Author Topic: False Positive - Win32:Monga [Trj]?  (Read 12199 times)


vitalbr

  • Guest
False Positive - Win32:Monga [Trj]?
« on: September 03, 2008, 01:34:02 AM »
I Said:
Avast (current version) alerts about Win32:Monga [trj] in file
hxxp://acclaim.solidstatenetworks.com/2moons_downloader_us_8-28-2008.exe

I did the communication about the trojan in the game 2moons forum hxxp://phpbb.acclaim.com/2moons/viewtopic.php?t=107970

hxxp://2moons.acclaim.com/download.htm
Look, this link is on the same server.

2Moons VGM said that:
"Only Avast! seems to detect a "trojan" when clearly there aren't any - other antivirus programs detect nothing. If you're downloading from the official Acclaim website, there's nothing to worry about."

What is the truth?

01/09/2008   17:06:53   1220299613   LOCAL SERVICE   1772   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 
01/09/2008   17:07:29   1220299649   Andrezao   3848   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 
01/09/2008   17:09:32   1220299772   LOCAL SERVICE   1772   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 
01/09/2008   17:10:02   1220299802   Andrezao   984   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 
01/09/2008   17:38:21   1220301501   Anderson   1232   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 
02/09/2008   20:18:04   1220397484   Anderson   3764   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file. 

« Last Edit: September 03, 2008, 03:45:56 AM by vitalbr »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89149
  • No support PMs thanks
Re: False Positive - Win32:Monga [Trj]
« Reply #1 on: September 03, 2008, 02:34:50 AM »
The DrWeb link checker doesn't find anything at the link you gave.

1. the download you downloaded from doesn't appear to be acclaim.com that I would guess they are talking about as the official acclaim web site ???

2. there really is only one way to check and that is by analysis. You would need to pause the web shield to be able to download it and take no action when the standard shield alerts (as it most likely will) when it is downloaded to your HDD.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89149
  • No support PMs thanks
Re: False Positive - Win32:Monga [Trj]
« Reply #2 on: September 03, 2008, 02:46:51 AM »
Update, OK I tried downloading this, twice actually, once without the web shield disabled and no alert by the standard shield, I repeated it with the web shield enabled and again no detections.

So what version of avast are you using, the latest versions are, program 4.8.1229, VPS 080902-0 ?

Using notepad, check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. Or the C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log file which is the data file where the info is stored.

Post the full details for this detection.
« Last Edit: September 03, 2008, 02:49:28 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
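
Added example (not part of the original posts, and not avast! code): a small parser for Warning.log detection lines of the kind posted in this thread, grouping them by signature and file so the full details can be reported in one go. The column layout is inferred from the lines shown on this page, dates are assumed to be day-first, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the two layouts posted in this thread: English with an
# epoch column, and the localized (Czech) layout without one.
SAMPLE_LOG = r'''
01/09/2008   17:06:53   1220299613   LOCAL SERVICE   1772   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file.
01/09/2008   17:07:29   1220299649   Andrezao   3848   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file.
02/09/2008   20:18:04   1220397484   Anderson   3764   Sign of "Win32:Monga [trj]" has been found in "E:\Downloads\2moons_downloader_us_8-28-2008.exe" file.
6.9.2008 21:49:13   XXX   1868   Virus "Win32:Monga [trj]" byl nalezen v souboru "D:\Hry\Pro evolution soccer 2008\PES08\PES2008.exe".
this line is not a detection record
'''

STAMP = re.compile(r"^(\d{1,2})[/.](\d{1,2})[/.](\d{4})\s+(\d{1,2}):(\d{2}):(\d{2})")
QUOTED = re.compile(r'"([^"]*)"')

def parse_line(line):
    """Return a detection dict, or None if the line is not a detection."""
    line = line.strip()
    stamp, quoted = STAMP.match(line), QUOTED.findall(line)
    if not stamp or len(quoted) < 2:
        return None
    day, month, year, hh, mm, ss = map(int, stamp.groups())  # assumed day-first
    # Columns before the first quote; the message wording is locale-dependent,
    # so only the positions of user and PID (just before it) are relied on.
    cols = re.split(r"\t+|\s{2,}", line[:line.index('"')].strip())
    if len(cols) < 4 or not cols[-2].isdigit():
        return None
    return {"when": datetime(year, month, day, hh, mm, ss), "user": cols[-3],
            "pid": int(cols[-2]), "signature": quoted[0], "path": quoted[1]}

def summarize(text):
    """Group detections by (signature, path): count, first/last seen, users."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "users": set()})
    for rec in filter(None, map(parse_line, text.splitlines())):
        g = groups[(rec["signature"], rec["path"])]
        g["count"] += 1
        g["first"] = min(g["first"] or rec["when"], rec["when"])
        g["last"] = max(g["last"] or rec["when"], rec["when"])
        g["users"].add(rec["user"])
    return dict(groups)

if __name__ == "__main__":
    for (sig, path), g in summarize(SAMPLE_LOG).items():
        print(f'{sig} | {path} | x{g["count"]} | {g["first"]} .. {g["last"]} | {sorted(g["users"])}')
```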

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Win32:Monga [Trj]
« Reply #3 on: September 03, 2008, 03:06:51 AM »
Please, edit the live link to malware or false positive (change http with hxxp, for instance).
The best things in life are free.

vitalbr

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #4 on: September 03, 2008, 03:51:13 AM »
I sent the file in e-mail.

hxxp://www.virustotal.com/pt/analisis/85a415f9c9b8c9c2880c13257cc5100b

AhnLab-V3    2008.9.3.0    2008.09.02    -
AntiVir    7.8.1.23    2008.09.02    -
Authentium    5.1.0.4    2008.09.03    -
Avast    4.8.1195.0    2008.09.02    Win32:Monga
AVG    8.0.0.161    2008.09.02    -
BitDefender    7.2    2008.09.03    -
CAT-QuickHeal    9.50    2008.09.02    (Suspicious) - DNAScan
ClamAV    0.93.1    2008.09.03    -
DrWeb    4.44.0.09170    2008.09.02    -
eSafe    7.0.17.0    2008.09.02    Suspicious File
eTrust-Vet    31.6.6064    2008.09.02    -
Ewido    4.0    2008.09.02    -
F-Prot    4.4.4.56    2008.09.03    -
F-Secure    8.0.14332.0    2008.09.02    -
Fortinet    3.14.0.0    2008.09.03    -
GData    19    2008.09.03    Win32:Monga
Ikarus    T3.1.1.34.0    2008.09.03    -
K7AntiVirus    7.10.437    2008.09.02    -
Kaspersky    7.0.0.125    2008.09.03    -
McAfee    5375    2008.09.02    -
Microsoft    1.3903    2008.09.03    -
NOD32v2    3409    2008.09.02    -
Norman    5.80.02    2008.09.02    -
Panda    9.0.0.4    2008.09.02    Suspicious file
PCTools    4.4.2.0    2008.09.02    -
Prevx1    V2    2008.09.03    Suspicious
Rising    20.60.11.00    2008.09.02    -
Sophos    4.33.0    2008.09.03    Sus/Spy-B
Sunbelt    3.1.1582.1    2008.09.02    VIPRE.Suspicious
Symantec    10    2008.09.03    -
TheHacker    6.3.0.8.070    2008.09.02    -
TrendMicro    8.700.0.1004    2008.09.02    -
VBA32    3.12.8.4    2008.09.02    -
ViRobot    2008.9.2.1361    2008.09.02    -
VirusBuster    4.5.11.0    2008.09.02    -
Webwasher-Gateway    6.6.2    2008.09.02    -
« Last Edit: September 03, 2008, 04:05:46 AM by vitalbr »
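
Added example (not part of the original posts, and not VirusTotal's own tooling): a triage helper for a pasted multi-engine result table like the one above, separating engines that name a specific family from those that only report a generic "suspicious" verdict. Two rules are assumptions of this example: the pattern that marks a label as heuristic, and counting identical names from different products as one opinion.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the result rows posted above
# (columns: engine, version, last update, result; "-" means no detection).
SAMPLE_REPORT = """
Avast    4.8.1195.0    2008.09.02    Win32:Monga
AVG    8.0.0.161    2008.09.02    -
CAT-QuickHeal    9.50    2008.09.02    (Suspicious) - DNAScan
eSafe    7.0.17.0    2008.09.02    Suspicious File
GData    19    2008.09.03    Win32:Monga
Kaspersky    7.0.0.125    2008.09.03    -
Prevx1    V2    2008.09.03    Suspicious
Sophos    4.33.0    2008.09.03    Sus/Spy-B
Sunbelt    3.1.1582.1    2008.09.02    VIPRE.Suspicious
Symantec    10    2008.09.03    -
"""

# Assumption of this example: labels containing "suspicious" (or starting with
# "Sus/") are generic heuristic verdicts, not a match on a specific family.
HEURISTIC = re.compile(r"suspicious|^sus/", re.IGNORECASE)

def parse_rows(text):
    """Yield (engine, result) from rows split by tabs or runs of 2+ spaces."""
    for line in text.splitlines():
        cols = re.split(r"\t+|\s{2,}", line.strip(), maxsplit=3)
        # The date column filters out header rows and stray text.
        if len(cols) == 4 and re.fullmatch(r"\d{4}\.\d{2}\.\d{2}", cols[2]):
            yield cols[0], cols[3].strip()

def triage(text):
    """Bucket engines into clean / heuristic / named, grouping identical names."""
    clean, heuristic, named = [], [], defaultdict(list)
    for engine, result in parse_rows(text):
        if result in ("", "-"):
            clean.append(engine)
        elif HEURISTIC.search(result):
            heuristic.append(engine)
        else:
            named[result].append(engine)
    return {"engines": len(clean) + len(heuristic) + sum(map(len, named.values())),
            "clean": clean, "heuristic": heuristic, "named": dict(named),
            # Identical names across products are counted as one opinion
            # (assumed to come from a shared signature set).
            "independent_named": len(named)}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```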

wyrmrider

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #5 on: September 03, 2008, 05:18:34 AM »
please send a copy here following these instructions
and a link to the virus total results
see
http://forum.avast.com/index.php?topic=34950.msg293451#msg293451,
how to report it to avast! and what to do to exclude them until the problem is corrected if you think a FP

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: False Positive - Win32:Monga [Trj]?
« Reply #6 on: September 03, 2008, 09:36:06 AM »
fixed internally.. will come out with next VPS update.

kendees

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #7 on: September 06, 2008, 11:00:10 AM »
I've the same problem, if I run Pro Evolution Soccer 2008 with kitserver.  :-[ I don't know what I can do. I've downloaded the new update of avast! and iAVS, too.  :-[ Still doesn't work, I just click on install in the setup of kitserver, and avast! warns me that there's a Win32:Monga [trj]. Please, don't kill me if I've given too little information about my problem, but I've never ever been there and I don't know much about it... I need professional help! I want to fix my problem and I want to play PES again! Tell me what you need or what I must do and I'll do it!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Win32:Monga [Trj]?
« Reply #8 on: September 06, 2008, 02:29:29 PM »
1. Check if you really have the latest VPS (virus database) update.
2. You need to use the Exclusion lists:

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning such as the screen-saver or the Simple User Interface):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be careful, you should 'exclude' that many files that let your system in danger.

kendees

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #9 on: September 06, 2008, 09:50:53 PM »
It doesn't work..  ??? Would I post LOG here or something? I don't know how, though..  ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Win32:Monga [Trj]?
« Reply #10 on: September 06, 2008, 09:54:31 PM »
> It doesn't work..  ??? Would I post LOG here or something? I don't know how, though..  ;D
Can you say what is the infected file name, where was it found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)

kendees

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #11 on: September 06, 2008, 10:04:26 PM »
Yes, I can.. I hope it could be like this!
6.9.2008 21:49:13   XXX   1868   Virus "Win32:Monga [trj]" byl nalezen v souboru "D:\Hry\Pro evolution soccer 2008\PES08\PES2008.exe".

avast! version 4.8 Home Edition
VPS: 080906-0, 06.09.2008

I have Czech language in avast, so maybe you don't understand, but it says that "...it was found in..."

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Win32:Monga [Trj]?
« Reply #12 on: September 06, 2008, 10:10:01 PM »
Is that file being shown as clean to VirusTotal ?
Yes, sometimes, Exclusion lists do not work... I don't know why... ???

kendees

  • Guest
Re: False Positive - Win32:Monga [Trj]?
« Reply #13 on: September 06, 2008, 10:15:17 PM »
http://www.virustotal.com/cs/analisis/40525807438b7a6c3abc50dfa0ebfef0

Antivirus     Version     Last update     Result
AhnLab-V3   2008.9.6.0   2008.09.06   -
AntiVir   7.8.1.28   2008.09.05   -
Authentium   5.1.0.4   2008.09.06   -
Avast   4.8.1195.0   2008.09.06   -
AVG   8.0.0.161   2008.09.05   -
BitDefender   7.2   2008.09.06   -
CAT-QuickHeal   9.50   2008.09.06   -
ClamAV   0.93.1   2008.09.06   -
DrWeb   4.44.0.09170   2008.09.06   -
eSafe   7.0.17.0   2008.09.03   -
eTrust-Vet   31.6.6072   2008.09.05   -
Ewido   4.0   2008.09.06   -
F-Prot   4.4.4.56   2008.09.06   -
F-Secure   8.0.14332.0   2008.09.06   -
Fortinet   3.112.0.0   2008.09.06   -
GData   19   2008.09.06   -
Ikarus   T3.1.1.34.0   2008.09.06   -
K7AntiVirus   7.10.443   2008.09.05   -
Kaspersky   7.0.0.125   2008.09.06   -
McAfee   5378   2008.09.05   -
Microsoft   1.3903   2008.09.06   -
NOD32v2   3423   2008.09.06   -
Norman   5.80.02   2008.09.05   -
Panda   9.0.0.4   2008.09.06   -
PCTools   4.4.2.0   2008.09.06   -
Prevx1   V2   2008.09.06   -
Rising   20.60.52.00   2008.09.06   -
Sophos   4.33.0   2008.09.06   -
Sunbelt   3.1.1610.1   2008.09.05   -
Symantec   10   2008.09.06   -
TheHacker   6.3.0.8.072   2008.09.04   -
TrendMicro   8.700.0.1004   2008.09.05   -
VBA32   3.12.8.5   2008.09.06   -
ViRobot   2008.9.5.1365   2008.09.06   -
VirusBuster   4.5.11.0   2008.09.06   -
Webwasher-Gateway   6.6.2   2008.09.05   -

Strange..  >:( maybe I didn't use right method.
« Last Edit: September 06, 2008, 10:17:03 PM by kendees »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: False Positive - Win32:Monga [Trj]?
« Reply #14 on: September 06, 2008, 10:17:05 PM »
Strange, does your computer recognize it as infected?
avast at VirusTotal returned clean ???