Author Topic: [FP] www.hoverdesk.net Regseeker 4.0  (Read 6799 times)


REDACTED

  • Guest
[FP] www.hoverdesk.net Regseeker 4.0
« on: August 20, 2017, 03:45:07 AM »
http://www.hoverdesk.net/download/RegSeeker_4.0.zip detected as Sf:Gamarue-A [Trj]

https://www.virustotal.com/#/url/adb71890d78cf22ed1a09e4d1613022a02947bcd8f503d8ce9d9e30a2d0f9a88/detection - 0 detected

Sorry, my bad, not sure if it's because of the comment mentioned at the end of this page w.r.t. the delta toolbar https://www.nsanedown.com/?request=187466697
« Last Edit: August 20, 2017, 03:52:33 AM by mohan »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #1 on: August 20, 2017, 09:44:00 AM »
First, you aren't actually scanning sites using VT; to check a URL, all it is doing is checking it against a list of blacklists. You would need to upload the file to have it scanned.

I have just scanned the file and it is 3/59, so a possibility of a false positive. Even more so as AVG and Avast detect it; they are both using the same virus signature database. So you could say 2 of 58 detections.
https://virustotal.com/en/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/analysis/1503214812/

EDIT: I have extracted RegSeeker.exe and submitted it to avast for analysis.
« Last Edit: August 20, 2017, 10:00:05 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #2 on: August 20, 2017, 11:04:37 AM »
We see a confirmation here: http://www.download3k.com/Antivirus-Report-RegSeeker.html
with avast detecting RegSeeker_4.0.zip|>RegSeeker\RegSeeker.exe|>[UPX]   Sf:Gamarue-A [Trj]
On the rise again as part of the Zeus banking trojan botnetwork.
Re: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Gamarue.A
But a typical avast detection here: http://v.virscan.org/Sf:Gamarue-A%20[Trj].html

Wait for an Avast Team Member to explain and give a verdict on this detection.
All versions of RegSeeker are being flagged as having this malcode.

My hunch is a falsely flagged UPX packed exe detection! But the IP had other malware: https://urlquery.net/report/5519bb86-8f3d-44dc-9397-587e997259eb  and that might be a reason to take no chances on that packed UPX executable as well, or the file was not signed properly. But it still could well be a FP.

polonus
« Last Edit: August 20, 2017, 11:34:44 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #3 on: August 20, 2017, 11:35:59 AM »
@polonus
The Microsoft link is pretty old Published Sep 18, 2011 | Updated Mar 23, 2012, so I'm not sure how relevant it might be.

The v.virscan.org link is coming up 404.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #4 on: August 20, 2017, 12:25:20 PM »
Hi DavidR and threadstarter,

Well, the UPX packed file controversy (FPs versus genuine detections) has been ongoing since 2011.
It is not the first time a packed UPX executable was found to be a FP and it certainly will not be the last.

Kaspersky warned av-vendors not to automatically flag all, but to better discriminate between FPs and the real McCoy.
All avast detections for RegSeeker are from 2017. Remember, avast has some reputation here of serving up FPs.
Wonder what the final verdict will be then?

Also it should be taken into the bargain that that same IP was abused for serving malcode.
One and one counts up to two in such a case. Anyway, let us wait and see...

As for that 404, the link was not being given properly: http://v.virscan.org/Sf:Gamarue-A%20[Trj].html  (take all to the end of it into the searchbar then press enter)...

polonus
« Last Edit: August 20, 2017, 12:29:22 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #5 on: August 20, 2017, 02:31:16 PM »
It's those pesky square brackets in their URL that get in the way in forums that use square brackets in the code tags.

Perhaps AV Comparatives should throw some UPX files into their clean set to check for FPs; that would certainly make the virus labs pay attention ;)
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #6 on: August 20, 2017, 03:49:24 PM »
> First you aren't actually scanning sites using VT to check a URL all it is doing is checking it against a list of blacklists. You would need to upload the file to have it scanned.
>
> I have just scanned the file and it is 3/59 so a possibility of a false positive. Even more so as AVG and Avast detect it they are both using the same virus signature database. So you could say 2 of 58 detections.
> https://virustotal.com/en/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/analysis/1503214812/
>
> EDIT: I have extracted RegSeeker.exe and submitted it to avast for analysis.
IF there is a file at the URL, VT will download and scan it.
To see the file scan result, click the icon after the hash at > Downloaded file

see attached screenshot below

Be aware that if the file is in a zip, then the hash and additional file info will not be correct, it will be for the zip and not the file inside

In this case it seems the zip contained multiple files.
If you upload the file to metadefender.com it will unpack and list the scan result for all files inside the zip. I think the limit is 500 files inside the zip.

« Last Edit: August 20, 2017, 03:58:27 PM by Pondus »
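Pondus's point above is that a hash taken from a URL scan belongs to the zip, not to the executable inside it, so looking up that hash tells you nothing about RegSeeker.exe itself. The following is an added example (not code from the thread, VirusTotal or the RegSeeker project) that shows the difference: it builds a small constructed archive in memory standing in for RegSeeker_4.0.zip, reports the SHA-256 of the container and of every member separately, and applies a simple, clearly labelled heuristic for the UPX section names that polonus's hunch is about. The archive contents, file names and "UPX0"/"UPX1" markers in the fake payload are all made up for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed sample standing in for RegSeeker_4.0.zip; NOT the real download.
# The fake executable carries the "UPX0"/"UPX1" section names that UPX leaves
# in a packed PE, so the heuristic below has something to find.
FAKE_EXE = (b"MZ" + b"\x00" * 60 + b"PE\x00\x00"
            + b"UPX0" + b"\x00" * 8 + b"UPX1" + b"\x00" * 8
            + b"constructed fake code bytes")
FAKE_README = b"RegSeeker readme (constructed sample)\n"


def build_sample_zip() -> bytes:
    """Build the constructed archive in memory, mimicking a zip with several members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("RegSeeker/RegSeeker.exe", FAKE_EXE)
        zf.writestr("RegSeeker/readme.txt", FAKE_README)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """SHA-256 in the lowercase hex form VirusTotal shows in its file URLs."""
    return hashlib.sha256(data).hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: UPX-packed PEs normally contain the section names UPX0/UPX1
    and a 'UPX!' marker. A true verdict needs a PE parser; this is just a triage hint."""
    return b"UPX0" in data or b"UPX1" in data or b"UPX!" in data


def inventory(zip_bytes: bytes) -> dict:
    """Hash the container and each member so every hash can be looked up separately.

    The container hash is what a URL scan of the zip reports; the member hashes
    are what you need to look up (or submit) the executable itself.
    """
    report = {"container_sha256": sha256_hex(zip_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            report["members"][info.filename] = {
                "sha256": sha256_hex(data),
                "size": len(data),
                "upx_heuristic": looks_upx_packed(data),
            }
    return report


if __name__ == "__main__":
    result = inventory(build_sample_zip())
    print("container:", result["container_sha256"])
    for name, meta in result["members"].items():
        flag = " (UPX markers present)" if meta["upx_heuristic"] else ""
        print(f"{name}: {meta['sha256']} {meta['size']} bytes{flag}")
```

Run it and the container hash never matches any member hash, which is exactly why a detection on the zip and a "0 detected" URL report can both be true at once. For a real download, the member hash of RegSeeker.exe is the value to search on VirusTotal or to attach to a false-positive report, and the UPX flag is only a reason to look closer, not a verdict.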

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #7 on: August 20, 2017, 06:02:56 PM »
If it did download the file, then I would have to ask why there was no alert by avast or the other two that detected it ?

Yet my upload to be scanned of the actual RegScanner_4.0.zip did list the detections, yet the SHA256 is the same as in your image, yet it doesn't appear to have been scanned.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #8 on: August 20, 2017, 06:56:26 PM »
> If it did download the file, then I would have to ask why there was no alert by avast or the other two that detected it ?
>
> Yet my upload to be scanned of the actual RegScanner_4.0.zip did list the detections, yet the SHA256 is the same as in your image, yet it doesn't appear to have been scanned.
There is if you click the icon (in the link posted by the OP) you will see the file scan result
https://www.virustotal.com/#/file/5ef44613881f8be5c2978ee8475a174d6dbd7fe0e24c3d984eac0f4724e9ca12/detection

Same SHA-256 hash as in your link

« Last Edit: August 20, 2017, 07:00:14 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #9 on: August 20, 2017, 07:04:27 PM »
Ah, I had never noticed that tiny icon, much less what it was for :)

I went into what I thought was the obvious, the Details tab, only to find it wanting. I would have thought that would have been the logical location, or a link to the file scan.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #10 on: August 20, 2017, 11:26:33 PM »
Hi Pondus - Heia Norge,

Thanks for that explanation on the inner workings of VT.
You know Virus Total scan outlay like the inner lining of your pocket.  ;)  8)
Good to have you around in such discussions.

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #11 on: August 21, 2017, 06:32:14 AM »
@Pondus, DavidR - Many thanks glad to have learnt something new today (w.r.t VT)

At the time of raising this thread also raised it to hoverdesk and received the below

Hello

Yes, it's a false positive from Avast because the RegSeeker executable is compressed with upx.
The next version won't be compressed any longer, though upx has nothing to do with some kind of virus...

Best regards
Thibaud


So if needed we could defer adding exclusion signatures until next version is released.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #12 on: August 21, 2017, 10:03:58 AM »
You're welcome.

You could try that, but personally I would stick with your existing older version of RegSeeker (I'm still using version 2.7 on my XP System) until Avast do remove the detection.  Because Avast is alerting on the Zip file when you try to download it, you would have to set a URL exclusion or disable the web shield, neither I feel worthy of what is just another registry cleaner. CCleaner also has a registry cleaner function.

There was also something I read about unwanted add-on also on installation that would make me wait and or ensure you did a custom install and deselect any unwanted extras.

Currently avast is still alerting on it, but it is still early for a likely FP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #13 on: August 21, 2017, 12:13:19 PM »
But there is still room for some fundamental discussion on the ongoing problem of UPX packed proggies and false positives.

Re: https://autohotkey.com/board/topic/49032-enough-with-the-upx-packed-virus-false-alarms-enough/
Re: https://forums.spybot.info/showthread.php?47483-UPX-packed-executables&p=311376
Re: http://www.virtualdub.org/blog/pivot/entry.php?id=245
Re: https://reverseengineering.stackexchange.com/questions/198/what-different-upx-formats-exist-and-how-do-they-differ

Could not developer signing and authoritative certification come to the rescue to discriminate between benign and benevolent UPX packed code and malicious, reverse engineered UPX meant to go under the malware detection radar?

I can understand one often would take 'the better safe than sorry' route and question UPX packed code completely...but not like Norton did and remove it without any notice beforehand.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jl747

  • Full Member
  • ***
  • Posts: 153
Re: [FP] www.hoverdesk.net Regseeker 4.0
« Reply #14 on: September 06, 2017, 12:59:40 PM »
Regseeker just posted a new version (4.50) and it also is showing the same problem when you try to download and install.
Windows 10 Pro - Avast 18.4.2338 - Vivaldi 1.15.1147.xx
Zone Alarm Free Firewall