Amethyst

Trojan Dropper/Win-NV, WINNT.EXE

Recommended Posts

I believe this is a false positive, detected in my I386 folder on a Windows XP Media Center Edition SP3. On that computer, it is in C:\Windows\I386\WINNT.exe. On my laptop, I have a version of this file, WINNT.EXE here: C:\I386\WINNT.EXE. SAS does not detect it as being a problem. I have scanned the file from both computers at Virustotal and Jotti. Both sites show each of these files as being identical. I have checked all the numbers, the MD5, SHA1, SHA256, and the ssdeep numbers, and they are all identical for both files. The only difference is the dates. The supposed bad file was created and modified Aug 9/04, and the good file was created April 29/06 and has a modification date of Aug 04/04. The file with the later modification date is from a computer purchased in 2008. The affected computer was purchased in 2005. SAS is up to date on both of the computers in question.

Virustotal result:

http://www.virustotal.com/analisis/ec9f379259bc73a0f10f4ac86462ac0236d1e922b98b2a7aa1a8674be406efb7-1268205549

Jotti:

http://virusscan.jotti.org/en/scanresult/072a0d745e38783ae6defc0cbbb8c25f2068804f/c4523bd6dfee495ad5105f11b1553d8cefc22f28

I am currently running a second scan on the other computer. I see that it has again detected this file as being a trojan dropper. Why is the identical file being picked up as a problem on one computer and not another? Is it the location of it that is at issue?

I would sure like to hear back from you. This has me puzzled and more than a little concerned!

Edited to add: Program version 4.34.1000, core 4658, trace 2470
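The check described in the post above (hashing two copies of the same file and comparing the results, then noting that only the timestamps differ) can be scripted. The following is an added example, not code from the original thread or from SUPERAntiSpyware: it computes MD5, SHA1 and SHA256 for two files, compares them, and reports which filesystem metadata differs. ssdeep is a fuzzy hash outside the standard library and is left out. The `demo()` function builds two constructed sample files with identical bytes and different modification times to mirror the situation in the post; the bytes, paths and timestamps are made up for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime

ALGORITHMS = ("md5", "sha1", "sha256")


def digests_of_bytes(data, algorithms=ALGORITHMS):
    """Hex digests of an in-memory byte string, one per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def file_digests(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hex digests of a file, read in chunks so large binaries need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_metadata(path):
    """Size and modification time: filesystem facts that can differ between identical copies."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M:%S"),
    }


def compare_copies(path_a, path_b):
    """Report whether two copies are byte-identical and which metadata fields differ.

    If every digest matches but a scanner still treats the copies differently,
    the difference lies outside the file content (path, definitions version,
    scanner context), which is the question the post raises.
    """
    digests_a, digests_b = file_digests(path_a), file_digests(path_b)
    meta_a, meta_b = file_metadata(path_a), file_metadata(path_b)
    return {
        "identical_content": digests_a == digests_b,
        "digests": {"a": digests_a, "b": digests_b},
        "metadata_differences": {
            k: (meta_a[k], meta_b[k]) for k in meta_a if meta_a[k] != meta_b[k]
        },
    }


def demo():
    """Constructed sample: two byte-identical files with different modification times."""
    workdir = tempfile.mkdtemp()
    # Constructed bytes; this is not a real executable.
    payload = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real WINNT.EXE\n"
    path_a = os.path.join(workdir, "copy_a", "WINNT.EXE")
    path_b = os.path.join(workdir, "copy_b", "WINNT.EXE")
    for p in (path_a, path_b):
        os.makedirs(os.path.dirname(p))
        with open(p, "wb") as fh:
            fh.write(payload)
    # Mirror the post: same bytes, different mtimes (2004-08-09 vs 2004-08-04, UTC epochs).
    os.utime(path_a, (1092009600, 1092009600))
    os.utime(path_b, (1091577600, 1091577600))
    return compare_copies(path_a, path_b)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report whose `identical_content` is true and whose only metadata difference is `modified`; pointing `compare_copies()` at the two real paths from the post would give the same kind of answer without a third-party scan site.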



Hi.

When the scan completes, you'll have the option to report the file as a false positive. The SAS team will check it out, and make the appropriate changes if needed.


Thanks for your response. I am baffled as to why a file scans as clean on one machine and a trojan on another when analysis by Virustotal and Jotti show the identical numbers. To me, other than the dates, they appear to be exactly the same.

Can I expect an e-mail, and how long would that take? I filed a false positive report over 12 hours ago already, the signatures have been updated since, and I'm still getting the same scan result. :( This is a file I certainly don't feel I can easily quarantine, not without some consequences.


Slow down.


We have received your report and file, and have adjusted our definitions. We don't take false positives lightly and properly review all reports before making changes to the definitions. The next release (about an hour from now) should resolve this issue. Please report back the results.


@Superantispy,

Thank you, and please forgive my impatience. I'll check again later this evening and post the results.


Just updated the affected computer's SAS definitions and scanned that one file. (I'll do the rest later, other people need to use that computer at the moment.) Looks like it's resolved now. Thanks so much, you guys are great! :-D


Interesting. If you fixed this then why did my laptop just detect this as a virus after previously detecting another false positive 12 hours earlier? You can read my other post I just made on it.

This topic is now closed to further replies.