Author Topic: False positive on an executable?


aimpau323

  • Guest
False positive on an executable?
« on: August 11, 2007, 07:24:22 PM »
I have a file here that was detected on my friend's PC (AVG) as a virus. When I scanned it with mine (avast!) and Spyware Terminator, it's not a virus nor spyware. I used VirusTotal and here's what it says:

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.9.2   2007.08.10   -
AntiVir   7.4.0.60   2007.08.10   -
Authentium   4.93.8   2007.08.11   -
Avast   4.7.1029.0   2007.08.10   -
AVG   7.5.0.476   2007.08.11   Generic5.JOW
BitDefender   7.2   2007.08.11   -
CAT-QuickHeal   9.00   2007.08.11   (Suspicious) - DNAScan
ClamAV   0.91   2007.08.11   -
DrWeb   4.33   2007.08.11   -
eSafe   7.0.15.0   2007.08.10   suspicious Trojan/Worm
eTrust-Vet   31.1.5050   2007.08.11   -
Ewido   4.0   2007.08.11   -
FileAdvisor   1   2007.08.11   -
Fortinet   2.91.0.0   2007.08.11   -
F-Prot   4.3.2.48   2007.08.10   -
F-Secure   6.70.13030.0   2007.08.11   -
Ikarus   T3.1.1.12   2007.08.11   OScope.Dialer.GMHA
Kaspersky   4.0.2.24   2007.08.11   -
McAfee   5095   2007.08.10   -
Microsoft   1.2704   2007.08.11   -
NOD32v2   2451   2007.08.11   -
Norman   5.80.02   2007.08.10   Suspicious_F.gen
Panda   9.0.0.4   2007.08.11   -
Prevx1   V2   2007.08.11   Generic.Malware
Rising   19.35.51.00   2007.08.11   -
Sophos   4.19.0   2007.08.01   Mal/Packer
Sunbelt   2.2.907.0   2007.08.11   VIPRE.Suspicious
Symantec   10   2007.08.11   -
TheHacker   6.1.7.166   2007.08.10   -
VBA32   3.12.2.2   2007.08.11   -
VirusBuster   4.3.26:9   2007.08.11   -
Webwasher-Gateway   6.0.1   2007.08.11   Win32.Malware.gen#FSG (suspicious)
Additional information
File size: 37481 bytes
MD5: fc61bdf4daa513cb17a25bc9e8ebb043
SHA1: 3dcc9b6ff7f6bab9a9b1d072f4dee7f395e611bf
packers: FSG
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=6208D39969EB7CA092BC00A06217CB005F5D1326
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
(sorry for the cut and paste)

avast!, McAfee, BitDefender and even Symantec did not detect this file as malicious, so that made me wonder if this is a false positive or if it really is a threat to life itself. What is Generic5.JOW, or the other names that are shown there?

This file was created about 2-4 months ago (I downloaded it) and it's been just 3 weeks on my PC. No changes or anything suspicious. I have Spyware Terminator, which guards against ANY registry alterations by any program. I got avast and updated it to the max. I also have an integrated AV (ClamAV) with my Spyware Terminator. I scanned my PC four times and no virus was detected. So, what am I dealing with?

Thanks!

aimpau323
avast! loyalist

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: False positive on an executable?
« Reply #1 on: August 11, 2007, 08:41:49 PM »
Well, quite a few scanners are suspicious of it. You could submit it for analysis at avast!, AntiVir, Bitdefender, DrWeb etc and see what sort of responses you get.

http://support.drweb.com/sendnew/

http://analysis.avira.com/samples/index.php

newvirus@kaspersky.com

virus_submission@bitdefender.com

virus@avast.com

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: False positive on an executable?
« Reply #2 on: August 11, 2007, 09:59:59 PM »
Seems a false positive of some antivirus...
The best things in life are free.

aimpau323

  • Guest
Re: False positive on an executable?
« Reply #3 on: August 12, 2007, 04:55:38 AM »
I think I may have the answer.  ;D However, check my explanation on this ok?

As we all know, viruses/malware ALTER files, right? This file that is under scrutiny actually does that!  ;D It's a patcher; it works by altering a file of a program. Probably the file structure of the said file matches certain file-altering viruses/malware and it is thus tagged suspicious by other AVs. We all know that AVs have their own heuristic methods of detecting malware/viruses, so probably they thought that this file maliciously alters files (which, really, is the reason I downloaded it. ;D)

Is my explanation valid?

Thanks!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: False positive on an executable?
« Reply #4 on: August 12, 2007, 05:44:22 PM »

aimpau323

  • Guest
Re: False positive on an executable?
« Reply #5 on: August 14, 2007, 11:29:29 AM »
I smell that you're not 101% convinced... :-[

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: False positive on an executable?
« Reply #6 on: August 14, 2007, 04:24:04 PM »
You can agree with an explanation, but that doesn't necessarily mean it is correct. The underlying issue is: is the detection on the file an FP when so many (9) think it suspicious, etc.?

Whilst most of those are likely to be using heuristics, probably not all of them are. I believe, as Frank suggested, it requires further investigation: submission for analysis.

Did you submit it to the sources Frank gave 3 days ago, and if so, what were the results?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

aimpau323

  • Guest
Re: False positive on an executable?
« Reply #7 on: August 17, 2007, 03:19:02 AM »
Yup. Did even better: I asked the file author himself, and he said that yes, some AVs would detect it as suspicious, and he even said that earlier definitions of avast would detect this as well. I don't see any changes on my PC, so I think everything is fine. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: False positive on an executable?
« Reply #8 on: August 17, 2007, 03:26:00 AM »
It might well be that someone sent it off for further analysis when it was detected by older avast signatures and it was subsequently removed. If you're happy, having sought further information from the author, then that is what is important.