uniextract autoit script, FP?

[ady4um]

Suddenly I received an autoit script VBS:Malware-gen dialog from Avast.

I'm using Avast Free 5.0.594, virus definitions 100731-0, Windows Vista Home Basic w/sp1 x86/x32 (have not installed sp2, but all other updates are installed).

I send the suspected file to the virus chest. The file is uniextract.exe , downloaded some time ago from:

 http://legroom.net/software/uniextract#download

and trying to redownload it from the "uniextract binary archive" option got me to another Avast dialog.

I have used this tool before - same original folder, same uniextract version. So I thought about the possibility of the file being infected by another virus in my system (which I don't know about it, yet), or this being a new false positive introduced recently in avast's virus definitions.

I would like Avast team to confirm if this is a FP.

I have the file in the virus chest, as I said before. Currently, I can't redownload the suspected file (avast stops the download, of course), and until I can confirm if this is a FP or if I really have some other malware in my system, I'd rather choose not to extract or restore the suspected file.

Since this situation prevents me from doing anything with the file, I would like to suggest adding the possibility to calculate hash numbers from within the chest, so I (Avast users) could send the hash to virustotal. This could potentially give some indication of the suspected file being a FP or not, without having to take a risk by extracting the file from the virus chest.

Please advice me about the specific file (whether is a FP or not), since I searched the forum and found old topics about autoit scripts and uniextract, but no recent topic.

In any case, I hope my suggestion is relevant. Thank you in advance.

[Asyn]

Report    2010-07-31 17:06:54 (GMT 1)
Website    legroom.net
Domain Hash    9b7a443fd0e17597845fcefd5ae0adda
IP Address    64.182.149.164 [SCAN]
IP Hostname    mail.legroom.net
IP Country    US (United States)
AS Number    27473
AS Name    CIHOST-CDC03 - C I Host
Detections    1 / 17 (6 %)
Status    SUSPICIOUS
      
Scanning site with:    hpHosts    DETECTED
(http://hosts-file.net/?s=legroom.net)


Report    2010-07-31 17:12:52 (GMT 1)
File Name    uniextract161-noinst-rar
File Size    5186991 bytes
File Type    Unknown file
MD5 Hash    949a20402c22a860d681b0b447244ec0
SHA1 Hash    e960091d203c84c6034c14a6146f8f4bb638b11a
Detections:   1 / 16 (6 %)
Status   INFECTED
Antivirus    Updated    Engine    Result

Avast    31/07/2010    5.0    VBS:Malware-gen

[ady4um]

Thank you for the info, specially for the hashes.

Since the suspected file is in my system already for some time now, and just 1 (avast) of 16 states this file has a virus, I assume this is a false positive.

Moreover, the following info is available at legroom forums since 2007:

 http://legroom.net/node/534/184

"...This affects all AutoIt programs, not just Universal Extractor. One suggestion they provide is to notify your AV vendor of the false positive. That way they can at least fix the issue in a future update."

The info is about another malware, not the one Avast states I have, but I suspect this info is relevant to my case too.

I guess this topic could be moved to the viruses and worms forum category, as it seems to be and old FP that "came back" in some recent virus definitions.

I hope to confirm if this is a false positive in the next few days with an update of the virus definitions.

Still, I think the suggestion to add the possibility to calculate hash codes to the virus chest is relevant. Alternatively, maybe someone could suggest a way to calculate the hash code of a file in the virus chest without extracting it from the virus chest itself.

Thank you in advance.

[Asyn]

1. Thank you for the info, specially for the hashes.
2. I hope to confirm if this is a false positive in the next few days with an update of the virus definitions.
3. Still, I think the suggestion to add the possibility to calculate hash codes to the virus chest is relevant.

1. You're welcome..!
2. You can send it to: virus (at) avast.com with the subject: possible FP
3. This should go to the wishlist here: http://forum.avast.com/index.php?topic=12640.0
asyn

[ady4um]

Thank you Asyn for you help. Regarding the huge wish list topic, I'm not sure adding a post to that particular topic is useful, after more than 120 pages. I will add some comment there anyway, but maybe someone could point me to a better category or method.

