iuffra

Possible false positive: utorrent

18 posts in this topic

I was running utorrent 1.7 rc2 (build 2999) overnight and when I turned on my monitor I got a warning.

 

Infected: adware not-a-virus:AdWare.Win32.Agent.bn uTorrent.exe\uTorrent.exe 608 KB

 

Infected: adware not-a-virus:AdWare.Win32.Agent.bn c:\program files\utorrent\utorrent.exe 239 KB

 

database published 05/07/2007 04:54:41

 

Probably a false positive; I've been running utorrent rc2 since it came out and I have had no warnings from KAV until now.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I've run utorrent.exe through virustotal.com and here are the positive results

 

| Antivirus | Version | Update | Result |
|---|---|---|---|
| eSafe | 7.0.15.0 | 07.04.2007 | suspicious Trojan/Worm |
| Kaspersky | 4.0.2.24 | 07.05.2007 | not-a-virus:AdWare.Win32.Agent.bn |
| Panda | 9.0.0.4 | 07.05.2007 | Suspicious file |
| Webwasher-Gateway | 6.0.1 | 07.05.2007 | Win32.ModifiedUPX.gen!84 (suspicious) |

 

Additional Information

File size: 244736 bytes

MD5: 7169bf84a07fb377601707332ed012c2

SHA1: 1bcf64bf81ea9345e9a95cf1f9125cf311d547db

packers: UPX_LZMA

 

I've checked the md5 and sha1 hashes and they are correct.

Edited by iuffra


I just got the same "adware not-a-virus:AdWare.Win32.Agent.bn" for the ImgBurn executables with the same databases. I sent it for analysis, too - has to be the same FP.

Edited by King Grub


While waiting, I downloaded a new ImgBurn from the official site, and it was "infected", too.


"Hello.

Sorry, this was a false detection

it will be fixed in the next updates

thank you for your help

 

Please quote all when answering.

-----------------

Regards, Yampolsky Boris

Virus Analyst, Kaspersky Lab."

 

Sweet fast reply!


That's weird, because I was using ImgBurn and it was OK; I scanned the exe and downloaded a new setupimgburn and KAV didn't report anything.

I've got an e-mail saying utorrent is a false positive and will be out with the next update.

Thank you, Kaspersky


May have been my fault

 

Hello,

 

install_cr.exe, ddesupport.dll, edi.exe, main_uninstaller.exe, msole.dll - not-a-virus:AdWare.Win32.Agent.bn

 

These files are Advertising Tools; their detection will be included in the next update of the extended databases set. See more info about extended databases here: http://www.kaspersky.com/extraavupdates

 

Please quote all when answering.

 

--

Best regards, Yaroslav Kirillov

Virus analyst, Kaspersky Lab.

 


Looks like they might hit a packer or something like that; a lot of applications have that detection.


Now, after the new update, Kaspersky detects the very same executable that was a confirmed FP as "Trojan-Dropper.Win32.Agent.blk" instead...

 

Also downloaded the latest ImgBurn again from the official site, and upon installing, "Trojan-Dropper.Win32.Agent.blk" was "detected".

Edited by King Grub


There you go; now things are back to normal. Very fast responses from Kaspersky.


Will add what? The false positive was fixed two weeks ago; what's the problem?


Just updated my utorrent to 1.7 last night. KAV is still detecting it as a trojan; my KAV is up to date though. Guess it's still not fixed on my side??


What's the full detection for your utorrent (name)?


it says:

 

Possibly infected: riskware Trojan.generic - uTorrent.exe

 

It's under my quarantine at the moment.


You will always get that on installation. That's a behavioural detection from the proactive defense; it occurs when software tries to add a copy of itself into startup. In this case it is safe and you can choose "Skip".
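
The behaviour described in the reply above (a program registering a copy of itself to run at startup), sketched as detection logic with a hash allowlist for triage. This is an added example, not code from the thread and not Kaspersky's implementation; the event field names and sample events are constructed, and the allowlisted SHA1 is the one quoted in the first post.

```python
import ntpath

# Autostart locations watched by this sketch: the Windows Run keys and the
# per-user Startup folder.
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
STARTUP_DIR = r"\start menu\programs\startup"

# Hashes already verified out of band; GOOD is the SHA1 quoted for
# uTorrent.exe in the first post.
GOOD = "1bcf64bf81ea9345e9a95cf1f9125cf311d547db"
KNOWN_GOOD_SHA1 = {GOOD}

def _norm(path):
    return ntpath.normpath(path.strip().strip('"')).lower()

def image_from_command(data):
    """Executable path from a Run-value command line (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return _norm(data[1:].split('"', 1)[0])
    end = data.lower().find(".exe")
    return _norm(data[:end + 4]) if end != -1 else _norm(data)

def classify(event):
    """Return 'ignore', 'known-good' or 'alert' for one event dict."""
    image, target = _norm(event["image"]), _norm(event["target"])
    if event["action"] == "reg_set_value":
        key = target.rsplit("\\", 1)[0]        # drop the value name
        self_ref = key in RUN_KEYS and image_from_command(event["data"]) == image
    elif event["action"] == "file_copy":       # data holds the source path
        self_ref = STARTUP_DIR in target and _norm(event["data"]) == image
    else:
        self_ref = False
    if not self_ref:
        return "ignore"                        # not a self-registration
    return "known-good" if event["sha1"] in KNOWN_GOOD_SHA1 else "alert"

# Constructed sample events; updater.exe and regedit paths are hypothetical.
UT = r"c:\program files\utorrent\utorrent.exe"
TMP = r"C:\Temp\updater.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    dict(image=UT, sha1=GOOD, action="reg_set_value", target=RUN + r"\uTorrent", data='"' + UT + '"'),
    dict(image=TMP, sha1="0" * 40, action="file_copy", target=r"C:\Users\test\Start Menu\Programs\Startup\updater.exe", data=TMP),
    dict(image=r"C:\Windows\regedit.exe", sha1="1" * 40, action="reg_set_value", target=RUN + r"\uTorrent", data='"' + UT + '"'),
]
```

The first event is the thread's case: the heuristic fires, and the verified hash is what justifies skipping it; the same behaviour from an unknown hash stays an alert.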


Cool, that's what I thought as well; I conferred with you guys just in case. Better safe than sorry, as they say. Cheers!
