Author Topic: False positive - OBJFIX.EXE  (Read 2944 times)

Zbzzn

  • Guest
False positive - OBJFIX.EXE
« on: August 01, 2007, 11:39:24 PM »
Hello,

I was performing a compile of the latest ZSNES and received what I believe to be a false positive upon compiling an executable for correcting Win32 object files for MinGW. The source code for the executable follows:

Code:
#include <stdio.h>
#include <string.h>

int open_error(const char *filename, const char *mode)
{
 printf("Failure opening %s for %s\n",filename,mode);
 return 1;
}

int main(int argc, char **argv)
{
 int c;
 int section_count;
 FILE *in, *out;
 unsigned char section_header[40];

 if (argc < 2 || argc > 3)
 {
  printf("Fixes MS Win32 object files to be compatible with the incorrect\n");
  printf(" implementation in MinGW32.\n");
  printf("Usage: objfix infile [outfile]\n");
  return 1;
 }

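 in = fopen(argv[1], (argc == 2 ? "rb+" : "rb"));
 /* With a single argument the file is patched in place ("rb+"), i.e. opened for update */
 if (!in) return open_error(argv[1], (argc == 2 ? "update" : "read"));

 if (argc == 3)
 {
  out = fopen(argv[2], "wb");
  if (!out)
  {
   /* Report the output file, not the input file, and release the input handle */
   fclose(in);
   return open_error(argv[2], "write");
  }
 }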
 else
 {
  out = NULL;
 }

 if (out)
 {
  fputc(fgetc(in), out);
  fputc(fgetc(in), out);

  fputc(section_count = fgetc(in), out);
  fputc(c = fgetc(in), out);
  section_count += c << 8;

  for (c = 4; c < 0x14; c++)
  {
   fputc(fgetc(in), out);
  }

  for (c = 0; c < section_count; c++)
  {
   if (fread(section_header, 1, 40, in) != 40) break; /* truncated section table */

   if (!strncmp((const char *)section_header, ".bss", 8))
   {
    memcpy(section_header + 8, section_header + 16, 4);
    memset(section_header + 16, 0, 4);
   }
   else
   {
    memset(section_header + 8, 0, 4);
   }

   fwrite(section_header, 1, 40, out);
  }

  while ((c = fgetc(in)) != EOF)
  {
   fputc(c, out);
  }
 }
 else
 {
  fgetc(in);
  fgetc(in);

  section_count = fgetc(in);
  section_count += fgetc(in) << 8;

  fseek(in, 0x14, SEEK_SET);

  for (c = 0; c < section_count; c++)
  {
   if (fread(section_header, 1, 40, in) != 40) break; /* truncated section table */

   fseek(in, -40, SEEK_CUR);

   if (!strncmp((const char *)section_header, ".bss", 8))
   {
    memcpy(section_header + 8, section_header + 16, 4);
    memset(section_header + 16, 0, 4);
   }
   else
   {
    memset(section_header + 8, 0, 4);
   }

   fwrite(section_header, 1, 40, in);

   fseek(in, 0, SEEK_CUR);
  }
 }

 fclose(in);
 if (out) fclose(out);

 return 0;
}

I am using avast! v4.7 Home Edition, VPS file dated 08/01/2007 version 000763-0. I scanned objfix.exe at VirusTotal as well, the outcome was:

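| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.2.0 | 2007.08.01 | - |
| AntiVir | 7.4.0.54 | 2007.08.01 | - |
| Authentium | 4.93.8 | 2007.08.01 | - |
| Avast | 4.7.1029.0 | 2007.08.01 | Win32:Agent-HFI |
| AVG | 7.5.0.476 | 2007.08.01 | - |
| BitDefender | 7.2 | 2007.08.01 | - |
| CAT-QuickHeal | 9.00 | 2007.08.01 | - |
| ClamAV | 0.91 | 2007.08.01 | - |
| DrWeb | 4.33 | 2007.08.01 | - |
| eSafe | 7.0.15.0 | 2007.07.31 | - |
| eTrust-Vet | 31.1.5024 | 2007.08.01 | - |
| Ewido | 4.0 | 2007.08.01 | - |
| FileAdvisor | 1 | 2007.08.01 | - |
| Fortinet | 2.91.0.0 | 2007.08.01 | - |
| F-Prot | 4.3.2.48 | 2007.08.01 | - |
| F-Secure | 6.70.13030.0 | 2007.08.01 | - |
| Ikarus | T3.1.1.8 | 2007.08.01 | - |
| Kaspersky | 4.0.2.24 | 2007.08.01 | - |
| McAfee | 5088 | 2007.08.01 | - |
| Microsoft | 1.2704 | 2007.08.01 | - |
| NOD32v2 | 2431 | 2007.08.01 | - |
| Norman | 5.80.02 | 2007.08.01 | - |
| Panda | 9.0.0.4 | 2007.08.01 | - |
| Prevx1 | V2 | 2007.08.01 | - |
| Rising | 19.34.22.00 | 2007.08.01 | - |
| Sophos | 4.19.0 | 2007.08.01 | - |
| Sunbelt | 2.2.907.0 | 2007.08.01 | - |
| Symantec | 10 | 2007.08.01 | - |
| TheHacker | 6.1.7.160 | 2007.08.01 | - |
| VBA32 | 3.12.2.2 | 2007.07.31 | - |
| VirusBuster | 4.3.26:9 | 2007.08.01 | - |
| Webwasher-Gateway | 6.0.1 | 2007.08.01 | - |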

Additional information
File size: 6656 bytes
MD5: 5469672259c2f6a1bc63b6e7520974f8
SHA1: a24b127c1ca517e3f258162323b9cda570997037
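
For anyone triaging this detection, the header rewrite that the posted source performs can be reproduced on an in-memory buffer with bounds checks, which makes it easy to confirm that only two fields per COFF section header change. This is an added example, not part of the original post or the ZSNES source; the names `coff_fix_sections`, `rd32` and `wr32` are hypothetical, and unlike objfix it skips an optional header if one is declared and rejects a section count that does not fit in the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const unsigned char *p)   /* little-endian 32-bit read */
{
 return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(unsigned char *p, uint32_t v) /* little-endian 32-bit write */
{
 p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Rewrites the section headers of a COFF object the way the posted objfix does.
   Returns the number of section headers rewritten, or -1 when the section
   table does not fit inside buf (truncated or malformed input). */
int coff_fix_sections(unsigned char *buf, size_t len)
{
 size_t nsect, opt, off, i;

 if (len < 20) return -1;                      /* 20-byte COFF file header */
 nsect = buf[2] | (size_t)buf[3] << 8;         /* NumberOfSections */
 opt = buf[16] | (size_t)buf[17] << 8;         /* SizeOfOptionalHeader, 0 in .obj files */
 off = 20 + opt;
 if (off > len || nsect > (len - off) / 40) return -1;

 for (i = 0; i < nsect; i++)
 {
  unsigned char *sh = buf + off + i * 40;      /* 40-byte section header */
  if (!strncmp((const char *)sh, ".bss", 8))
  {
   wr32(sh + 8, rd32(sh + 16));                /* VirtualSize = SizeOfRawData */
   wr32(sh + 16, 0);                           /* SizeOfRawData = 0 */
  }
  else wr32(sh + 8, 0);                        /* VirtualSize = 0 */
 }
 return (int)nsect;
}

int main(void)
{
 /* Constructed sample: file header plus one .bss section, SizeOfRawData = 0x40 */
 unsigned char obj[60] = {0x4c, 0x01, 1, 0};
 memcpy(obj + 20, ".bss", 4); obj[36] = 0x40;
 int n = coff_fix_sections(obj, sizeof obj);
 printf("sections=%d .bss VirtualSize=0x%x\n", n, (unsigned)rd32(obj + 28));
 return 0;
}
```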

DavidR

Re: False positive - OBJFIX.EXE
« Reply #1 on: August 02, 2007, 12:39:55 AM »
Send the sample to virus@avast.com zipped and password protected with password in email body and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.