Post #1 (11.07.2008 20:02)
Member, Group: Members, Posts: 23, Joined: 1.07.2007, From: Chicago/USA

FP? Trojan program Exploit.PHP.Userpic.a

My KAV 7.0.0.125 reports “Trojan program Exploit.PHP.Userpic.a” infection in ZoneAlarm Pro install files: zapSetup_70_473_000_en.exe and zapSetup_70_483_000_en.exe this morning. I expect it is a false positive.

Post #2 (11.07.2008 20:05)
Advanced Member II, Group: Members, Posts: 201, Joined: 27.06.2008, From: England

I don't use ZAP, but if it's the file you downloaded from their site, and it's digitally signed by Checkpoint, then yes. Chances are it's a FP.
Report this to Kaspersky by zipping the file that's being flagged as Trojan program Exploit.PHP.Userpic.a -- password protect the archive. Send an email to: newvirus@kaspersky.com with "False positive" as the subject line. In the email, attach the Zipped file, say what password you've used for the archive (I usually use "kaspersky"), tell them what it's being detected as and perhaps point to the download of the file on the ZA servers. You should hear back from them in a few hours with the result.
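
The signature check suggested in post #2, as an added PowerShell example that is not part of the original thread: it reports whether each flagged installer carries a valid Authenticode signature from the expected vendor and prints a SHA-256 hash that can be quoted in the false-positive report. The file locations, the signer substring `Check Point` and the function name `Test-VendorSignature` are assumptions made for illustration.

```powershell
# Added example: check the Authenticode signature of a flagged installer
# before reporting it as a suspected false positive.
# Assumptions: the installers named in the thread sit in the current directory,
# and the vendor's certificate subject contains the string 'Check Point'.
param(
    [string[]]$Path = @('.\zapSetup_70_473_000_en.exe', '.\zapSetup_70_483_000_en.exe'),
    [string]$ExpectedSigner = 'Check Point'   # assumed subject substring
)

function Test-VendorSignature {   # hypothetical helper name
    param([string]$File, [string]$Signer)

    # Validates the embedded signature and its certificate chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $File

    # Unsigned files have no signer certificate at all.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File          = $File
        Status        = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Subject       = $subject
        # Both conditions must hold: the signature verifies AND it is the vendor's.
        SignerMatches = ($sig.Status -eq 'Valid') -and ($subject -like "*$Signer*")
        SHA256        = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
    }
}

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found: $p"
        continue
    }
    Test-VendorSignature -File $p -Signer $ExpectedSigner
}
```

A `Status` of `HashMismatch` means the file changed after it was signed, so the vendor's signature no longer supports treating the detection as a false positive.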

Post #3 (11.07.2008 21:10)
Member, Group: Members, Posts: 23, Joined: 1.07.2007, From: Chicago/USA

Thanx Cytoned; done.

Post #4 (11.07.2008 21:15)
Newbie, Group: Members, Posts: 3, Joined: 3.01.2008

Thanks for reporting this. My KIS 7.0.1.325 detected Trojan program Exploit.PHP.Userpic.a as a new threat today for the object
C:\windows\help\rz_mce_u.chm//images/rz_mce_w.jpg
Since this appeared (to me) to be another example of the same FP, I followed your advice for zipping this up and reporting it as a suspected false positive.

Post #5 (11.07.2008 21:39)
Newbie, Group: Members, Posts: 1, Joined: 11.07.2008

I received the same report for Zone Alarm. Has anyone responded from Kaspersky yet?

Post #6 (11.07.2008 22:48)
Member, Group: Members, Posts: 23, Joined: 1.07.2007, From: Chicago/USA

I submitted my currently running “zaclients.chm” (7.0.473) to Kaspersky labs and received the following reply just now:

> From: newvirus@kaspersky.com
> Sent: Fri 7/11/08 1:16 PM
> To: me@hotmail.com
>
> Hello. This is not false positive, but this file danger only for web-servers.
>
> Sincerely yours, Andrey Bezborodov, Virus Analyst.
> Kaspersky Lab Ltd Moscow, Russia
> Tel/Fax : +7 (095) 797-8700
> E-mail : newvirus@kaspersky.com
> Internet: http://www.kaspersky.com, http://www.viruslist.com

I still think it is a false positive, but have delayed the installation of 70_483_000 while this is sorted out. What action will be helpful to the ZoneAlarm folks to be able to resolve this?

Post #7 (12.07.2008 01:26)
Newbie, Group: Members, Posts: 3, Joined: 3.01.2008

Very prompt reply from Kaspersky support:
> On Fri, 7/11/08, newvirus@kaspersky.com <newvirus@kaspersky.com> wrote:
>
> From: newvirus@kaspersky.com <newvirus@kaspersky.com>
> Subject: RE: False positive (Trojan program Exploit.PHP.Userpic.a) [KLAB-5656208]
> To: _
> Date: Friday, July 11, 2008, 4:04 PM
>
> Hello. Sorry, it's false alarm. It's detection will be deleted in the next update. Thank you for your help.
>
> -----------------
> Regards, Andrey Ladikov
> Virus Analyst, Kaspersky Lab.
> Ph.: +7(495) 797-8700
> E-mail: newvirus@kaspersky.com
> http://www.kaspersky.com http://www.viruslist.com

Post #8 (12.07.2008 02:19)
Wrestling Champion, Group: Moderators, Posts: 8793, Joined: 10.03.2007

> I submitted my currently running “zaclients.chm” (7.0.473) to Kaspersky labs and received the following reply just now:
>
> “From: newvirus@kaspersky.com Sent: Fri 7/11/08 1:16 PM To: me@hotmail.com Hello. This is not false positive, but this file danger only for web-servers. Sincerely yours, Andrey Bezborodov, Virus Analyst. Kaspersky Lab Ltd Moscow, Russia Tel/Fax : +7 (095) 797-8700 E-mail : newvirus@kaspersky.com Internet: http://www.kaspersky.com, http://www.viruslist.com”
>
> I still think it is a false positive, but have delayed the installation of 70_483_000 while this is sorted out. What action will be helpful to the ZoneAlarm folks to be able to resolve this?

Send a reply back explaining this is a part of the ZA installation package, another legitimate security software.

--------------------
Kind Regards,
Baz (volunteer moderator/beta testing lead -- I don't work for Kaspersky)

Post #9 (12.07.2008 06:00)
Newbie, Group: Members, Posts: 2, Joined: 12.07.2008, From: The Netherlands

12-07-2008 (03:30 Amsterdam time)
2 hits while browsing liveleak.com when entering a video. Reported 1 to liveleak. (I translated the words "gedetecteerd" to "detected" and "pagina" to "page" from Dutch to English.)
Copied from the detection list from KIS 7.nl. Please note that the links are infected (!)

This post has been edited by Don Pelotas: 12.07.2008 12:39
Reason for edit: Links to malware removed

Post #10 (12.07.2008 06:24)
Oldtimer, Group: Moderators, Posts: 43080, Joined: 14.06.2007

Do not post infected links in the forum. Send them to the Lab instead. See: http://forum.kaspersky.com/index.php?showtopic=13881
-------------------- Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

Post #11 (12.07.2008 06:41)
Newbie, Group: Members, Posts: 2, Joined: 12.07.2008, From: The Netherlands

> Do not post infected links in the forum. Send them to the Lab instead. See: http://forum.kaspersky.com/index.php?showtopic=13881

I'm really sorry, I noticed it afterwards when I posted the lines, and didn't know instantly how to make them "not links"; I'm new to the BBCode in this forum. I added a comment for the time being. When I tried to edit them and post them again as code, I could not enter the post and got an error message, perhaps because you replied in the meantime. I gave up then. I will send the links to the Lab, thanks for your advice.

Post #12 (12.07.2008 07:41)
Advanced Member V, Group: Members, Posts: 1143, Joined: 28.03.2008, From: "tax free"

Today I got the same message for the online scan. I scanned my research group's computer and found 5 files. I know that they are false pos.
At least I'm not the only one who got this message.

--------------------
1. Windows 7 32-bit Ultimate (not in use). 2. Windows 7 64-bit, 500gb HD, 4gb ram, Nvidia GeForce GT 425M, i5-480M (in use)
FF13.0.1; KIS/KAV and PURE Tester since Kaspersky 6 with real computer (always). Currently Beta Testing: Didn't/don't have time to :( Currently: R&D Chemist

Post #13 (12.07.2008 16:35)
Member, Group: Members, Posts: 23, Joined: 1.07.2007, From: Chicago/USA

> FP? Trojan program Exploit.PHP.Userpic.a
> My KAV 7.0.0.125 reports “Trojan program Exploit.PHP.Userpic.a” infection in ZoneAlarm Pro install files: zapSetup_70_473_000_en.exe and zapSetup_70_483_000_en.exe this morning. I expect it is a false positive.

Resolved at this writing; these are no longer flagged. Thanx for the rapid resolution. And is the "Post Editing" function restricted for new posters? I wanted to add "[Fixed}" to this topic's Title, but do not see the "Edit" tab.

Post #14 (12.07.2008 16:41)
Global Moderator, Group: Global moderators, Posts: 28560, Joined: 7.04.2005

> Resolved at this writing; these are no longer flagged. Thanx for the rapid resolution. And is the "Post Editing" function restricted for new posters? I wanted to add "[Fixed}" to this topic's Title, but do not see the "Edit" tab.

Only available in the first 10-20 minutes right after posting.