
Virus suspected in XP_INST_v04.7z


30 replies to this topic

#1
DigitalJ

DigitalJ
  • Member
  • 4 posts
  • Joined 07-February 10

Try to open the .ima inside XP_INST_v04.7z (XP_INST.IMA) with 7-zip....
My 7-zip (4.65 x64) is unable to open the .IMG file.
I get an error "Can't open XP_INST.IMA as archiv." Did we find an x64 bug of 7-zip? ;)
OK, that's the wrong board for this type of error :D


Looks like Exploit.Win32.IMG-WMF.bts got into it!

More info here:

http://www.sunbeltse...B0C3F2AF3BD1691

Is somebody here trying to play games?



#2
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified

Looks like Exploit.Win32.IMG-WMF.bts got into it!

More info here:

http://www.sunbeltse...B0C3F2AF3BD1691

Is somebody here trying to play games?

Yep, you got us ;)
We got bored and decided to infect with a deadly virus whoever gets curious enough to download that attachment. :ph34r:

Seriously, before throwing such questions in such a manner, check online with multiple virus scanners:
virusscan.jotti.org
virustotal.com

Next, inform your antivirus vendor of a false positive. If more antivirus programs detect the file in question as a virus, inform the developer politely. On sites such as msfn.org, it's quite unlikely that someone would intentionally put a virus in the program posted.

Install Windows from USB, boot Linux, multiboot and a lot more with WinSetupFromUSB


#3
DigitalJ

DigitalJ
  • Member
  • 4 posts
  • Joined 07-February 10

Looks like Exploit.Win32.IMG-WMF.bts got into it!

More info here:

http://www.sunbeltse...B0C3F2AF3BD1691

Is somebody here trying to play games?

Yep, you got us ;)
We got bored and decided to infect with a deadly virus whoever gets curious enough to download that attachment. :ph34r:

Seriously, before throwing such questions in such a manner, check online with multiple virus scanners:
virusscan.jotti.org
virustotal.com

Next, inform your antivirus vendor of a false positive. If more antivirus programs detect the file in question as a virus, inform the developer politely. On sites such as msfn.org, it's quite unlikely that someone would intentionally put a virus in the program posted.


I wish it had been just a false positive - the system went nuts and I had to reinstall!

And since there was no other suspect in sight - yep, maybe I did get something...

#4
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,676 posts
  • Joined 23-July 04
  • OS:none specified

I wish it had been just a false positive - the system went nuts and I had to reinstall!

And since there was no other suspect in sight - yep, maybe I did get something...


I don't get it. :blink:

EITHER:
the referenced file is reported as infected by an antivirus
OR:
it doesn't.

If your system blew up while only your cat was in the room, it doesn't necessarily mean that curiosity killed the cat system.

And now, just for the record, and for no logical apparent reason, a picture of a cat:

Posted Image

jaclaz

#5
DigitalJ

DigitalJ
  • Member
  • 4 posts
  • Joined 07-February 10
Well, I don't quite understand why some people get so defensive: you are either serious and admit that maybe there is a problem, not necessarily a mental health one of other(s), and try to discuss it seriously.

Or otherwise try to downplay the matter by throwing "jokes".

The really serious thing here is that there might be a problem somewhere - it might be with the file server that holds the archives (all 1.0 betas had issues), not necessarily with their author(s).

But it might also be elsewhere - maybe with that poor kitten!

#6
cdob

cdob

    MSFN Expert

  • Member
  • 1,000 posts
  • Joined 29-September 05

The really serious thing here is that there might be a problem somewhere

Did you check the file at virusscan.jotti.org and virustotal.com?
http://www.virustota...0154-1265529826
Zero scanners report anything in the image.
Which file should contain the wmf exploit? BTW, there is not a single wmf included.

Reports are taken seriously, but there is no proof so far.
The problem is on one machine so far. There may be another reason, not the mentioned file.

#7
DigitalJ

DigitalJ
  • Member
  • 4 posts
  • Joined 07-February 10
No, I didn't check with the AV sites you mentioned - one part of the problem is that if I leave my AV to do its thing it cleans the downloaded archives and they can't be opened (7-zip complaint).

I disabled the AV only to get them down, 7-zip was ok with them, used last beta, and so I got it!

But I powered off the system in the middle of something (there were already some weird things going on) and on power on it became evident that there is a problem, even the simplest thing, like double clicking "My Documents" or "My Computer", didn't work as expected, due probably to registry inconsistencies - did I tell you I powered off the system in the middle of something?

I could have submitted the archives to AV sites, but another part of the problem is that this kind of site can be used for malware optimization too - bad guys just submit their "work" themselves until they get "AV clearance", so to speak.

#8
cdob

cdob

    MSFN Expert

  • Member
  • 1,000 posts
  • Joined 29-September 05

I disabled the AV only to get them down, 7-zip was ok with them, used last beta, and so I got it!

Can you clarify: what did you do?
Did you run 7-zip beta and open the floppy archive XP_INST.IMA?
Did you extract any file?
Did you run any extracted application?

But I powered off the system in the middle of something (there were already some weird things going on) and on power on it became evident that there is a problem, even the simplest thing, like double clicking "My Documents" or "My Computer", didn't work as expected, due probably to registry inconsistencies - did I tell you I powered off the system in the middle of something?

Well, this may be a file system corruption or registry corruption.
There may be malware involved or not. Malware may already be active, before downloading XP_INST_v04.7z.
Hardware failure is another possible cause.

I could have submitted the archives to AV sites, but another part of the problem is that this kind of site can be used for malware optimization too - bad guys just submit their "work" themselves until they get "AV clearance", so to speak.

What do you suggest instead now?

#9
03GrandAmGT

03GrandAmGT

    Forging Onwards

  • Member
  • 274 posts
  • Joined 13-February 05
  • OS:none specified
So why trust anything including the great site of MSFN. ;) As cdob mentioned, this could have been a serious file or registry corruption, and by just instantly shutting your system down as you described you have more than likely fubared the whole thing, where a system re-install will probably be needed.
JD

#10
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,676 posts
  • Joined 23-July 04
  • OS:none specified
Let me try to rephrase (I assure you that I am serious, really, really serious :yes: ).

You are of course perfectly free not to believe my word for it, but I can assure you that:
  • MSFN and this particular group of developers of the "Install windows from USB" are not part of an evil plot to infect anything/anyone
  • AV firms are not so gullible as to UNmark a supposed "false positive" without having thoroughly checked the reports and the files involved

It is possible that a file gets infected for a number of reasons, we are trying proactively to understand if this happened on the source file or if your report is attributing the problem you experienced to "our" file incorrectly.

To do this we need the information asked below:
  • WHAT Antivirus are you using?
  • Are you sure that that particular antivirus reported the file as infected?
  • WHICH file, the whole .7z archive or the .ima inside it?

In order to be able to check your report and do corrective actions, if needed.

Again, this is binary, 0/1, or ON/OFF:
EITHER:
you give us the needed info in order for us to double check everything and take consequent corrective actions
OR:
you don't and we cannot but tag your report as unverifiable and dismiss it

jaclaz

#11
Sp0iLedBrAt

Sp0iLedBrAt

    MSFN Addict

  • MSFN Sponsor
  • 1,727 posts
  • Joined 19-March 09
  • OS:XP Pro x86
setup.ex_ from WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\ is reported as TR/Expl.IMG-WMF.bts Trojan by Antivir Personal. VirusTotal shows that only 2 products recognize it as a threat (Avira is not one of them???).

I have taken the liberty of submitting it for inspection as a false positive.

Edited by Sp0iLedBrAt, 08 February 2010 - 05:30 AM.


#12
Yzöwl

Yzöwl

    Wise Owl

  • Super Moderator
  • 4,557 posts
  • Joined 13-October 04
  • OS:Windows 7 x64

Donator

My system (MSE), found nothing so I uploaded it to novirusthanks

Here's what I got back:

File Info

Report date: 8.2.2010 at 14.39.19 (GMT 1)
File name: XP_INST.IMA
File size: 1474560 bytes
MD5 Hash: 7c8b0f32d613d4c5a8ebe4ac2e8c6593
SHA1 Hash: 36A14B9C9599056F9E24CA7E258C6A2B8E694A0E
File inspector: File is possible binded with malware
Detection rate: 0 on 20
Status: CLEAN

Detections

a-squared - -
Avira AntiVir - -
Avast - -
AVG - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
F-PROT6 - -
G-Data - -
Ikarus T3 - -
Kaspersky - -
McAfee - -
NOD32 - -
Panda - -
Solo Antivirus - -
Sophos - -
TrendMicro - -
VBA32 - -
VirusBuster - -

Scan report generated by
NoVirusThanks.org

It looks fine to me!

#13
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified

setup.ex_ from WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\ is reported as TR/Expl.IMG-WMF.bts Trojan by Antivir Personal. VirusTotal shows that only 2 products recognize it as a threat (Avira is not one of them???).

I have taken the liberty of submitting it for inspection as a false positive.

Now even more AV detect it:
http://www.virustota...229d-1265653509

which is not unusual, as AV vendors share signatures. The file is the same as in XP_INST.IMA, only cab compressed, just hex compared them in case there was something wrong on my side.

I will also send emails to a few AV vendors for reanalyzing.



#14
Yzöwl

Yzöwl

    Wise Owl

  • Super Moderator
  • 4,557 posts
  • Joined 13-October 04
  • OS:Windows 7 x64

Donator

I hope this will help you tie it down:

\SETUP\I386\SETUP.EXE

VirSCAN.org Scanned Report :
Scanned time : 2010/02/08 20:26:49 (GMT)
Scanner results: 25% Scanner(s) (9/36) found malware!
File Name : SETUP.EXE
File Size : 6144 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 30275fc3df5b5c2f1d2e72250b820706
SHA1 : 897edcdce86eb4a1dcd1b6403594bada4263219b
Online report : http://virscan.org/r...3d2814d8d4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100209031127 2010-02-09 4.35 Exploit.Win32.IMG-WMF!IK
AhnLab V3 2010.02.08.00 2010.02.08 2010-02-08 1.02 -
AntiVir 8.2.1.160 7.10.3.240 2010-02-08 0.54 TR/Expl.IMG-WMF.bts
Antiy 2.0.18 20100201.3785967 2010-02-01 0.02 -
Arcavir 2009 201002081449 2010-02-08 0.03 -
Authentium 5.1.1 201002081158 2010-02-08 1.27 -
AVAST! 4.7.4 100208-1 2010-02-08 0.00 -
AVG 8.5.720 271.1.1/2660 2010-02-01 5.17 -
BitDefender 7.81008.5034554 7.30286 2010-02-09 5.15 -
ClamAV 0.95.3 10365 2010-02-08 0.01 -
Comodo 3.13.579 3409 2010-02-08 1.09 -
CP Secure 1.3.0.5 2010.02.09 2010-02-09 0.03 -
Dr.Web 5.0.1.12222 2010.02.09 2010-02-09 5.16 -
F-Prot 4.4.4.56 20100208 2010-02-08 1.28 -
F-Secure 7.02.73807 2010.02.08.13 2010-02-08 9.81 Exploit.Win32.IMG-WMF.bts [AVP]
Fortinet 11.473- 11.473 2010-02-08 0.20 -
GData 19.10387/19.739 20100208 2010-02-08 8.46 Exploit.Win32.IMG-WMF.bts [Engine:A]
ViRobot 20100208 2010.02.08 2010-02-08 0.49 -
Ikarus T3.1.01.80 2010.02.08.75140 2010-02-08 4.48 Exploit.Win32.IMG-WMF
JiangMin 13.0.900 2010.02.08 2010-02-08 6.66 -
Kaspersky 5.5.10 2010.02.08 2010-02-08 0.06 Exploit.Win32.IMG-WMF.bts
KingSoft 2009.2.5.15 2010.2.8.17 2010-02-08 0.56 -
McAfee 5.3.00 5886 2010-02-08 3.50 Generic Exploit!s
Microsoft 1.5406 2010.02.08 2010-02-08 7.29 -
Norman 6.01.09 6.01.00 2010-02-08 4.00 -
Panda 9.05.01 2010.02.08 2010-02-08 5.60 -
Trend Micro 9.120-1004 6.834.06 2010-02-08 0.03 -
Quick Heal 10.00 2010.02.08 2010-02-08 1.43 -
Rising 20.0 22.34.00.04 2010-02-08 1.42 -
Sophos 3.04.1 4.50 2010-02-09 3.47 -
Sunbelt 3.9.2400.2 5663 2010-02-07 2.89 Trojan.Win32.Generic!BT
Symantec 1.3.0.24 20100201.009 2010-02-01 0.03 -
nProtect 20100207.01 7182772 2010-02-07 8.82 -
The Hacker 6.5.1.1 v00183 2010-02-08 0.82 -
VBA32 3.12.12.1 20100207.2056 2010-02-07 2.51 Exploit.Win32.IMG-WMF.bts
VirusBuster 4.5.11.10 10.119.45/2024198 2010-02-08 2.50 -


\SETUP\I386\setup_dbg.exe

VirSCAN.org Scanned Report :
Scanned time : 2010/02/08 20:24:38 (GMT)
Scanner results: 17% Scanner(s) (6/36) found malware!
File Name : setup_dbg.exe
File Size : 6144 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : b0906d0908fdf03aedee6900785ed082
SHA1 : 5a9f3c8f3cca8be8fd6704c90cd5eded6bd34f26
Online report : http://virscan.org/r...03fd97d45d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100209031127 2010-02-09 6.83 Exploit.Win32.IMG-WMF!IK
AhnLab V3 2010.02.08.00 2010.02.08 2010-02-08 1.10 -
AntiVir 8.2.1.160 7.10.3.240 2010-02-08 0.09 -
Antiy 2.0.18 20100201.3785967 2010-02-01 0.02 -
Arcavir 2009 201002081449 2010-02-08 0.03 -
Authentium 5.1.1 201002081158 2010-02-08 1.41 -
AVAST! 4.7.4 100208-1 2010-02-08 0.00 -
AVG 8.5.720 271.1.1/2660 2010-02-01 5.19 -
BitDefender 7.81008.5034554 7.30286 2010-02-09 5.16 -
ClamAV 0.95.3 10365 2010-02-08 0.01 -
Comodo 3.13.579 3409 2010-02-08 1.28 -
CP Secure 1.3.0.5 2010.02.09 2010-02-09 0.03 -
Dr.Web 5.0.1.12222 2010.02.09 2010-02-09 5.17 -
F-Prot 4.4.4.56 20100208 2010-02-08 1.28 -
F-Secure 7.02.73807 2010.02.08.13 2010-02-08 0.10 Exploit.Win32.IMG-WMF.btt [AVP]
Fortinet 11.473- 11.473 2010-02-08 0.22 -
GData 19.10387/19.739 20100208 2010-02-08 6.29 Exploit.Win32.IMG-WMF.btt [Engine:A]
ViRobot 20100208 2010.02.08 2010-02-08 0.42 -
Ikarus T3.1.01.80 2010.02.08.75140 2010-02-08 4.50 Exploit.Win32.IMG-WMF
JiangMin 13.0.900 2010.02.08 2010-02-08 13.02 -
Kaspersky 5.5.10 2010.02.08 2010-02-08 0.06 Exploit.Win32.IMG-WMF.btt
KingSoft 2009.2.5.15 2010.2.8.17 2010-02-08 7.87 -
McAfee 5.3.00 5886 2010-02-08 3.56 -
Microsoft 1.5406 2010.02.08 2010-02-08 8.32 -
Norman 6.01.09 6.01.00 2010-02-08 4.01 -
Panda 9.05.01 2010.02.08 2010-02-08 2.28 -
Trend Micro 9.120-1004 6.834.06 2010-02-08 0.03 -
Quick Heal 10.00 2010.02.08 2010-02-08 1.34 -
Rising 20.0 22.34.00.04 2010-02-08 0.49 -
Sophos 3.04.1 4.50 2010-02-09 3.20 -
Sunbelt 3.9.2400.2 5663 2010-02-07 3.25 -
Symantec 1.3.0.24 20100201.009 2010-02-01 0.01 -
nProtect 20100207.01 7182772 2010-02-07 5.54 -
The Hacker 6.5.1.1 v00183 2010-02-08 0.40 -
VBA32 3.12.12.1 20100207.2056 2010-02-07 2.50 Exploit.Win32.IMG-WMF.bts
VirusBuster 4.5.11.10 10.119.45/2024198 2010-02-08 2.48 -
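
As an added example (not part of the original post, and not code from MSFN or any AV vendor): the Python sketch below parses rows in the VirSCAN layout quoted above and groups the detections by family name, which shows how the nine SETUP.EXE hits reduce to one shared IMG-WMF name plus two generic heuristics, consistent with ilko_t's remark that AV vendors share signatures. The `NOISE` stoplist and the `family` heuristic are assumptions made for this report's naming styles.

```python
import re
from collections import defaultdict

# Excerpt of the SETUP.EXE VirSCAN rows quoted in the post above:
# all nine detecting engines plus three clean rows, copied verbatim.
REPORT = """\
a-squared 4.5.0.8 20100209031127 2010-02-09 4.35 Exploit.Win32.IMG-WMF!IK
AhnLab V3 2010.02.08.00 2010.02.08 2010-02-08 1.02 -
AntiVir 8.2.1.160 7.10.3.240 2010-02-08 0.54 TR/Expl.IMG-WMF.bts
F-Secure 7.02.73807 2010.02.08.13 2010-02-08 9.81 Exploit.Win32.IMG-WMF.bts [AVP]
GData 19.10387/19.739 20100208 2010-02-08 8.46 Exploit.Win32.IMG-WMF.bts [Engine:A]
Ikarus T3.1.01.80 2010.02.08.75140 2010-02-08 4.48 Exploit.Win32.IMG-WMF
Kaspersky 5.5.10 2010.02.08 2010-02-08 0.06 Exploit.Win32.IMG-WMF.bts
McAfee 5.3.00 5886 2010-02-08 3.50 Generic Exploit!s
Microsoft 1.5406 2010.02.08 2010-02-08 7.29 -
Sunbelt 3.9.2400.2 5663 2010-02-07 2.89 Trojan.Win32.Generic!BT
The Hacker 6.5.1.1 v00183 2010-02-08 0.82 -
VBA32 3.12.12.1 20100207.2056 2010-02-07 2.51 Exploit.Win32.IMG-WMF.bts
"""

# The signature date and scan time are the only fixed-shape columns, so
# anchor on them; scanner names and results may both contain spaces.
ROW = re.compile(r"^(?P<head>.+?)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
                 r"(?P<secs>\d+\.\d+)\s+(?P<result>.+)$")

# Tokens that describe type or platform rather than a malware family
# (assumed stoplist, sufficient for the names in this report).
NOISE = {"exploit", "expl", "tr", "trojan", "win32", "generic"}


def parse_rows(text):
    """Return one dict per report row; result is None for a clean ('-') row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        parts = m.group("head").split()
        if len(parts) < 3:
            continue  # need scanner name + engine version + signature version
        result = m.group("result").strip()
        rows.append({"scanner": " ".join(parts[:-2]),
                     "sig_date": m.group("date"),
                     "result": None if result == "-" else result})
    return rows


def family(result):
    """Reduce a detection name to (family, variant); 'generic' if no family."""
    base = re.sub(r"\s*\[[^\]]*\]$", "", result)  # drop engine tag like [AVP]
    base = re.sub(r"![A-Za-z0-9]+$", "", base)    # drop suffix like !IK
    kept = [t for t in re.split(r"[./\s]+", base)
            if t and t.lower() not in NOISE]
    if not kept:
        return ("generic", None)
    return (kept[0].upper(), kept[1].lower() if len(kept) > 1 else None)


def cluster(rows):
    """Map family name -> scanners reporting it (detections only)."""
    groups = defaultdict(list)
    for r in rows:
        if r["result"]:
            groups[family(r["result"])[0]].append(r["scanner"])
    return dict(groups)
```

Seven engines reporting the same family name are not seven independent verdicts, so the family count is a better input to a false-positive decision than the raw engine ratio.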



#15
jaclaz

jaclaz

    The Finder

  • Developer
  • 14,676 posts
  • Joined 23-July 04
  • OS:none specified
In any case it is a "low profile" trojan, it simply cannot have created the havoc DigitalJ reported.

I mean, as a reductio ad absurdum:
http://en.wikipedia....tio_ad_absurdum

Let's assume that the file is actually infected by that thingy :ph34r:

If the Antivirus detects it, good, it deletes or cleans the file and no harm is done.

If the Antivirus does not detect it, to trigger it you ADDITIONALLY need to either:
  • visit malicious web site containing a specially crafted WMF file
  • view malicious WMF file (locally or network share)
  • open email containing malicious WMF

http://www.f-secure....t.shtml#details

Summary
W32/PFV-Exploit is detection for files containing exploit for vulnerability in Windows WMF (Windows Metafile) handling. The vulnerability may be exploited by the attacker locally or remotely if the user is tricked to view a specially crafted WMF file.
Detailed Description


A new exploit for vulnerability in Windows Metafile handling was found in the wild on December 28th 2005. The vulnerability may be exploited by the attacker locally or remotely if the user is tricked to view a specially crafted WMF file. Possible attack scenarios are:

When user visits malicious web site containing a specially crafted WMF file
When user views malicious WMF file (locally or network share)
When user opens email containing malicious WMF


If triggered it is a "data stealer" kind of trojan, this kind of things are meant to run without the user noticing it.

So I doubt that even IF the file is infected, it can have provoked the reported crash, something else must have been the origin.

jaclaz

#16
cluberti

cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,252 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
It seems like this has been flagged as a virus by some engines, but not all, we'll all have to hold off to make sure we know for sure if the file is, or is not, infected with a virus or if a false positive is possible.

By the way, anyone can submit samples to most A/V vendors (there are usually instructions for each on their respective pages) and get a response within about 24 - 48 hours, depending on vendor. The file has been submitted to AVG, McAfee, Symantec, and Microsoft for analysis, and from there we'll see.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#17
cdob

cdob

    MSFN Expert

  • Member
  • 1,000 posts
  • Joined 29-September 05
If it helps the A/V vendors to solve the matter:
the integrated file \setup\src\setup.c contains the source code

#18
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified
Got response from VBA32, at last, still expecting from several of the major vendors, strangely, response time is quite slow.
Kaspersky removed it from their signatures a while ago, although didn't respond to the emails.

On Sun, 21 Feb 2010 10:06:30 -0800
> The attached 2 files are incorrectly detected as
> Win32/TrojanDownloader.Agent. These are legitimate files, source code
> is included. Password for the archive is 'infected'. Files source and
> description:
> http://www.msfn.org/...rivers-from-cd/
>
> Please reanalyze and remove from virus signatures.

Hi,

FP will be fixed in one of the nearest updates.

Thank you in advance.

--
Regards, Mikhail S. Pobolovets
VirusBlokAda Ltd., Minsk, Belarus
http://www.anti-virus.by/en/




#19
class101

class101

    Newbie

  • Member
  • 20 posts
  • Joined 14-November 09
Sophos 9 reports \WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\setup.exe & setup_dbg.exe as Mal/Generic-A

But I think it's much about a false warning; I don't get suspect activities here, and Sophos usually detects a lot of stuff not supposed to be on an enterprise computer

Edited by class101, 24 February 2010 - 08:18 AM.

Microsoft Partner, BizSpark Admin
An open-source bayesian antispam that integrates in Thunderbird ^

#20
cdob

cdob

    MSFN Expert

  • Member
  • 1,000 posts
  • Joined 29-September 05

Sophos 9 reports \WinSetup-1-0-beta4\files\winsetup\PyronSetup\i386\setup.exe & setup_dbg.exe

But I think it's much about a false warning

I'm convinced it's a false warning.


How to checkout/compile with Git/MinGW the latest Qemu-0.11.x on Windows

Feel free to compile setup.c at MinGW too.

#21
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified
Another response, few weeks later, from GData:

Dear customer,

thank you for your request.

The 2 files you sent to us are no longer detected as virus.

Please update your virus signatures.

Please refer your ticket-number 0000477284 when contacting us again regarding this matter.

With best regards

G Data-ServiceTeam

G Data Service GmbH * Königsallee 178a
D-44799 Bochum, Germany * http://www.gdata.uk




#22
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified
Respect to the response time from Avira, 3 months and a half later :w00t:

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00450039.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
25587751 setup_dbg.ex_ 2.45 KB CLEAN


Please find a detailed report concerning each individual sample below:
Filename Result
setup_dbg.ex_ CLEAN

The file 'setup_dbg.ex_' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.


Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00450038.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
25587750 setup.ex_ 2.44 KB CLEAN


Please find a detailed report concerning each individual sample below:
Filename Result
setup.ex_ CLEAN

The file 'setup.ex_' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.




#23
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified
It turned out to be quite tricky to contact some AV vendors and report a false positive. Currently at virustotal 19/43 still detect setup.exe as a virus:
http://www.virustota...4671-1288529982

Just got a response from Panda AV, waiting for the remaining 18:

Dear customer,

After checking in our laboratory the message you submit, we inform you it contains no virus. The detection was caused due to a string coincidence.

The incidence is already solved in a Beta version of our Signature File (PAV.SIG), that you can download from the following URL: http://www.pandasecurity.com/homeusers/security-info/disclaimer/disclaimer

* If you have CloudAV, you don’t need to download the Beta version of our signature file (PAVSIG), it will be automatically updated in a few hours

We hope this answer has been helpful and do not hesitate to contact us should you need any suspicious file analyzed in future.

Best regards,

PandaLabs
virus@pandasecurity.com




#24
Sp0iLedBrAt

Sp0iLedBrAt

    MSFN Addict

  • MSFN Sponsor
  • 1,727 posts
  • Joined 19-March 09
  • OS:XP Pro x86
And yet, using database 7.10.13.74 (29Oct2010) from 2 days ago, I get this:
Attached File  Avira Personal.JPG   14.57KB   2 downloads

:no:

#25
ilko_t

ilko_t

    MSFN Addict

  • Super Moderator
  • 1,723 posts
  • Joined 06-December 06
  • OS:none specified
Go figure...

Posted Image

http://analysis.avira.com/samples/





