cwh803

[Fixed] FP? Trojan program Exploit.PHP.Userpic.a


cwh803   

FP? Trojan program Exploit.PHP.Userpic.a

 

My KAV 7.0.0.125 reports “Trojan program Exploit.PHP.Userpic.a” infection in ZoneAlarm Pro install files: zapSetup_70_473_000_en.exe and zapSetup_70_483_000_en.exe this morning.

 

I expect it is a false positive.

Cytoned   

I don't use ZAP, but if it's the file you downloaded from their site, and it's digitally signed by Checkpoint, then yes. Chances are it's a FP.

 

Report this to Kaspersky by zipping the file that's being flagged as Trojan program Exploit.PHP.Userpic.a -- password protect the archive.

Send an email to: newvirus@kaspersky.com with "False positive" as the subject line.

 

In the email, attach the Zipped file, say what password you've used for the archive (I usually use "kaspersky"), tell them what it's being detected as and perhaps point to the download of the file on the ZA servers.

 

You should hear back from them in a few hours with the result.

Link to post

Thanks for reporting this. My KIS 7.0.1.325 detected Trojan program Exploit.PHP.Userpic.a as a new threat today for the object

C:\windows\help\rz_mce_u.chm//images/rz_mce_w.jpg

 

Since this appeared (to me) to be another example of the same FP, I followed your advice for zipping this up and reporting it as a suspected false positive.

cwh803   

I submitted my currently running “zaclients.chm” (7.0.473) to Kaspersky labs and received the following reply just now:

 

“From: newvirus@kaspersky.com

Sent: Fri 7/11/08 1:16 PM

To: me@hotmail.com

 

Hello. This is not false positive, but this file danger only for web-servers.

 

Sincerely yours,

Andrey Bezborodov, Virus Analyst.

 

Kaspersky Lab Ltd Moscow, Russia

Tel/Fax: +7 (095) 797-8700

E-mail: newvirus@kaspersky.com

Internet: http://www.kaspersky.com, http://www.viruslist.com”

 

I still think it is a false positive, but have delayed the installation of 70_483_000 while this is sorted out.

 

What action will be helpful to the ZoneAlarm folks to be able to resolve this?

 

Link to post

Very prompt reply from Kaspersky support:

 

 

On Fri, 7/11/08, newvirus@kaspersky.com <newvirus@kaspersky.com> wrote:

 

From: newvirus@kaspersky.com <newvirus@kaspersky.com>

Subject: RE: False positive (Trojan program Exploit.PHP.Userpic.a) [KLAB-5656208]

To: _

Date: Friday, July 11, 2008, 4:04 PM

 

 

Hello.

Sorry, it's a false alarm. Its detection will be deleted in the next update. Thank you for your help.

-----------------

Regards, Andrey Ladikov

Virus Analyst, Kaspersky Lab.

 

Ph.: +7(495) 797-8700

E-mail: newvirus@kaspersky.com

http://www.kaspersky.com http://www.viruslist.com

 

 

Baz^^   

Send a reply back explaining this is a part of the ZA installation package, another legitimate security software.

Deedjee   

12-07-2008 (03:30 Amsterdam time)

 

2 hits while browsing liveleak.com when entering a video.

 

Reported 1 to liveleak.

 

(I translated the words "gedetecteerd" to "detected" and "pagina" to "page" from Dutch to English.)

Copied from the detection list from KIS 7.nl

 

Please note that the links are infected (!)

 

 

Edited by Don Pelotas
Links to malware removed

Deedjee   
Do not post infected links in the forum. Send them to the Lab instead. See: http://forum.kaspersky.com/index.php?showtopic=13881

 

I'm really sorry, I noticed it afterwards when I posted the lines, and didn't know instantly how to make them "not links". I'm new to the BBCode in this forum.

I added comment for the time being.

When I tried to edit them and post them again as code, I could not enter the post, got an error message, perhaps because you replied in the meantime.

 

I gave up then.

 

I will send the links to the Lab, thanks for your advice.

 

 

 

 

 

 

Link to post

Today I got the same message for the online scan. I scanned my research group's computer and found 5 files. I know that they are false pos.

At least I'm not the only one who got this message. :P

cwh803   

 

Resolved at this writing; these are no longer flagged. Thanks for the rapid resolution.

And is the "Post Editing" function restricted for new posters? I wanted to add "[Fixed]" to this topic's Title, but do not see the "Edit" tab.

Link to post

Only available in the first 10-20 minutes right after posting. :)

This topic is now closed to further replies.
