09.28    -
F-Prot    4.4.4.56    2008.09.25    -
F-Secure    8.0.14332.0    2008.09.28    -
Fortinet    3.113.0.0    2008.09.28    -
GData    19    2008.09.28    Win32:Trojan-gen {Other}
Ikarus    T3.1.1.34.0    2008.09.28    -
K7AntiVirus    7.10.473    2008.09.25    -
Kaspersky    7.0.0.125    2008.09.28    -
McAfee    5392    2008.09.25    -
Microsoft    1.3903    2008.09.28    -
NOD32    3478    2008.09.28    -
Norman    5.80.02    2008.09.26    -
Panda    9.0.0.4    2008.09.28    -
PCTools    4.4.2.0    2008.09.26    -
Prevx1    V2    2008.09.28    -
Rising    20.63.62.00    2008.09.28    -
SecureWeb-Gateway    6.7.6    2008.09.28    -
Sophos    4.34.0    2008.09.28    -
Sunbelt    3.1.1668.1    2008.09.24    -
Symantec    10    2008.09.28    -
TheHacker    6.3.0.9.095    2008.09.27    -
TrendMicro    8.700.0.1004    2008.09.26    -
VBA32    3.12.8.6    2008.09.26    -
ViRobot    2008.9.26.1393    2008.09.26    -
VirusBuster    4.5.11.0    2008.09.28    -
Additional information
File size: 1038603 bytes
MD5...: ac578ed96e8ab27525dfc076c6aab4e2
SHA1..: a735c79ec2882abfcb9356ae9f2ce8b0aef2d056
SHA256: e6d08193c4e5ee51950002c7cdf014689e2fe5e548bd677fba866a7dfde0d6eb
SHA512: 624608bc985f8d080c3b0f53375f137a5f4ac95d206efef517f474bd4c2707f3
9e3210468c7ac592a8ff63f11addf2765b488e2ddcea3e7a5fa4a0fb8c332ad8
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4629dd
timedatestamp.....: 0x45b6b002 (Wed Jan 24 01:01:54 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x72302 0x73000 6.53 195b74be3b1fa0747effff15c6189d46
.rdata 0x74000 0x23a0a 0x24000 6.04 3a921e80edcb5363dce7bfbeffb5bb0c
.data 0x98000 0x7e44 0x5000 5.63 ef25124c468482a2de2d396bf4d8689a
.rsrc 0xa0000 0x1e540 0x1f000 7.49 410d363aae41910b87efaec50822a693

( 14 imports )

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=ac578ed96e8ab27525dfc076c6aab4e2



The Installer is clean - and has been since it was downloaded back in Feb 2008 when I reinstalled WoW on my machine.  The file hasn't been modified since I downloaded it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Wow-BC Installer - False Positive for Trojan
« Reply #1 on: October 02, 2008, 06:12:09 PM »
Did you submit the sample to avast for analysis, as that is the only way it would come to their notice?

If it is indeed a false positive, and it seems so, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

resa1983

  • Guest
Re: Wow-BC Installer - False Positive for Trojan
« Reply #2 on: October 02, 2008, 06:25:00 PM »
Awesome.  Just sent the email off now.

Thanks for the help. :)

Offline DavidR

Re: Wow-BC Installer - False Positive for Trojan
« Reply #3 on: October 02, 2008, 07:18:08 PM »
You're welcome.

They are normally quite quick to correct when confirmed.