mchain

SAS found Trojan.Unclassified-Packed/Suspicious

SAS found a file on 7/08/10 named Trojan.Unclassified-Packed/Suspicious with the following path: Documents and Settings\(name of folder withheld)\Local Settings\Temp\HealthCheck\Antivirus\Opswat\OpswatProcessScanner.dll on Windows XP SP3.

Interestingly enough, SAS was unable to see this file while run in administrator mode, only when in user mode. While in user mode, it would find and quarantine this file, but when I looked for it in admin mode, it would still be there.

F-Secure says this file is clean even though checking for Digital Signatures gives an invalid result. I have contacted them twice about this file and the only response I have gotten so far is from their automated server.

I have erased this file from my system using a DoD process and also had to turn off System Restore to remove it completely from my system.

I have had some weird events on my machine when trying to install an update to an existing program, i.e., a dialog box would show stating I cannot install this program without administrator privileges while I am running as admin; the box would display for about four seconds, disappear, and the installation would continue and complete. I have not seen this since removing this file.

F-Secure says this file is clean. Is this a false-positive?

Let me know what other information you require to research this further.

Welcome to the SAS forum Mchain.

Without a sample, there's no way for SAS to determine if it was a FP.

Here is the original file. As I said, I removed the file using a DoD process but I saved it to a floppy disk. I tried using the first upload option and that said it would not accept that type of file. I tried modifying the uploader settings to a flash-based, no luck.

So, how do I get the file to you?

BTW, F-Secure says the file is clean, even though the digital signatures produce an error.

You can also submit through www.virustotal.com

I already forgot about that:)

Mchain,

SAS was just recently included in the scanners at VirusTotal.

On 7/13/2010 at 8:11 AM, Seth said:

You didn't say you saved it a floppy, but I'm glad you did:)

http://cdn.superantispyware.com/SUPERSampleSubmit.exe

Sent via link: Don't know yet if successful.

As an aside, there were several other folders and files involved, i.e. \HealthCheck\Antivirus\Opswat, etc, along with this possibly questionable file.

Updated today with the latest MS security hotfix, something to do with a HelpCenter vulnerability, as well as the standard malware cleaner they send, then looked for these folders and the files associated with them, and could not find them anywhere on my system afterwards.

Near as I can tell, the only thing wrong with this file was that the digital signatures and/or certificate(s) were expired.

Also scanned with VirusTotal. Result was 0/42, but it did say the above was expired, which is what I see on my system.

If MS removed these folders and files, then maybe there is or was something wrong with this file?

Are you using the latest version and def files?

Using version 4,40,0,1002 with latest definitions. Latest Version?

As I said before, these files and folders were removed.

Using version 4,40,0,1002 with latest definitions. Latest Version?

As I said before, these files and folders were removed.

Google it buddy, you'd have better luck there. No one home here it seems!

Are you using the latest version and def files?

Yes, I am using the latest version and defs. Is this a false positive or not? I haven't heard anything from Super since I sent the file off for analysis.

Given the VirusTotal outcome, I'd say it was a false positive.

More specifically, the file was probably corrupt, which affected the signature.

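The reply above turns on one distinction: a signature that fails because the certificate expired versus one that fails because the file bytes no longer match the signed hash (a corrupt or altered file). The following is an added example, not code from the thread or from SUPERAntiSpyware; it uses Windows PowerShell's built-in Get-AuthenticodeSignature to report which case applies, and the file path is a placeholder.

```powershell
# Added example (not from the thread). Classifies an Authenticode verdict so that
# an expired signing certificate can be told apart from a corrupt or modified file.
# The path passed at the bottom is a placeholder; point it at the DLL under review.
function Get-SignatureVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $now  = Get-Date

    # SignatureStatus values: Valid, NotSigned, HashMismatch, NotTrusted,
    # NotSupportedFileFormat, Incompatible, UnknownError.
    $verdict = switch ($sig.Status) {
        'Valid'        { 'Signature intact and chain trusted' }
        'HashMismatch' { 'File bytes do not match the signed hash: corrupt or modified' }
        'NotSigned'    { 'No Authenticode signature present' }
        'NotTrusted'   { 'Signed, but the chain does not end in a trusted root' }
        default        { "Verification failed: $($sig.StatusMessage)" }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Verdict     = $verdict
        Signer      = if ($cert) { $cert.Subject } else { $null }
        CertExpired = if ($cert) { $cert.NotAfter -lt $now } else { $null }
        # A countersignature timestamp keeps a signature valid after the signing
        # certificate expires; without one, expiry alone can make the file look bad.
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

Get-SignatureVerdict -Path 'C:\PLACEHOLDER\OpswatProcessScanner.dll' | Format-List
```

A HashMismatch result points at the corrupt-file explanation given above; CertExpired set with Timestamped false, and Status something other than HashMismatch, points at a merely expired certificate.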
Given the VirusTotal outcome, I'd say it was a false positive.

More specifically, the file was probably corrupt which affected the signature.

I would like to thank each person who has taken the time to answer my questions about the false positive result. I know a file can be modified off-site and placed on the system, and that may have been what happened here. There have been no system crashes of any kind, but the shortcut to F-Secure was modified somehow and showed as a generic, non-Windows icon. This is interesting because of the now infamous .lnk and .pif file exploit(s), and this occurred before these exploits became public knowledge.

As of the moment, my system seems to be running just fine.

Is this a false positive or not? I haven't heard anything from Super since I sent the file off for analysis.

No surprises there.
