Author Topic: False positive: Win32:Agent-ZKA [Trj] detected in clean program

stamasd

  • Guest
False positive: Win32:Agent-ZKA [Trj] detected in clean program
« on: September 15, 2009, 01:57:56 AM »
Avast detects Win32:Agent-ZKA [Trj] in a program I know is clean. Said program is DC Tool GUI, an open source application used to upload/download binary files between a PC and a Dreamcast game console. It can be found here:
http://www.dcemu.co.uk/vbulletin/showthread.php?t=97389
http://dchelp.dcemulation.org/?dc-tool_GUI
and http://sbibuilder.free.fr/files/dev/dctool/dctoolgui/?N=D

I have submitted it as a false positive report today.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #1 on: September 15, 2009, 02:14:01 AM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

stamasd

  • Guest
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #2 on: September 15, 2009, 02:16:51 AM »
That's what I was just doing. Here's the report on setup.exe from version 2.0 of DC Tool GUI

http://www.virustotal.com/analisis/e940cc04e2a5635f36df4cc02868004bba70579e07f9028f2eaed41ac35a239e-1252973682

Antivirus     Version     Last Update     Result
a-squared   4.5.0.24   2009.09.15   -
AhnLab-V3   5.0.0.2   2009.09.14   -
AntiVir   7.9.1.14   2009.09.14   -
Antiy-AVL   2.0.3.7   2009.09.14   -
Authentium   5.1.2.4   2009.09.14   -
Avast   4.8.1351.0   2009.09.14   Win32:Agent-ZKA
AVG   8.5.0.412   2009.09.14   -
BitDefender   7.2   2009.09.15   -
CAT-QuickHeal   10.00   2009.09.14   -
ClamAV   0.94.1   2009.09.14   -
Comodo   2320   2009.09.15   -
DrWeb   5.0.0.12182   2009.09.15   -
eSafe   7.0.17.0   2009.09.14   -
eTrust-Vet   31.6.6737   2009.09.14   -
F-Prot   4.5.1.85   2009.09.14   -
F-Secure   8.0.14470.0   2009.09.13   -
Fortinet   3.120.0.0   2009.09.15   -
GData   19   2009.09.15   Win32:Agent-ZKA
Ikarus   T3.1.1.72.0   2009.09.14   -
Jiangmin   11.0.800   2009.09.14   -
K7AntiVirus   7.10.844   2009.09.14   -
Kaspersky   7.0.0.125   2009.09.15   -
McAfee   5741   2009.09.14   -
McAfee+Artemis   5741   2009.09.14   -
McAfee-GW-Edition   6.8.5   2009.09.14   -
Microsoft   1.5005   2009.09.14   -
NOD32   4425   2009.09.14   -
Norman   6.01.09   2009.09.14   -
nProtect   2009.1.8.0   2009.09.14   -
Panda   10.0.2.2   2009.09.14   -
PCTools   4.4.2.0   2009.09.14   -
Prevx   3.0   2009.09.15   -
Rising   21.47.04.00   2009.09.14   -
Sophos   4.45.0   2009.09.15   -
Sunbelt   3.2.1858.2   2009.09.15   -
Symantec   1.4.4.12   2009.09.15   -
TheHacker   6.3.4.4.404   2009.09.15   -
TrendMicro   8.950.0.1094   2009.09.14   -
VBA32   3.12.10.10   2009.09.14   -
ViRobot   2009.9.14.1934   2009.09.14   -
VirusBuster   4.6.5.0   2009.09.14   -
Additional information
File size: 3825713 bytes
MD5...: 534d59139e65f06ff0b6d08df3cfde46
SHA1..: 8a66656f49cc7eac182246e06298be6f0575d90f
SHA256: e940cc04e2a5635f36df4cc02868004bba70579e07f9028f2eaed41ac35a239e
ssdeep: 98304:iY5YltX6zvIN2IqbzgQwQa5fOlymhRQ1vK4Mj8d:iY5ZjIN+S5gZ4M6
PEiD..: -
RDS...: NSRL Reference Data Set: -
pdfid.: -
trid..: Inno Setup installer (96.7%)
Generic Win/DOS Executable (1.6%)
DOS Executable Generic (1.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Avast): UPX
packers (Kaspersky): UPX, UPX, UPX, UPX, UPX

stamasd

  • Guest
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #3 on: September 15, 2009, 02:19:55 AM »
Also, looks like the file that triggers Avast is not the executable file, but a dll. URL to follow.

(edit) Hmm, for some reason VirusTotal will not let me upload the dll

However, here's the result of dctool.dll from virscan:
http://www.virscan.org/report/1b46c1671073c2641515ff65a2ec5da6.html
« Last Edit: September 15, 2009, 02:27:15 AM by stamasd »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #4 on: September 15, 2009, 03:21:01 AM »
@ stamasd
Certainly looks like an FP; GData also uses avast as one of its two engines, so effectively only the one detection.

Once confirmed, avast are generally quick to correct it.
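The reasoning in the reply above (two hits, but GData rebrands the avast engine, so only one independent detection) can be applied mechanically to a pasted VirusTotal table. The following is an added example, not code from the thread or from Avast; the engine-sharing map and the report excerpt are assumptions constructed from the table in Reply #2.

```python
import re

# Constructed excerpt of the VirusTotal table pasted in Reply #2, same column
# layout: engine, version, last update, result ("-" means no detection).
SAMPLE_REPORT = """\
Antivirus     Version     Last Update     Result
AntiVir   7.9.1.14   2009.09.14   -
Avast   4.8.1351.0   2009.09.14   Win32:Agent-ZKA
BitDefender   7.2   2009.09.15   -
GData   19   2009.09.15   Win32:Agent-ZKA
Kaspersky   7.0.0.125   2009.09.15   -
Microsoft   1.5005   2009.09.14   -
"""

# Assumed map of vendors that license another vendor's engine (per the thread,
# GData is one of the products built on the avast engine).
SHARED_ENGINE = {"GData": "Avast"}


def parse_report(text):
    """Turn the pasted text table into (engine, result) pairs, skipping the header."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())   # columns are separated by 2+ spaces
        if len(cols) != 4 or cols[0] == "Antivirus":
            continue
        engine, _version, _date, result = cols
        rows.append((engine, result))
    return rows


def detections(rows):
    """Engines that returned a verdict other than '-'."""
    return {engine: result for engine, result in rows if result != "-"}


def independent_detections(rows):
    """Drop a hit when it merely repeats the verdict of the engine it is built on."""
    hits = detections(rows)
    independent = {}
    for engine, result in hits.items():
        upstream = SHARED_ENGINE.get(engine)
        if upstream is not None and hits.get(upstream) == result:
            continue   # same engine, same verdict name: not a second opinion
        independent[engine] = result
    return independent


def triage(text):
    """Summarise a report: how many engines scanned, hit, and hit independently."""
    rows = parse_report(text)
    indep = independent_detections(rows)
    return {"engines": len(rows), "raw_hits": len(detections(rows)),
            "independent_hits": len(indep), "single_engine_only": len(indep) == 1}
```

A single-engine-only result with every other vendor clean is the pattern the reply calls an FP; it is a prompt to submit the sample to that vendor, not proof the file is clean.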

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #5 on: September 15, 2009, 02:06:21 PM »
Thanks for the notice, FP will be fixed.

Milos

stamasd

  • Guest
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #6 on: September 16, 2009, 01:04:40 AM »
Thanks! Fixed as of today.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89160
  • No support PMs thanks
Re: False positive: Win32:Agent-ZKA [Trj] detected in clean program
« Reply #7 on: September 16, 2009, 02:18:44 AM »
Thanks for the feedback, I said it wouldn't take them long once confirmed ;D