About sending the file by email, I would like to know if it is acceptable to send a link to the original "uniextract" file, the one posted at legroom, instead of the file I have in the virus chest.

The reason for this is that I don't use any "local" email client, just webmails. Hence, the option in the virus chest to "submit to virus lab" won't work in my system. If I'm wrong about this, please correct me.

In any case, I would like to know about sending the link to the virus lab, instead of an actual attached file.

Thank you in advance.

[Asyn]

1. Regarding the huge wish list topic, I'm not sure adding a post to that particular topic is useful, after more than 120 pages. I will add some comment there anyway, but maybe someone could point me to a better category or method.

2. Hence, the option in the virus chest to "submit to virus lab" won't work in my system. If I'm wrong about this, please correct me.

1. You can also contact avast here: http://www.avast.com/contacts
2. The file will be automatically submitted during the next update...
asyn

[ady4um]

2. The file will be automatically submitted during the next update...
asyn

Is this also true when I don't have a local email client configured? I don't use Outlook, Outlook Express, Windows Mail... I use only webmails. That's why I don't know if the function in the virus chest works in my case. I suppose the question really is: does this function depend on anything else than having Avast installed and an Internet connection?

BTW, after automatically updating the virus definitions, when I select the file in the virus chest list and scan it, now the result is "no virus". Does this mean the FP was resolved and I can securely restore the suspected file?

Thank you in advance.

[Asyn]

2. The file will be automatically submitted during the next update...
asyn

1. Is this also true when I don't have a local email client configured? I don't use Outlook, Outlook Express, Windows Mail... I use only webmails. That's why I don't know if the function in the virus chest works in my case.
2. I suppose the question really is: does this function depend on anything else than having Avast installed and an Internet connection?
3. BTW, after automatically updating the virus definitions, when I select the file in the virus chest list and scan it, now the result is "no virus". Does this mean the FP was resolved and I can securely restore the suspected file?

1. Yes. No email client needed...!
2. No. Thats all you need.
3. Seems so. If you feel unsafe about it, check it at: virustotal.com
asyn

[ady4um]

Asyn, thank you very much for all your replies and info.

About rechecking the file at virustotal, I thought there was an option to reevaluate a known hash, but the report was every time exactly the same, with "old" virus definitions. Maybe there is somewhere an option to update the report starting with the hash, but I didn't find it.

So finally I decided to restore the suspected file from the virus chest to its original folder. From there, I sent the file itself (as oppose as sending a hash code only) to virustotal, which again presented the same "old" results, but with the option to reevaluate the file with updated virus definitions.

Indeed, avast now reports no virus, 1 other antivirus still reports it as before, and 1 antivirus now reports it as having a virus that wasn't reporting it before.

So to be completely sure about the suspected file, I think I should have to watch it for a few days at least.

BTW, when restoring the suspected file from the virus chest, I searched avast help for this option, and something is not so clear IMHO. The avast help file states:

"Restore - this will move the file from the virus chest back to its original location."

Indeed the suspected file was restored, but the virus chest still has it listed. I'm not sure if the file still being part of the virus chest list is for "log" purpose only, or if actually there is a "copy" of the file in the virus chest. If the latter, then the restored file was not "moved", but "copied", and the user should decide when to actually deleted from the virus chest.

I don't have any idea how to check if the actual file is still in the virus chest, or if it is listed there for "log" purposes only. If anyone knows this, I'll be happy to check this 2 possibilities.

Thank you in advance.

[Asyn]

1. Asyn, thank you very much for all your replies and info.
2. So to be completely sure about the suspected file, I think I should have to watch it for a few days at least.

1. No problem..!
Alternatives to VT:
- Jotti http://virusscan.jotti.org/en
- VirSCAN http://www.virscan.org/
2. Good idea..!
asyn