Wilders Security Forums  

#1
October 20th, 2003, 04:01 PM
minacross (Frequent Poster)
Join Date: May 2002
Location: Egypt
Posts: 653
Urgent: False positives

After today's update, NOD32 is showing false positives regarding 2 setup files of dic. programs that I had on my HDD for months now.

Scanning Log
NOD32 version 1.537 (20031020)
Command line: /ah /all /shext C:\ D:\ E:\
Checking CRC of the NOD32.EXE file: status OK
Operating memory is OK.
date: 20.10.2003 time: 21:27:09
Scanned disks, directories and files: C:\; D:\; E:\
C:\WIN98SE\WIN386.SWP - error opening (file locked) [4]
C:\WIN98SE\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip > ZIP > RELATED.HTM - error - file is password protected
C:\WIN98SE\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip > ZIP > sbRecovery.ini - error - file is password protected
E:\CDs\CD_1\Internet Stuff\Documents\Information Technology\Companies\ALWIL Software\Others\avast! antivirus program - virus protection for any computer from PDA, PC to Server & Network - avast! Antivirus ~ Versions comparison_files002.tmp\button-free-download.gif - error opening [4]
E:\CDs\CD_1\Internet Stuff\Documents\Information Technology\Companies\ALWIL Software\Others\avast! antivirus program - virus protection for any computer from PDA, PC to Server & Network - avast! Antivirus ~ Versions comparison_files002.tmp\page_layout_print.css - error opening [4]
E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\wordweb.exe - Win32/IRC.SdBot.EC trojan
E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\QuickDic57_db41.exe - Win32/IRC.SdBot.EC trojan

number of files scanned: 71367
number of viruses found: 2
time of termination: 21:54:22 total scanning time: 1633 sec (00:27:13)
Notes:
[4] File cannot be open. It is being exclusively used by another application or operating system.


Any comment from ESET's guys?
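
A triage sketch for the scan-log format posted above, as an added example that is not part of the original post and not ESET tooling: it separates detection lines from scan errors and lists detection names reported on several files under one signature version. The line grammar is an assumption inferred only from the lines shown in this thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the log lines from the post above, embedded so this runs offline.
SAMPLE_LOG = r"""NOD32 version 1.537 (20031020)
Command line: /ah /all /shext C:\ D:\ E:\
C:\WIN98SE\WIN386.SWP - error opening (file locked) [4]
C:\WIN98SE\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip > ZIP > RELATED.HTM - error - file is password protected
E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\wordweb.exe - Win32/IRC.SdBot.EC trojan
E:\CDs\CD_1\Internet Stuff\Downloads\Dictionary\QuickDic57_db41.exe - Win32/IRC.SdBot.EC trojan
number of viruses found: 2
"""

VERSION_RE = re.compile(r"^NOD32 version (\S+) \((\d{8})\)")
# Object lines start with a drive letter; the path itself may contain " - ".
ERROR_RE = re.compile(r"^([A-Za-z]:\\.*?) - (error\b.*)$")
# Assumption: an object line whose message does not start with "error" is a detection.
OBJECT_RE = re.compile(r"^([A-Za-z]:\\.*) - (.+)$")

def parse_scan_log(text):
    """Return (signature_version, detections, errors) from a scan log."""
    version, detections, errors = None, [], []
    for line in text.splitlines():
        line = line.strip()
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m.group(1), m.group(2)))
            continue
        m = OBJECT_RE.match(line)
        if m:
            # "archive > ZIP > member": keep only the container on disk.
            container = m.group(1).split(" > ")[0]
            detections.append((container, m.group(2)))
    return version, detections, errors

def repeated_detections(detections, min_files=2):
    """Detection names reported on at least min_files distinct files."""
    by_name = defaultdict(set)
    for path, name in detections:
        by_name[name].add(path)
    return {n: sorted(p) for n, p in by_name.items() if len(p) >= min_files}
```

One detection name appearing on several long-resident files right after a signature update is a cue to submit the samples to the vendor before deleting anything.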
#2
October 20th, 2003, 08:11 PM
jocera (Infrequent Poster)
Join Date: Jan 2003
Posts: 22
Re: Urgent: False positives

Me too, false positive:

C:\Program Files\WinRAR\Default.SFX - Win32/IRC.SdBot.EC trojan

Sent it to ESET already.
#3
October 20th, 2003, 11:49 PM
radicalb21 (Regular Poster)
Join Date: Jun 2003
Location: USA
Posts: 164
Re: Urgent: False positives


It's radicalb21. I have just tested and gotten the same result as you. First, what version of WinRAR are you running? I am running WinRAR 3.20. Also, could you please post a copy of your Virus Log as well as a copy of your system information as screenshots. Second, could you please send a copy of the quarantine files to samples@nod32.com.

Also, if you are running Windows XP or ME you will want to delete your restore points and then restart your computer. Right-click My Computer, choose Properties, select the System Restore tab and put a check mark in Turn off System Restore, then click Apply, then OK. You will also get another box come up telling you that you are disabling System Restore; just click OK. Next, restart your system. When you get back to your desktop, right-click on My Computer and choose Properties, then select the System Restore tab and take the check mark out of Turn off System Restore, then click Apply, then OK. Next go to Start, then All Programs, then Accessories, then System Tools, then System Restore. Then click on System Restore, select Create a restore point and name it whatever you want, then click OK.


Time Module Object Name Virus Action User Info
10/20/2003 23:08:52 PM AMON file C:\Documents and Settings\v1ru5\My Documents\teamshadow_ecqttc.sfx.exe Win32/IRC.SdBot.EC trojan error occured while quarantining the object - - error while deleting - error while deleting - error while deleting - error while renaming
10/20/2003 23:08:00 PM AMON file C:\Documents and Settings\v1ru5\My Documents\teamshadow_ecqttc.sfx.exe Win32/IRC.SdBot.EC trojan quarantined - deleted V1RU5-RUI01HDAI\v1ru5


NOD32 Antivirus System information
Virus signature database version: 1.537 (20031020)
Dated: Monday, October 20, 2003
Virus signature database build: 3989

Information on other scanner support parts
Advanced heuristics module version: 1.003 (20030805)
Advanced heuristics module build: 1032
Archive support module version: 1.005 (20030924)
Archive support module build version: 1061

Information on installed components
NOD32 For Windows NT/2000/XP - Base
Version: 2.000.6
NOD32 For Windows NT/2000/XP - Internet support
Version: 2.000.6
NOD32 for Windows NT/2000/XP - Standard component
Version: 2.000.6

Operating system information
Platform: Windows XP
Version: 5.1.2600 Service Pack 1
Version of common control components: 5.82.2800
RAM: 512 MB
Processor: Intel(R) Pentium(R) 4 Mobile CPU 1.50GHz (1495 MHz)

I would appreciate a response from an ESET Moderator, Forum Moderator or member as well as an Administrator. I believe this to be a false positive. I scanned this file before trying to do a self extracting exe file. I tried this both in a .rar and .zip format and both times AMON popped up numerous times about this. Any and all help would be appreciated. I also scanned the file in question numerous times with online scanners looking at that specific file. These online services didn't detect the trojan it said I have. I will be forwarding the quarantined file to ESET samples email address.
#4
October 21st, 2003, 01:41 AM
rodzilla (Frequent Poster)
Join Date: Jun 2002
Location: australia
Posts: 653
Re: Urgent: False positives

> I tried this both in a .rar and .zip format and both times AMON popped up numerous times about this.

This is a false positive introduced today with update 1.537.

The bug will be rectified as soon as possible.

Which version/flavor of ZIP are you using? I have no FPs with self-extracting PKZip or WinZIP archives ... only with self-extracting WinRAR v3.20 archives.
__________________
-[ www.eset.com.au ]-
#5
October 21st, 2003, 06:15 AM
FanJ
Posts: n/a
Re: Urgent: False positives

Hi Rod,

Is this the fix?
NOD32 - v.1.538 (20031021)

Posted in the Update Alerts section:
http://www.wilderssecurity.com/showthread.php?t=15230

Cheers, Jan.
 

All times are GMT -4. The time now is 07:44 AM.

