Author Topic: Is a virus or not?  (Read 6088 times)


Dzyszla

  • Guest
Is a virus or not?
« on: April 20, 2011, 08:18:54 PM »
Hi!
I have a small problem. I'm a software developer, and for one of my files (an installer made with InnoSetup) 25% of scanner engines report a virus (links below). Avast (I use it!) sees nothing. I wrote to MKS and asked them to test my file, but got no answer. How can I get any help and be sure that my files are not infected?

Links to results:
http://www.virustotal.com/file-scan/report.html?id=c6fe18fd13fb1f3f6c80ab458bb111e1e1b92355097ce72722482681a6c2e24a-1295895048
http://virusscan.jotti.org/pl/scanresult/1436893c135005fcc109d266c5d16db4fd993d93
http://virscan.org/report/8d012cf0df44555e8cdf283731c8ac1c.html

Link to file (click "Pobierz" on bottom of table):
hxxp://www.dzyszla.aplus.pl/download-4.html?verid=99
(Sorry, I can't attach the file here - size and extension limit)

Can somebody tell me where to send my file for testing?

PS. Sorry for my English ;)
« Last Edit: April 20, 2011, 11:18:48 PM by igor »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Is a virus or not?
« Reply #1 on: April 20, 2011, 08:56:06 PM »
Whilst you are sure this is clean, links to 'suspect' files should be broken to avoid accidental exposure, e.g. hXXp://www.dzyszla.aplus.pl/download-4.html?verid=99

For obvious reasons there is a limit to file types; the last thing a support forum wants is a malware sample (even if you think it clean) attached to the topic, as avast would alert in its own forum, blocking any assistance that could be given.

For some reason I can't get the VT results page.

Send the sample to virus (at) avast (dot) com, zipped and password protected, with the password in the email body; a link to this topic might help, and put false positive in the subject.

Or

Contact avast http://www.avast.com/contact-form.php?loadStyles - If you are reporting an FP, then you get another input field open; click the Browse button and navigate to the file you wish to submit.

Edit: is this the DekoderElektronika32Setup.exe file?
« Last Edit: April 20, 2011, 08:59:30 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Dzyszla

Re: Is a virus or not?
« Reply #2 on: April 20, 2011, 09:07:34 PM »
The link doesn't point directly to the file, but to a website where it can be downloaded, so I'm leaving a normal link :)

Yes, VT is down :(

Yes, this is the DekoderElektronika32Setup.exe file.

I can try to use the form, but can I do this if there is no FP result in avast for this file?
« Last Edit: April 20, 2011, 09:12:30 PM by Dżyszla »

Offline DavidR

Re: Is a virus or not?
« Reply #3 on: April 20, 2011, 09:25:33 PM »
OK, avast doesn't alert on this, so I don't see the purpose of sending it to avast?

You could still send an email as outlined in my last post but with Possible Undetected Malware in the subject

Dzyszla

Re: Is a virus or not?
« Reply #4 on: April 20, 2011, 09:32:59 PM »
OK, I send the file via email :) Thx for the help. :)

Offline DavidR

Re: Is a virus or not?
« Reply #5 on: April 20, 2011, 09:41:36 PM »
You're welcome.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Is a virus or not?
« Reply #6 on: April 20, 2011, 10:12:06 PM »
Hi Dżyszla,

Here the link you gave was scanned and found benign: http://wepawet.iseclab.org/view.php?hash=664451618500e067c359f683684a13fb&t=1303329149&type=js

Clean here: http://vscan.urlvoid.com/analysis/880c2b7c3d22588f7a08040c5f87e07b/ZG93bmxvYWQtNC1odG1s/

Benign here: hxtp://jsunpack.jeek.org/dec/go?report=73c8a463e7e708396205f54c963a5ae190e5267b
(visit sandboxed and with ample script protection)

Scanned url and I see nothing there, but check the google analytics code, it is suspicious...

regards,

polonus
« Last Edit: April 20, 2011, 11:11:03 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Is a virus or not?
« Reply #7 on: April 20, 2011, 10:26:47 PM »
Polonus,
it is not the URL that is the problem, but the "DekoderElektronika32Setup.exe" file that you will find there.

http://www.threatexpert.com/report.aspx?md5=99a0fef969955f519825b5d6a0dd40c3


http://www.virustotal.com/file-scan/report.html?id=c6fe18fd13fb1f3f6c80ab458bb111e1e1b92355097ce72722482681a6c2e24a-1303330989


sigcheck:
publisher....: D_yszlaSoft
copyright....: Dawid Najgiebauer
product......: Dekoder Elektronika
description..: Dekoder Elektronika Setup
original name: n/a
internal name: n/a
file version.: 3.2.0.99
comments.....: This installation was built with Inno Setup.
signers......: -
signing date.: -
verified.....: Unsigned

« Last Edit: April 20, 2011, 10:31:41 PM by Pondus »

Offline polonus

Re: Is a virus or not?
« Reply #8 on: April 20, 2011, 11:04:29 PM »
Hi Pondus,

Well I scanned the download link he gave and he now knows the status of that URL,
thanks for the real file information, and when we analyse further the KNOWN contents like this md5 (Kaspersky finds)
we land here:
http://www.threatexpert.com/report.aspx?md5=99a0fef969955f519825b5d6a0dd40c3
and for the second known md5 hash we get here: http://www.threatexpert.com/report.aspx?md5=99a0fef969955f519825b5d6a0dd40c3
and then here: http://www.virustotal.com/file-scan/report.html?id=c6fe18fd13fb1f3f6c80ab458bb111e1e1b92355097ce72722482681a6c2e24a-1303330989
and here: Team-CYMRU.org says 18% detected malware

Trojan.Swisyn is a nasty Trojan that you had better not get onto your computer. Trojan.Swisyn means a high risk of someone getting access to your machine without your approval or consent, and it will, upon install, run at every start-up...

polonus

Dzyszla

Re: Is a virus or not?
« Reply #9 on: April 20, 2011, 11:24:59 PM »
Hi Pondus, hi Polonus! :)

Yes, it's not a URL problem, but the file ;)

1. Most scanners don't recognize a virus there (Avast too).
2. Hm, I recompiled the suspicious file (KondensatoryElLit.dll) and right - same size, but different content...
But here is only the one file extracted from the installer: http://www.virustotal.com/file-scan/report.html?id=1d532d182e703d767a18bec457334f820d4037e0b237a79b01e0658f5ab76f33-1303334470 - 5/41 only...?

Edit:
I changed the file from the link in my first post and now it is clean! :) Thanks Pondus and Polonus for the help! You helped me a lot! Avast didn't recognize the danger :( I think the topic is closed :)
« Last Edit: April 20, 2011, 11:38:52 PM by Dżyszla »
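
An added example, not part of the original posts: one way to check a shipped build against a fresh rebuild from trusted sources, the situation in the reply above where the recompiled DLL had the same size but different content. It generalizes from that single DLL to two whole directory trees; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_tree(root):
    """Map each relative path under root to (size, sha256)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
            for p in root.rglob("*") if p.is_file()}

def compare_builds(shipped_dir, rebuilt_dir):
    """Classify each shipped file against the trusted rebuild."""
    shipped, rebuilt = index_tree(shipped_dir), index_tree(rebuilt_dir)
    report = {k: [] for k in ("identical", "same_size_different_content",
                              "different_size", "only_in_shipped")}
    for name in sorted(shipped):
        size, digest = shipped[name]
        if name not in rebuilt:
            report["only_in_shipped"].append(name)  # file the build never produced
        elif rebuilt[name][1] == digest:
            report["identical"].append(name)
        elif rebuilt[name][0] == size:
            # The case from the thread: size matches, bytes do not.
            report["same_size_different_content"].append(name)
        else:
            report["different_size"].append(name)
    report["only_in_rebuilt"] = sorted(set(rebuilt) - set(shipped))
    return report

def demo():
    """Run the comparison on constructed sample trees (not the real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        shipped.mkdir()
        rebuilt.mkdir()
        (shipped / "app.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (rebuilt / "app.exe").write_bytes(b"MZ" + b"\x00" * 62)
        (shipped / "plugin.dll").write_bytes(b"MZ" + b"\x41" * 62)
        (rebuilt / "plugin.dll").write_bytes(b"MZ" + b"\x42" * 62)
        (shipped / "extra.tmp").write_bytes(b"x")
        return compare_builds(shipped, rebuilt)
```

A rebuild can differ from the shipped file for benign reasons such as embedded build timestamps, so a same-size mismatch is a cue to inspect that file, not a verdict on it.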

Offline Pondus

Re: Is a virus or not?
« Reply #10 on: April 21, 2011, 01:13:10 AM »
SOPHOS analysis

Quote
SophosLabs has analyzed the submitted file(s) and determined they are not malicious and can safely be authorized.

DekoderElektronika32Setup.exe -- can be authorised

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: Is a virus or not?
« Reply #11 on: April 21, 2011, 07:36:49 AM »
Hello,
the file looks clean.

Milos

Offline Pondus

Re: Is a virus or not?
« Reply #12 on: April 21, 2011, 10:08:59 AM »
uploaded to Avira as a FP case


Quote
The file 'DekoderElektronika32Setup.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Swisyn.alys. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.01.80.
« Last Edit: April 21, 2011, 10:11:09 AM by Pondus »

Offline Pondus

Re: Is a virus or not?
« Reply #13 on: April 21, 2011, 12:02:16 PM »
Norman analysis

Quote
DekoderElektronika32Setup.exe : Not added, clean file


so Norman / Sophos / avast (milos) say clean
Avira says malware?

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
Re: Is a virus or not?
« Reply #14 on: April 21, 2011, 12:24:40 PM »
uploaded to Avira as a FP case

Could you please give me the file ID as I highlighted in the screenshot?
Twitter: OmidFarhangEn - OS: Manjaro KDE