The Binary Zoo
Author Topic: Trojan False Positive?  (Read 4889 times)
PantherDave
« on: May 27, 2008, 03:38:41 PM »

I thought you should know I recently tried out Spyware Terminator with ClamAV integrated, and ClamAV identified DUO and DUOtris as the PWS.Wexd Trojan.  I'm sure it's not, so you might want to talk to the ClamAV people about getting that fixed.
Michael_King
« Reply #1 on: May 27, 2008, 03:42:59 PM »

Dammit, we have been discovered, all those bank account numbers, pictures of partners, exposed!

I'm only joking.

I've not had any problems with the products with my virus protection (Trend Micro PC-Cillin), so I'll have a look with ClamAV, and at the same time, I'll just make sure you don't have a virus in your system that is just spreading.
fog
« Reply #2 on: May 27, 2008, 06:14:58 PM »

Hi PantherDave and welcome.

Yeah, it's a false positive.  I actually contacted them (ClamAV) about it when it was first brought to my attention at least a year ago.

I'm quite disappointed if they still haven't done anything about it yet, although TBH it doesn't surprise me as false positives will be a long way down on their list of priorities compared to keeping up with all the genuine viruses out there.
EricT
« Reply #3 on: May 27, 2008, 06:30:00 PM »

I'm bored, so I thought I'd take a look at what else comes up between Binary Zoo and just some random DBC/DBP EXEs.

So first I did a random DBC 1.13 EXE:

Code:
File cubesnshit.exe received on 05.27.2008 19:56:01 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.28.0 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 -
Avast 4.8.1195.0 2008.05.27 -
AVG 7.5.0.516 2008.05.27 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.27 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 -
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5304 2008.05.27 -
Microsoft None 2008.05.27 -
NOD32v2 3135 2008.05.27 -
Norman 5.80.02 2008.05.27 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

Random DBC EXE comes up clean, so let's check out DUO:

Code:
File DUO.exe received on 05.27.2008 19:59:43 (CET)

Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.28.0 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
Avast 4.8.1195.0 2008.05.27 -
AVG 7.5.0.516 2008.05.27 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.27 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5304 2008.05.27 -
Microsoft None 2008.05.27 -
NOD32v2 3135 2008.05.27 -
Norman 5.80.02 2008.05.27 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

And DUOtris (from DBP 1.2, I think):

Code:
File DUOtris.exe received on 05.27.2008 20:04:45 (CET)

Result: 3/32 (9.38%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.28.0 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
Avast 4.8.1195.0 2008.05.27 -
AVG 7.5.0.516 2008.05.27 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 Trojan.PWS.Wexd
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.27 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 W32/Heuristic-138!Eldorado
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5304 2008.05.27 -
Microsoft None 2008.05.27 -
NOD32v2 3135 2008.05.27 -
Norman 5.80.02 2008.05.27 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

I can't find anything at all for the one labeled Heuristic... but for the one Clam finds:


Quote
Virus Profile: PWS-Wexd
Risk Assessment    
  - Home Users:    Low
  - Corporate Users:    Low
Date Discovered:    7/10/2003
Date Added:    7/10/2003
Origin:    Unknown
Length:    327168 bytes (.exe)
Type:    Trojan
SubType:    Password
DAT Required:    4277
Virus Characteristics

This is a password stealing trojan. When executed, the below window is displayed:

Identificador de chamadas

There are three components to this trojan:

    * ebina.exe
    * thost.dll
    * osyst32.dll

The trojan drops the following files into the %WINDIR% directory when run:

    * dod_<LOGIN name>_<COMPUTER name>10d001.ux (encrypted)
    * ech.exe (trojan body)
    * mct.sys (log file)
    * sct.sys (log file)
    * win.txt (encrypted information)
    * wini.sys (contains information about system's IP address)

Where %WINDIR% is C:\windows or C:\winnt

When the following websites are visited, the trojan will record the keyboard and mouse inputs entered and save the information in encrypted format.

    * https://bankline.itau.com.br/GRIPNET/gracgi.ex   
    * https://ibpf.unibanco.com.br/index.asp     
    * https://ibpf.unibanco.com.br
    * https://wwws3.hsbc.com.br/ITE/common/html/frameset.htm?central=/HOB-INFRA/servlets/Migrac
    * https://internetcaixa.caixa.gov.br/Internet
    * https://www.realsecureweb.com.br
    * https://wwwss.bradesco.com.br/scripts/ib2k1.dll
    * https://netbanking2.banespa.com.br/default.asp
    * https://piloto.abnamro.com.br/scripts/     
    * https://www2.bancobrasil.com.br/aapf/aai/login.pbk
    * https://ibank.besc.com.br/CWS/CONTEXTO
    * https://www2.bancobrasil.com.br/aapf
    * http://siteseguro.ib.banco1.net/asp/login/login.asp?agenci
    * https://wwws.nossacaixa.com.br/logincheck.asp
    * https://empresarial.unibanco.com.br/ 

The file is sent via the SMTP server smtp.bol.com.br to the author's email.


Essentially harmless, and most likely a case of mistaken identity, for that matter. Unless Chris has been brushing up on his Brazilian.

And for the hell of it, here comes Echoes:

Code:
File echoes.exe received on 05.27.2008 20:17:15 (CET)

Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.28.0 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
Avast 4.8.1195.0 2008.05.27 -
AVG 7.5.0.516 2008.05.27 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.27 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 W32/Heuristic-138!Eldorado
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5304 2008.05.27 -
Microsoft None 2008.05.27 -
NOD32v2 3135 2008.05.27 -
Norman 5.80.02 2008.05.27 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

Thar be that heuristic again...

Let's check out a random DBP EXE:

Code:
File cubesnshadersnshit.exe received on 05.27.2008 20:23:59 (CET)

Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.28.0 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
Avast 4.8.1195.0 2008.05.27 -
AVG 7.5.0.516 2008.05.27 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.27 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 W32/Heuristic-138!Eldorado
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5304 2008.05.27 -
Microsoft None 2008.05.27 -
NOD32v2 3135 2008.05.27 -
Norman 5.80.02 2008.05.27 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

There we go. They're on another DBP EXE.

So in the end, it seems like a confusion between the way DBP/DBC compiles the EXEs and how those three scanners check them.
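An added example (not EricT's code, and nothing from Binary Zoo or the games) that scripts the comparison done by hand in the post above: line the per-engine verdicts up across several binaries from the same compiler, treat a hit that also fires on a throwaway test program from that compiler as a toolchain heuristic, and leave anything else marked for a closer look. The report text inside the block is constructed, abridged from the rows pasted above, and the stand-in game bytes at the bottom are constructed too; the "reference build is benign" assumption only holds because the analyst compiled that test program themselves. The IOC strings are taken from the PWS-Wexd profile quoted above, so a loose signature hit on a game binary can be checked against the indicators the real trojan carries:

```python
"""Differential triage of multi-engine AV reports, plus an IOC string check.

Added example, not code from the Binary Zoo thread or its games.  Input is
the plain-text report format pasted in the thread ("Antivirus Version Last
Update Result" rows, "-" meaning no detection).
"""
import re
from collections import defaultdict

# Constructed sample input: abridged copies of the thread's report blocks.
# "-" means clean; a row with no result column at all (F-Prot on DUO.exe in
# the thread) is kept as "no verdict recorded", which is not the same as clean.
SAMPLE_REPORTS = """\
File cubesnshit.exe received on 05.27.2008 19:56:01 (CET)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 -
Microsoft None 2008.05.27 -

File DUO.exe received on 05.27.2008 19:59:43 (CET)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
ClamAV 0.92.1 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26
Microsoft None 2008.05.27 -

File DUOtris.exe received on 05.27.2008 20:04:45 (CET)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
ClamAV 0.92.1 2008.05.27 Trojan.PWS.Wexd
F-Prot 4.4.4.56 2008.05.26 W32/Heuristic-138!Eldorado
Microsoft None 2008.05.27 -

File cubesnshadersnshit.exe received on 05.27.2008 20:23:59 (CET)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.05.26 W32/Heuristic-138!Eldorado
ClamAV 0.92.1 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 W32/Heuristic-138!Eldorado
Microsoft None 2008.05.27 -
"""

FILE_RE = re.compile(r"^File (\S+) received on")
# engine, version, yyyy.mm.dd, optional verdict; header/summary lines don't match
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2})(?: (\S+))?\s*$")


def parse_reports(text):
    """Return {filename: {engine: verdict}}; verdict is None when the row
    carried no result column and "-" when the engine reported clean."""
    reports, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = reports.setdefault(m.group(1), {})
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            engine, _version, _date, verdict = m.groups()
            current[engine] = verdict  # None if the column was missing
    return reports


def detections(report):
    """(engine, signature) pairs for every non-clean, non-empty verdict."""
    return {(e, v) for e, v in report.items() if v not in (None, "-")}


def triage(reports, shipped, references):
    """Classify each detection on the shipped files.

    A (engine, signature) pair that also fires on a reference build (a
    throwaway program from the same compiler, assumed benign because the
    analyst wrote it) is attributed to the toolchain.  Anything else stays
    'investigate': the differential alone cannot clear it.
    """
    baseline = set().union(*(detections(reports[r]) for r in references))
    result = defaultdict(dict)
    for name in shipped:
        for engine, sig in sorted(detections(reports[name])):
            verdict = "toolchain-heuristic" if (engine, sig) in baseline else "investigate"
            result[name][(engine, sig)] = verdict
    return dict(result)


def missing_verdicts(reports):
    """Rows whose result column was absent: a report gap, not a clean result."""
    return {(f, e) for f, r in reports.items() for e, v in r.items() if v is None}


# Indicators lifted from the PWS-Wexd profile quoted in the thread.
WEXD_IOCS = [b"ebina.exe", b"thost.dll", b"osyst32.dll", b"smtp.bol.com.br",
             b"bankline.itau.com.br", b"Identificador de chamadas"]


def ioc_hits(binary, iocs=WEXD_IOCS):
    """Return the indicator strings present in the raw bytes of a binary.
    A Wexd sample carries its drop names and SMTP host as plain strings; a
    game binary that only matched a loose signature should carry none."""
    return [i.decode() for i in iocs if i in binary]


if __name__ == "__main__":
    reps = parse_reports(SAMPLE_REPORTS)
    print(triage(reps, ["DUO.exe", "DUOtris.exe"],
                 ["cubesnshit.exe", "cubesnshadersnshit.exe"]))
    print("gaps:", missing_verdicts(reps))
    # Constructed stand-in bytes for a game binary; a real check reads the file.
    fake_game = b"MZ\x90\x00" + b"DarkBASIC" * 8 + b"DUO.exe\x00"
    print("IOC strings found:", ioc_hits(fake_game))
```

The differential alone does not clear the ClamAV hit on DUOtris: Trojan.PWS.Wexd fires on neither reference build, so it lands in "investigate", and it is the absence of the profile's drop names and SMTP host from the binary (together with the compiler's known false-positive history) that makes the case, not the table. The row with a missing result column is reported as a gap rather than counted as clean.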
fog
« Reply #4 on: May 27, 2008, 06:43:44 PM »

You're right, you are bored lol

Of the games we currently have on the site, DUOtris was compiled in the oldest version of DBPro, and that shows the "problem", so it's obviously been around for a number of years.

A quick Google shows there are a load of false positives reported for this, TeamSpeak being the most high-profile.
EricT
« Reply #5 on: May 27, 2008, 07:00:03 PM »

I'm on month 2 of getting paid for no work... I'm bound to be REALLY bored till the end of this (July).
fog
« Reply #6 on: May 27, 2008, 09:09:33 PM »

Quote
I'm on month 2 of getting paid for no work... I'm bound to be REALLY bored till the end of this (July).

Getting paid for doing nothing?  I could do that.  I'm emigrating.  Kang-a-roo!