> Possible false positive: utorrent
iuffra
post 5.07.2007 10:00
Post #1


Member
**

Group: Members
Posts: 14
Joined: 16.05.2006




I was running utorrent 1.7 rc2 (build 2999) overnight and when I turned on my monitor I got a warning.

Infected: adware not-a-virus:AdWare.Win32.Agent.bn uTorrent.exe\uTorrent.exe 608 KB

Infected: adware not-a-virus:AdWare.Win32.Agent.bn c:\program files\utorrent\utorrent.exe 239 KB

database published 05/07/2007 04:54:41

probably a false positive, I've been running utorrent rc2 since it came out and I have had no warnings from kav until now.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I've run utorrent.exe through virustotal.com and here are the positive results

Antivirus          Version   Update      Result
eSafe              7.0.15.0  07.04.2007  suspicious Trojan/Worm
Kaspersky          4.0.2.24  07.05.2007  not-a-virus:AdWare.Win32.Agent.bn
Panda              9.0.0.4   07.05.2007  Suspicious file
Webwasher-Gateway  6.0.1     07.05.2007  Win32.ModifiedUPX.gen!84 (suspicious)

Additional Information
File size: 244736 bytes
MD5: 7169bf84a07fb377601707332ed012c2
SHA1: 1bcf64bf81ea9345e9a95cf1f9125cf311d547db
packers: UPX_LZMA

I've checked the md5 and sha1 hashes and they are correct.

This post has been edited by iuffra: 5.07.2007 10:15
Lucian Bara
post 5.07.2007 10:19
Post #2


Are You Kidding?
*****************

Group: Gold beta testers
Posts: 56947
Joined: 28.01.2006
From: Timisoara, Romania




send the files for analysis: http://forum.kaspersky.com/index.php?showtopic=13881
iuffra
post 5.07.2007 10:48
Post #3


done, thanks Lucian
King Grub
post 5.07.2007 11:09
Post #4


Kaspersky Fan I
********

Group: Members
Posts: 1585
Joined: 4.04.2006
From: Sweden




I just got the same "adware not-a-virus:AdWare.Win32.Agent.bn" for the ImgBurn executables with the same databases. I sent it for analysis, too - has to be the same FP.

This post has been edited by King Grub: 5.07.2007 11:09
King Grub
post 5.07.2007 11:38
Post #5


While waiting, I downloaded a new ImgBurn from the official site, and it was "infected", too.
King Grub
post 5.07.2007 12:01
Post #6


"Hello.
Sorry, this was a false detection
it will be fixed in the next updates
thank you for your help

Please quote all when answering.
-----------------
Regards, Yampolsky Boris
Virus Analyst, Kaspersky Lab."

Sweet fast reply!
iuffra
post 5.07.2007 12:02
Post #7


QUOTE(King Grub @ 5.07.2007 07:38)
While waiting, I downloaded a new ImgBurn from the official site, and it was "infected", too.


that's weird because I was using imgburn and it was ok, I scanned the exe and downloaded a new setupimgburn and kav didn't report anything.

I've got an e-mail saying utorrent is a false positive and will be out with the next update.

thank you kaspersky
Baz^^
post 5.07.2007 12:56
Post #8


Wrestling Champion
**************

Group: Gold beta testers
Posts: 8799
Joined: 10.03.2007




May have been my fault

Hello,

install_cr.exe, ddesupport.dll, edi.exe, main_uninstaller.exe, msole.dll - not-a-virus:AdWare.Win32.Agent.bn

These files are Advertising Tools; their detection will be included in the next update of extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates

Please quote all when answering.

--
Best regards, Yaroslav Kirillov
Virus analyst, Kaspersky Lab.


--------------------
Kind Regards,

Baz
Lucian Bara
post 5.07.2007 12:58
Post #9


looks like they might hit a packer or something like that, a lot of applications have that detection.
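
Post #1's VirusTotal output lists "packers: UPX_LZMA", and the reply above guesses that the detection keys on a packer. The following is an added example, not part of the thread: a Python check that reads a PE section table and reports two UPX indicators. The function names and the header-only sample inputs are constructed for illustration.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] read from a PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table starts after both headers.
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(count):
        off = table + 40 * i                      # each section header is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw_size))
    return sections

def upx_indicators(data: bytes):
    """Two independent hints; section names can be renamed, so report both."""
    secs = pe_sections(data)
    names = [n for n, _, _ in secs]
    return {
        "sections": names,
        "upx_names": {"UPX0", "UPX1"} <= set(names),
        # UPX's first section is empty on disk; the stub unpacks into it at run time.
        "empty_first_section": bool(secs) and secs[0][2] == 0 and secs[0][1] > 0,
    }

def build_sample(sections):
    """Constructed input: PE headers only, built from (name, vsize, raw_size)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        name.encode().ljust(8, b"\0") + struct.pack("<III", vsize, 0x1000 * (i + 1), raw)
        + b"\0" * 20 for i, (name, vsize, raw) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

PACKED = build_sample([("UPX0", 0x60000, 0), ("UPX1", 0x3C000, 0x3BA00), (".rsrc", 0x1000, 0x600)])
PLAIN = build_sample([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x200)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(blob))
```

A positive result only says the file is UPX-packed. Programs packed this way all carry the same kind of unpacking stub, so a signature that lands on packer code rather than on the payload can match unrelated applications.
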
King Grub
post 5.07.2007 13:39
Post #10


Now, after the new update, Kaspersky detects the very same executable that was a confirmed FP as "Trojan-Dropper.Win32.Agent.blk" instead...

Also downloaded the latest ImgBurn again from the official site, and upon installing, "Trojan-Dropper.Win32.Agent.blk" was "detected".

This post has been edited by King Grub: 5.07.2007 13:40
King Grub
post 5.07.2007 16:44
Post #11


There you go; now things are back to normal. Very fast responses from Kaspersky.
myhomie
post 20.07.2007 13:52
Post #12


Member
**

Group: Members
Posts: 11
Joined: 3.01.2006




Sorry, I'm still quite confused, will add to the inclusion or not?
Lucian Bara
post 20.07.2007 13:53
Post #13


will add what? the false positive was fixed two weeks ago, what's the problem?
myhomie
post 21.07.2007 11:13
Post #14


QUOTE(Lucian Bara @ 20.07.2007 09:53)
will add what? the false positive was fixed two weeks ago, what's the problem?


Just updated my utorrent to 1.7 last night. KAV is still detecting it as a trojan; my KAV is up to date though. Guess it's still not fixed on my side??
Lucian Bara
post 21.07.2007 11:20
Post #15


QUOTE(myhomie @ 21.07.2007 10:13)
Just updated my utorrent to 1.7 last night. KAV is still detecting it as a trojan; my KAV is up to date though. Guess it's still not fixed on my side??

what's the full detection for your utorrent (name)?
myhomie
post 21.07.2007 11:45
Post #16


QUOTE(Lucian Bara @ 21.07.2007 07:20)
what's the full detection for your utorrent (name)?


it says:

Possibly infected: riskware Trojan.generic - uTorrent.exe

It's under my quarantine at the moment.
Lucian Bara
post 21.07.2007 12:10
Post #17


QUOTE(myhomie @ 21.07.2007 10:45)
it says:

Possibly infected: riskware Trojan.generic - uTorrent.exe

It's under my quarantine at the moment.

You will always get that on installation. That's a behavioural detection from the proactive defense; it occurs when a software tries to add a copy of itself into startup. In this case it is safe and you can choose "Skip".
myhomie
post 21.07.2007 12:40
Post #18


QUOTE(Lucian Bara @ 21.07.2007 08:10)
You will always get that on installation. That's a behavioural detection from the proactive defense; it occurs when a software tries to add a copy of itself into startup. In this case it is safe and you can choose "Skip".


Cool, that's what I thought as well; I conferred with you guys just in case. Better safe than sorry, as they say. Cheers!