Topic: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?

Allochthonous

  • Guest
Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« on: June 20, 2006, 05:39:52 PM »
I completed a scan last night (VPS 0624-2) which detected this virus:

Win32:Trojan-gen {UPX!} in the file "browser.exe"

The file is located in C:\WINDOWS

I moved it to the virus chest, then moved it back so I could scan it with Trend Micro HouseCall to get a second opinion. It found nothing wrong with the file. I then moved it back into the chest while I investigated.

On a hunch, I rolled over to my other machine to see if the file existed there also. It did, and I got the same results. These machines are both WinXP SP2, with Avast 4 Home and Sunbelt Kerio Firewall. That is about all they have in common, except for an SBC Yahoo DSL connection.

On a second hunch, I popped the SBC DSL installation CD into the old system and explored the CD for the file "browser.exe." There it was, and Avast freaked out once again. So, if it thinks it's a virus on the CD, then it's not like the file on the system was infected later.

I can't recall whether I have scanned since I installed the DSL. It is very possible that I have not, as we have had a baby in the meantime and I have been rather distracted. If I have scanned, I wonder why Avast did not pick this up before. If I have not scanned, then why does Avast see this file as viral? Surely SBC would not include a virus on their installation CD, would they?  Spyware, yes, virus?

I have a friend who also has SBC DSL and uses Avast. I will check with him tonight to see a) whether he has the file and b) whether Avast finds it viral.

For now I have moved the file into the chest on both systems.

Any clue?

PK

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #1 on: June 20, 2006, 05:45:39 PM »
First update the VPS: the latest is 0625-2 and yours is a week out of date (you should ensure auto updates are set), unless 0624-2 is a typo.

What is browser.exe?

You could also check the offending/suspect file at Jotti (multi-engine on-line virus scanner) or VirusTotal (multi-engine on-line virus scanner). If any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right-click scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Spiritsongs

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #2 on: June 20, 2006, 06:40:15 PM »
:) Hi:

I feel a "trojan" is more "spyware" than it is a "virus"; a very good program to use as a "2nd opinion" would be "Ewido", available at www.ewido.net. Should consider running their online scanner!?

Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #3 on: June 20, 2006, 06:46:26 PM »
OK, I talked to my friend. The file is on his SBC DSL Setup CD, but could not be found on his system. Avast went off on the file on the CD.

I tried those online scanners.

Jotti says that Avast found Win32:Trojan-gen
Fortinet found Pahador.F!tr
VirusBuster found Trojan.Autoit.A

However, it says the SAME THING when I scan the file from the CD too!

What the heck? This still has to be a false positive, right? I mean, if it's ON THE CD?

I am still waiting for the VirusTotal results.

I have an email out to Avast tech support. Should I confront SBC too?

I have one more SBC DSL system (my mother-in-law's) that I can look into to see if the file exists and what her McAfee AV thinks of it.

PK

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #4 on: June 20, 2006, 07:19:57 PM »
There is no such file as browser.exe located in WINDOWS folder. So you can be pretty sure it's malware.
Visit my webpage Angry Sheep Blog

Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #5 on: June 20, 2006, 07:55:13 PM »
The VirusTotal results are similar.
They were identical for both the files on my system and the file on the SBC DSL install CD.

CAT-Quickheal - Trojan.Autoit.D
Fortinet - Pahador.F!tr
Sophos - Troj/Pahador-F
VirusBuster - Trojan.Autoit.A

The Ewido online scanner came up negative, except for cookies.

The issue isn't necessarily "what is this file doing in my WINDOWS directory" but more like "why do a few AV scanners consider a file being distributed by SBC to be viral"?

Should I email this to Avast as a potential false positive as suggested in the sticky?


PK
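A local triage step that complements the multi-engine checks DavidR recommends and the on-disk-versus-CD comparison PK did: hash each copy of the suspect file so you can show the vendor that the copy in C:\WINDOWS is byte-for-byte the one shipped on the install CD, and read the PE section table to see whether the file is UPX-packed, which is all the "{UPX!}" tag in the detection name refers to. This is an added example, not code from the thread or from any of the scanners named in it; the PE bytes it builds for its self-test are constructed, and the `triage`, `pe_section_names` and `build_sample_pe` names are this example's own.

```python
"""Triage helper for a suspected false positive (added example, not from the thread).

- sha256 of each copy: the value to quote when submitting the sample to the vendor
- PE section names: UPX-packed files normally carry sections named UPX0/UPX1,
  which is what a generic "{UPX!}" detection keys on
"""
import hashlib
import struct


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def pe_section_names(data):
    """Return the section names from a PE image's section table.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header
    -> section table. Raises ValueError if the bytes are not a PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]   # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names):
    """True when any section name starts with 'UPX' (the packer's default names)."""
    return any(name.startswith("UPX") for name in section_names)


def triage(copy_on_disk, copy_from_media):
    """Compare two copies of the suspect file and summarise what a vendor report needs."""
    sections = pe_section_names(copy_on_disk)
    return {
        "identical": sha256_hex(copy_on_disk) == sha256_hex(copy_from_media),
        "sha256": sha256_hex(copy_on_disk),
        "sections": sections,
        "upx_packed": looks_upx_packed(sections),
    }


def triage_files(path_on_disk, path_from_media):
    """Same as triage(), reading the two copies from disk (e.g. C:\\WINDOWS vs the CD)."""
    with open(path_on_disk, "rb") as a, open(path_from_media, "rb") as b:
        return triage(a.read(), b.read())


def build_sample_pe(section_names):
    """Construct a minimal, headers-only PE-shaped byte string for offline testing.

    Constructed sample: DOS stub with e_lfanew=0x40, PE signature, a 20-byte COFF
    header with SizeOfOptionalHeader=0, then one 40-byte entry per section name.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1", ".rsrc"])   # constructed "packed" sample
    print(triage(packed, packed))
```

Two copies with the same SHA-256 are the same file, so an identical hash on the C:\WINDOWS copy and the CD copy rules out a later on-disk infection, which is the point PK was making. A UPX section layout on its own proves nothing about intent: plenty of legitimate installers are packed that way, which is exactly why a generic packer-based detection can misfire, and why the hash plus the sample itself is what the vendor needs in order to make the call.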

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #6 on: June 20, 2006, 08:09:01 PM »
Try a forum search for AutoIt, as I remember AutoIt used to cause some false detections for those using it. However, if you haven't got AutoIt then that may not be relevant.

Again, what is the browser.exe file for, and what does it do?
Quote from: Allochthonous
Should I email this to Avast as a potential false positive as suggested in the sticky?
If you don't they will be none the wiser and unable to analyse it, so I would say yes.

Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #7 on: June 20, 2006, 08:42:46 PM »
DavidR: That's part of the problem. I have NO idea what it is or what it does. All I know is that it exists on the SBC DSL install CD and in my WINDOWS directory. It exists on my friend's CD, but not on his system.

Avast alarms on the file in ALL cases.

PK

mauserme

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #8 on: June 20, 2006, 08:45:37 PM »
Hi Allochthonous,

I also have SBC Global DSL and avast! detected the same on a home computer Saturday during a boot scan. Oddly, the scheduled scan done Friday morning (standard/no archives) gave me no warnings even though, if this is from the SBC setup, it must have been on my drive since November 2005.

Prior to the boot scan I had scanned as follows because of suspicious activity on the PC (i.e. BitDefender 8 was disabled without explanation):

Avast! Scheduled Scan - no detection
Ewido v 3.5 - no detection
BitDefender 8 (after re-installation) - no detection
AdAware - no detection
Spybot S&D - no detection
Trend House Call - no detection

I'm treating mine as a real detection for the time being. I put it in the chest and plan on scanning it again with avast!, BitDefender, and maybe ClamWin in a week or so.

I did not think to check the SBC setup CD but I will when I get home from work. I'll also check a second home PC as well as a friend's I set up 2 weeks ago to see if it's present there. It could be a false positive but it wouldn't surprise me at all if it's some sort of "marketing tool".

BTW, my DSL connection is just fine without it.

... we have had a baby in the meantime and I have been rather distracted.

Congratulations - hope you're getting a little sleep.

Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #9 on: June 20, 2006, 09:24:54 PM »
mauserme: Thanks! (We actually can't complain about our quantity of sleep.) She's a pretty good baby.

Hey, let me know what you find out on your SBC CD. I almost guarantee it's gonna wig out on you. Also let me know what you find on your other SBC DSL PCs. I will try to make it over to the in-laws soon to see if that file exists on their system. They use McAfee for AV though.

I wish I knew the date that I started my SBC service so I knew whether I had indeed run a scan between then and now. I may have to dig through some paperwork.

PK


Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #10 on: June 20, 2006, 09:32:48 PM »
OK, I just confirmed it. I had DSL by mid March. I KNOW that I ran MANY MANY scans between then and now. I know this because I had another minor "run in" with some malware in early April. I bet I ran 20 different scans from many products, and I don't recall any of them finding this. (Refer to my post here regarding that threat.)

PK

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #11 on: June 20, 2006, 10:11:20 PM »
New/modified signatures get added all the time. This is why you often find stuff that has been on your system for some time being detected after a VPS update, and also why you should never delete but send to the chest and investigate, as you have. Because a few other AVs are alerting on it you have to err on the side of caution, as has been mentioned before, and send it to avast with some background info, such as this thread, etc.

mauserme

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #12 on: June 21, 2006, 02:34:55 AM »
Hey, let me know what you find out on your SBC CD. I almost guarantee its gonna wig out on you.

OK, consider me wigged.

Although I don't have access to my friend's computer right now, I do have her installation disk. Scanning hers and mine yielded identical results:

avast! = W32:Trojan-gen[UPX]
Bitdefender with updated defs = no detection
Ewido (new version 4) = no detection
ClamWin = Error: Can't open file F:\setup\browser.exe
a-squared = no detection in browser.exe but did report the following
I'm pretty sure browser.exe is the alternate browser SBC supplies (see your documentation), but I would obviously stay away from using it. The a-squared stuff? Not a clue...

New/Modified signatures get added all the time, this is why you often find stuff that has been on your system for some time being detected after VPS update ...

Yes, but the reason for my surprise is that there was no VPS update between my Friday and Saturday scans. The boot scan is a different animal, of course.

Allochthonous

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #13 on: June 21, 2006, 02:45:57 AM »
Thanks for checking, mauserme. This is getting very weird. Yours was only detected during a boot scan? What does the regular scanner think of the file? Or did you not get that far?

Was the file "browser.exe" located in the WINDOWS directory like mine?

I think I will contact SBC tomorrow and see what they say about the file. I will also send a "false positive" email to Avast.

PK

mauserme

  • Guest
Re: Win32:Trojan-gen {UPX!} in "browser.exe" - false positive?
« Reply #14 on: June 21, 2006, 05:54:41 AM »
It was not detected on my C: drive during a scheduled scan, but the following day a boot scan did detect it on C:. I think this might reflect a difference in sensitivity levels between the two types of scans. And yes, it was in C:\Windows.

On the CD, scanning from the simple user interface and from the context menu gives a positive detection.

I've also now submitted it to Jotti and you can add Dr. Web to the list of detections (Trojan.Click.1255).

My feeling about this is:

1) my connection is fine without it
2) I have no use for the browser (if that's what it is)
3) there are enough respected programs calling it a trojan that I don't trust it

Since I have the original file on the CD, I'll probably just delete it from C: at this point.

Do let us know what SBC says about it.