Author Topic: Malicious Blocking From DDS download  (Read 6550 times)


Probzzie

  • Guest
Malicious Blocking From DDS download
« on: April 02, 2011, 09:26:42 PM »
hxxp://www.bleepingcomputer.com/download/anti-virus/dds
The download link here for the DDS scan is stating it is infected with Malware-gen (Win32). Is this a false positive or an unsafe place to download from?

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #1 on: April 02, 2011, 09:46:09 PM »
Seeing the StopZilla ad there, I would leave the site alone and never come back.  :P Also, what the heck is DDS antivirus?  ::)

spg SCOTT

  • Guest
Re: Malicious Blocking From DDS download
« Reply #2 on: April 02, 2011, 09:48:48 PM »
It is something similar to OTL if I remember correctly. Made by sUBs - the same as ComboFix...

File submitted to avast as FP
« Last Edit: April 02, 2011, 09:54:02 PM by spg SCOTT »

Probzzie

  • Guest
Re: Malicious Blocking From DDS download
« Reply #3 on: April 02, 2011, 09:54:16 PM »
I am after the DDS log program, and simply put "dds log download" into a search, and it came up with bleepingcomputer, which I have downloaded ComboFix from, so I was shocked to see a problem. Do you have a DDS link?

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #4 on: April 02, 2011, 09:59:10 PM »
Avast blocks DDS itself, apparently. Not interested in such stuff.

http://www.forospyware.com/sUBs/dds

DavidR

  • Avast Überevangelist
  • Posts: 89033
  • No support PMs thanks
Re: Malicious Blocking From DDS download
« Reply #5 on: April 02, 2011, 10:17:35 PM »
It is just that the file type is .scr to be able to run while avoiding blocking by malware, etc., and it does some things that your common or garden screen saver doesn't do. It isn't a digitally signed application, and the avast File System Shield (FSS), which runs the emulator process, would see this as suspect. Hence the Win32:Malware-gen, a generic signature that is designed to detect new, previously undetected variants. This is a fine balance between catching new variants and detecting good files.

So the file needs to be sent to avast for analysis.

See http://www.virustotal.com/file-scan/report.html?id=0ddc11aaaeadce0ba74dab32248f0549c2c88fe2a5c8531148312b06889d351b-1301775326; whilst there are a number of detections, avast and G Data (amounting to one) and the others are also suspicious/heuristic detections.
« Last Edit: April 02, 2011, 10:19:12 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #6 on: April 02, 2011, 10:24:41 PM »
> It is just that the file type is .scr to be able to run avoiding blocking malware, etc. and it does some things that your common or garden screen saver doesn't do.

The above is PIF, actually (my link).

DavidR
Re: Malicious Blocking From DDS download
« Reply #7 on: April 02, 2011, 10:27:57 PM »
I didn't check the link, but it is pretty much the same thing, trying to get round malware blocking, and would still have a packed executable inside.

Actually, it isn't a .pif; it has a double file type, .pif.txt, another obfuscation that just makes people suspicious of the file, and no doubt AVs too.
« Last Edit: April 02, 2011, 10:31:53 PM by DavidR »

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #8 on: April 02, 2011, 10:43:14 PM »
Well, to sum this up: I have not been able to find a single download in a decent, digitally signed format, let alone some versioning or checksums of this "product", let alone at least a semi-official homepage. I will stay away from that for sure. Offering an SCR, PIF or whatever randomized stuff is fine as a last-resort alternative, not a standard solution.

spg SCOTT

  • Guest
Re: Malicious Blocking From DDS download
« Reply #9 on: April 03, 2011, 11:22:21 AM »
dds.scr in my virus chest is now not detected.
110403-0

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #10 on: April 03, 2011, 11:55:51 AM »
> dds.scr in my virus chest is now not detected.
> 110403-0

Nor is the DDS.PIF; looks like it was fixed via a VPS update. Still, they should provide a standard executable (preferably signed as well).

P.S. On the previous point about DDS.PIF.TXT: no, it is downloaded as DDS.PIF. The TXT thing is what IE does with certain security settings, demoting the MIME type to a less dangerous one. (I could expand on that if you are really interested.)
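As an added illustration (not code from this thread, from DDS or from avast), a small Python triage helper for the points raised above: a PE image shipped under a .scr/.pif extension, a PE hiding behind a double extension such as .pif.txt, and a SHA-256 to compare against a published checksum or to look up on VirusTotal. The PE bytes it inspects are constructed for the demo and are not a real program.

```python
import hashlib
import struct
from pathlib import Path

# Extensions Windows will run directly even though they do not say ".exe".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}
# Extensions that promise non-executable content.
BENIGN_EXTENSIONS = {".txt", ".jpg", ".pdf", ".log"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_download(filename: str, data: bytes) -> dict:
    """Report what about this download would make a heuristic scanner (or a human) look twice."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    findings = []
    if is_pe_image(data):
        if not suffixes or suffixes[-1] not in EXECUTABLE_EXTENSIONS:
            findings.append("pe_behind_non_executable_extension")  # e.g. dds.pif.txt
        elif suffixes[-1] != ".exe":
            findings.append("pe_with_alternate_executable_extension")  # e.g. dds.scr, dds.pif
    if (len(suffixes) >= 2 and suffixes[-2] in EXECUTABLE_EXTENSIONS
            and suffixes[-1] in BENIGN_EXTENSIONS):
        findings.append("double_extension")
    # The hash is what you compare to a vendor checksum or submit for a second opinion.
    return {"file": filename, "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


def make_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40. Not runnable."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


if __name__ == "__main__":
    sample = make_fake_pe()
    for name in ("dds.exe", "dds.scr", "dds.pif.txt"):
        print(triage_download(name, sample))
    print(triage_download("readme.txt", b"just text"))
```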

DavidR
Re: Malicious Blocking From DDS download
« Reply #11 on: April 03, 2011, 03:23:21 PM »
Well, Scott and I uploaded it for analysis soon after this topic was created, and they are quick to correct an FP once confirmed.

With an anti-malware analysis tool, which is going to change constantly, I rather doubt that digital signing is going to be done. The idea of not using a standard executable is to prevent the malware from stopping it running, as they do with many other security applications and intercepts, etc. on .exe files.

The problem being, I didn't download it with IE but in Firefox, so it didn't tack on a .txt suffix to the dds.pif file. So I don't know where the .txt suffix came from. Weird.
« Last Edit: April 03, 2011, 03:27:09 PM by DavidR »

doktornotor

  • Guest
Re: Malicious Blocking From DDS download
« Reply #12 on: April 03, 2011, 03:34:06 PM »
> The problem being I didn't download it with IE but on firefox, so it didn't tack on a .txt suffix to the dds.pif file. So I don't know where the .txt suffix came from, weird.

FF takes some IE settings as well.