[Fixed] FP? Trojan program Exploit.PHP.Userpic.a
cwh803
post 11.07.2008 20:02
Post #1


Member
**

Group: Members
Posts: 25
Joined: 1.07.2007
From: Chicago/USA




FP? Trojan program Exploit.PHP.Userpic.a

My KAV 7.0.0.125 reports “Trojan program Exploit.PHP.Userpic.a” infection in ZoneAlarm Pro install files: zapSetup_70_473_000_en.exe and zapSetup_70_483_000_en.exe this morning.

I expect it is a false positive.
Cytoned
post 11.07.2008 20:05
Post #2


Advanced Member II
****

Group: Members
Posts: 201
Joined: 27.06.2008
From: England




I don't use ZAP, but if it's the file you downloaded from their site, and it's digitally signed by Checkpoint, then yes. Chances are it's a FP.

Report this to Kaspersky by zipping the file that's being flagged as Trojan program Exploit.PHP.Userpic.a -- password protect the archive.
Send an email to: newvirus@kaspersky.com with "False positive" as the subject line.

In the email, attach the Zipped file, say what password you've used for the archive (I usually use "kaspersky"), tell them what it's being detected as and perhaps point to the download of the file on the ZA servers.

You should hear back from them in a few hours with the result.


--------------------
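The signature check suggested in the post above, written out as an added example that is not part of the original thread: it reads the installer's Authenticode status, the signer name and a SHA-256 hash to quote in the report. The function name, the verdict wording and the publisher string `'Check Point'` are assumptions made for illustration.

```powershell
# Added example (not from the thread). Function name, verdict strings and the
# publisher string passed in are assumptions made for illustration.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Simple name (usually the CN) of the signing certificate, if there is one
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # 'Valid' = file hash matches the signature and the chain is trusted.
    # 'HashMismatch' = file changed after signing; 'NotSigned' = no signature.
    $valid = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
    $match = ($null -ne $signer) -and
             ($signer.IndexOf($ExpectedPublisher, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)

    if ($valid -and $match) {
        $verdict = 'Intact and signed by expected publisher: report as suspected false positive'
    } elseif ($valid) {
        $verdict = 'Valid signature from an unexpected signer: do not assume false positive'
    } else {
        $verdict = "Signature status '$($sig.Status)': do not assume false positive"
    }

    [pscustomobject]@{
        File            = $file.Name
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        PublisherMatch  = $match
        Verdict         = $verdict
    }
}

# Usage, with a file name from this thread and an assumed publisher string:
# Test-InstallerSignature -Path .\zapSetup_70_483_000_en.exe -ExpectedPublisher 'Check Point'
```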
cwh803
post 11.07.2008 21:10
Post #3


Member
**

Group: Members
Posts: 25
Joined: 1.07.2007
From: Chicago/USA




Thanx Cytoned; done.
KosminenPoika
post 11.07.2008 21:15
Post #4


Newbie
*

Group: Members
Posts: 3
Joined: 3.01.2008




Thanks for reporting this. My KIS 7.0.1.325 detected Trojan program Exploit.PHP.Userpic.a as a new threat today for the object
C:\windows\help\rz_mce_u.chm//images/rz_mce_w.jpg

Since this appeared (to me) to be another example of the same FP, I followed your advice for zipping this up and reporting it as a suspected false positive.
solemnstraw3
post 11.07.2008 21:39
Post #5


Newbie
*

Group: Members
Posts: 1
Joined: 11.07.2008




I received the same report for Zone Alarm. Has anyone responded from Kaspersky yet?
cwh803
post 11.07.2008 22:48
Post #6


Member
**

Group: Members
Posts: 25
Joined: 1.07.2007
From: Chicago/USA




I submitted my currently running “zaclients.chm” (7.0.473) to Kaspersky labs and received the following reply just now:

“From: newvirus@kaspersky.com
Sent: Fri 7/11/08 1:16 PM
To: me@hotmail.com

Hello. This is not false positive, but this file danger only for web-servers.

Sincerely yours,
Andrey Bezborodov, Virus Analyst.

Kaspersky Lab Ltd Moscow, Russia
Tel/Fax: +7 (095) 797-8700
E-mail: newvirus@kaspersky.com
Internet: http://www.kaspersky.com, http://www.viruslist.com”

I still think it is a false positive, but have delayed the installation of 70_483_000 while this is sorted out.

What action will be helpful to the ZoneAlarm folks to be able to resolve this?

KosminenPoika
post 12.07.2008 01:26
Post #7


Newbie
*

Group: Members
Posts: 3
Joined: 3.01.2008




Very prompt reply from Kaspersky support:


On Fri, 7/11/08, newvirus@kaspersky.com <newvirus@kaspersky.com> wrote:

From: newvirus@kaspersky.com <newvirus@kaspersky.com>
Subject: RE: False positive (Trojan program Exploit.PHP.Userpic.a) [KLAB-5656208]
To: _
Date: Friday, July 11, 2008, 4:04 PM


Hello.
Sorry, it's false alarm. It's detection will be deleted in the next
update. Thank you for your help.
-----------------
Regards, Andrey Ladikov
Virus Analyst, Kaspersky Lab.

Ph.: +7(495) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com

Baz^^
post 12.07.2008 02:19
Post #8


Wrestling Champion
**************

Group: Gold beta testers
Posts: 8799
Joined: 10.03.2007




QUOTE(cwh803 @ 11.07.2008 19:48) *
I submitted my currently running “zaclients.chm” (7.0.473) to Kaspersky labs and received the following reply just now:

“From: newvirus@kaspersky.com
Sent: Fri 7/11/08 1:16 PM
To: me@hotmail.com

Hello. This is not false positive, but this file danger only for web-servers.

Sincerely yours,
Andrey Bezborodov, Virus Analyst.

Kaspersky Lab Ltd Moscow, Russia
Tel/Fax: +7 (095) 797-8700
E-mail: newvirus@kaspersky.com
Internet: http://www.kaspersky.com, http://www.viruslist.com”

I still think it is a false positive, but have delayed the installation of 70_483_000 while this is sorted out.

What action will be helpful to the ZoneAlarm folks to be able to resolve this?



Send a reply back explaining this is a part of the ZA installation package, another legitimate security software.


--------------------
Kind Regards,

Baz
Deedjee
post 12.07.2008 06:00
Post #9


Newbie
*

Group: Members
Posts: 2
Joined: 12.07.2008
From: The Netherlands




12-07-2008 (03:30 Amsterdam time)

2 hits while browsing liveleak.com when entering a video.

Reported 1 to liveleak.

(I translated the words "gedetecteerd" to "detected" and "pagina" to "page" from Dutch to English.)
Copied from the detection list from KIS 7.nl

Please note that the links are infected (!)



This post has been edited by Don Pelotas: 12.07.2008 12:39
Reason for edit: Links to malware removed
richbuff
post 12.07.2008 06:24
Post #10


Are You Kidding?
*****************

Group: Moderators
Posts: 1000056
Joined: 14.06.2007




Do not post infected links in the forum. Send them to the Lab instead. See: http://forum.kaspersky.com/index.php?showtopic=13881


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
Deedjee
post 12.07.2008 06:41
Post #11


Newbie
*

Group: Members
Posts: 2
Joined: 12.07.2008
From: The Netherlands




QUOTE(richbuff @ 12.07.2008 04:24) *
Do not post infected links in the forum. Send them to the Lab instead. See: http://forum.kaspersky.com/index.php?showtopic=13881


I'm really sorry, I noticed it afterwards when I posted the lines, and didn't know instantly how to make them "not links"; I'm new to the BBCode in this forum.
I added a comment for the time being.

When I tried to edit them and post them again as code, I could not enter the post and got an error message, perhaps because you replied in the meantime.

I gave up then.

I will send the links to the Lab, thanks for your advice.





Shinigami
post 12.07.2008 07:41
Post #12


Advanced Member V
*******

Group: Members
Posts: 1145
Joined: 28.03.2008
From: "tax free"




Today I got the same message for the online scan. I scanned my research group's computer and found 5 files. I know that they are false pos.
At least I'm not the only one who got this message.


--------------------
1. Windows 7 32-bit Ultimate (not in use). 2. Windows 7 64-bit, 500gb HD, 4gb ram, Nvidia GeForce GT 425M, i5-480M (in use)
FF: current; KIS/KAV and PURE Tester since Kaspersky 6 with real computer (always).
Currently Beta Testing: N/A Trying to get into graduate school
Current job:pm me for info
cwh803
post 12.07.2008 16:35
Post #13


Member
**

Group: Members
Posts: 25
Joined: 1.07.2007
From: Chicago/USA




QUOTE(cwh803 @ 11.07.2008 20:02) *
FP? Trojan program Exploit.PHP.Userpic.a

My KAV 7.0.0.125 reports “Trojan program Exploit.PHP.Userpic.a” infection in ZoneAlarm Pro install files: zapSetup_70_473_000_en.exe and zapSetup_70_483_000_en.exe this morning.

I expect it is a false positive.


Resolved at this writing; these are no longer flagged. Thanx for the rapid resolution.

And is the "Post Editing" function restricted for new posters? I wanted to add "[Fixed}" to this topic's Title, but do not see the "Edit" tab.
Don Pelotas
post 12.07.2008 16:41
Post #14


Global Moderator
****************

Group: Global moderators

Posts: 28880
Joined: 7.04.2005




QUOTE(cwh803 @ 12.07.2008 14:35) *
Resolved at this writing; these are no longer flagged. Thanx for the rapid resolution.

And is the "Post Editing" function restricted for new posters? I wanted to add "[Fixed}" to this topic's Title, but do not see the "Edit" tab.

Only available in the first 10-20 minutes right after posting.


--------------------