VPS 0424-2 and Win32:Trojan-gen. {UPX!} - False Alarm?

[DavidR]

Hi guys,

I have noticed a number of posts relating to Win32:Trojan-gen. {UPX!} warnings.

I have been having a number of them relating to one file, every time I enter a folder it kicks off - I am certain that it is a false alarm since the file it mentions has been on my system for as long as I have had avast! 6 weeks.

The file is a self install exe file and that's is what it is alarming on and none of the programs files it installed only the self extracting exe.

Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\Downloads\Utilities\Install PC-Encrypt.exe" file.

I'm holding off sending it off to virus @ avast.com and see what happens on the next VPS update. This has only been happening since 0424-2 on 9/6/2004.

[silburnl]

I'm getting the same behaviour on a self-extracting zipfile with 427-0. But checking the file against Dr Web gives a clean bill of health and none of the extracted files register as infected, just the archive.

Is this still a problem for you? Did you send a sample in to Alwil?

Regards
Luke

[DavidR]

No.

1.  I basically ignored it, moving the file to a directory I don't scan and awaited the new VPS and program update, no problem after that.

2. having already installed the program, I deleted the program's setup self-extracting exe file. None of the files that were extracted had any sign of infection.

3. I didn't send the file to avast.

Your problem is similar, using an unpacker to look inside the .exe file, the wrong one possible, this could give a false positive. I believe that it is the exe file extension (assumed that it's exe) that is causing it to choose the wrong unpacker.

You don't say what program created the zipfile (if known), if you created it, downloaded it, its name and full path or when and how it was detected, etc.

Those more knowledgable will then be better able to help and avast hopefully correct.

[silburnl]

Sorry about the lack of gory details, the file in question was a self-extracting installer I downloaded last week for a demo of a game called ;'Laser Squad Nemesis'.

Currently its stored at:

C:\zzLuke_Downloads\zzMarked4Deletion\LSNinstall-FreeTrial-3-04.exe

I wasn't too worried as I've already installed the demo (which scanned clean) and, as the directory path indicates, I'm going to junk the file in my next spate of housecleaning.

It registered as infected when I ran a scan last night but I saw your comment on the board and decided to recheck it with an up-to-date virus definition (427-0) which I did this afternoon and it still registers as infected.

It weighs in at six megs though, so I didn't want to send it in to Anwil if they were already on top of things, hence my follow up to your post.

Regards
Luke

[DavidR]

Hi Luke,

As you say a bit large to email, that was one of the reasons I didn't send mine also.

It would appear there are still a few false positives related to the {UPX!} unpacker. The aditional activity on this thread will probably bring it into the light again. Perhaks Vlk or Pavel will see it.

Since you have installed the program as I did and no viruses were found in the installed files (or the double check with Dr Web, wise to double check) I think you can be fairly certain you are clear.

If you no longer need the install file you could archive it off to CD. Or move it to a folder and exclude that folder from checks.

David

[igor]

Do you happen to have a URL where the problematic installers can be downloaded?

[DavidR]

Hi Igor,

This is where my pc-encrypt installer came from http://www.pc-encrypt.com/_site/pce/download.mhtml

David

[RejZoR]

It appears to be FP. Kaspersky and RAV confirmed it OK (no malware).

[kareld]

Yes, both files are clean, it's a false alarm. It should be repaired in the next virus database update. Thank you for notice and URL.

[DavidR]

That's what I thought, thanks for the acknowlegement and info on the update fix.