Topic: Bin* compare tools

MrBabis

  • Guest
Bin* compare tools
« on: January 24, 2006, 11:52:56 AM »
Hi. ;)

Do you know of a compare tool for binary files?
Some freeware.

I got one virus that may not be a virus.

It is in the proexe.dat file ("CAD-KAS HTML2Exe Baler 2.0").

A few programs report that there is a virus inside of it. Avast too.
But I want to find where, to make a definition for ClamAV and try to block the code inside of it. ???

igor

  • Avast team
Re: Bin* compare tools
« Reply #1 on: January 24, 2006, 12:39:58 PM »
Sounds like a false positive.

MrBabis

  • Guest
Re: Bin* compare tools
« Reply #2 on: January 24, 2006, 01:06:52 PM »
Here are the Jotti results
-------------------
ProtoEXE.dat
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d8282c779febd5b8c7d9d0e927b98a7f
Packers detected: -

Scanner results
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Trojan-gen. {Delphi}
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Click.657
ClamAV: Found nothing
Dr.Web: Found Trojan.DownLoader.6217
F-Prot Antivirus: Found W32/Downloader.MNC
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found TrojanClicker.Win32.Delf
VBA32: Found Trojan.Click.657
-------------------

I do not believe that there is a virus inside of that file, but there may be.

File was downloaded from http://cadkas.de/
And is part of:
Direct path to file is "http:\\www.cadkas.com\ htmbaler!.exe"
(replace \ with / and no spaces)

The file is RAR compressed and can be unzipped by adding the "RAR" extension type to it or renaming .EXE to .RAR

Also, files that are created by that program are "infected".
It depends on the fact that ProtoEXE.dat is a "sample" that is used to create new files. When I replaced the first bytes with "CD", that was also in the file that was created.
-------------------
-------------------

Is it possible that a few antivirus programs can have the same false positive?

----------

I have now found the "WinMerge" and "bin2hex" tools that can be used for that (comparing bin files). But if you know of some others, please tell me.
« Last Edit: January 25, 2006, 01:05:57 AM by MrBabis »
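
A minimal byte-level comparison of the kind asked about in this thread, added here as an example and not part of any post. It reports the offset ranges where two binaries differ; the sample stub and generated file are constructed stand-ins, and the function names are hypothetical.

```python
"""Compare two binaries and report the offset ranges where they differ."""
import sys


def diff_ranges(a: bytes, b: bytes, gap: int = 0):
    """Return half-open (start, end) offset ranges where a and b differ.

    Ranges separated by at most `gap` identical bytes are merged. If the
    lengths differ, the extra tail of the longer input is a final range.
    """
    ranges, start = [], None
    common = min(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                # Merge with the previous range when the equal run is short.
                if ranges and i - ranges[-1][1] <= gap:
                    start = ranges.pop()[0]
                else:
                    start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(a) != len(b):
        longest = max(len(a), len(b))
        if ranges and common - ranges[-1][1] <= gap:
            ranges[-1] = (ranges[-1][0], longest)
        else:
            ranges.append((common, longest))
    return ranges


def report(a: bytes, b: bytes, gap: int = 8, width: int = 16):
    """Format each differing range with a short hex preview of both sides."""
    lines = []
    for s, e in diff_ranges(a, b, gap):
        lines.append(f"0x{s:08x}-0x{e - 1:08x} ({e - s} bytes)")
        lines.append(f"  A: {a[s:min(e, s + width)].hex(' ') or '(end of file)'}")
        lines.append(f"  B: {b[s:min(e, s + width)].hex(' ') or '(end of file)'}")
    return lines


# Constructed sample: a template stub, and a generated file that copies the
# stub with its first two bytes changed to "CD" and page data appended.
STUB = b"MZ" + bytes(30) + b"PE\x00\x00" + b"template"
GENERATED = b"CD" + STUB[2:] + b"<html>payload</html>"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py file_a file_b
        STUB, GENERATED = (open(p, "rb").read() for p in sys.argv[1:3])
    print("\n".join(report(STUB, GENERATED)) or "files are identical")
```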