Tiny Watcher download infected with 3 trojans by virustotal

Discussion in 'other anti-malware software' started by Horus37, Dec 23, 2007.

Thread Status:
Not open for further replies.
  1. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I downloaded Tiny Watcher from the DonationCoders website and ran it through VirusTotal and Jotti. VirusTotal reported 3 trojans and Jotti reported one trojan. I see people around here using Tiny Watcher. Did you download it from the DonationCoders website, and did you also run the file through these virus-detecting websites and get these results? Could there be that many false positives on this file?
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Check the hash:
    - MD5: 2c2154e64f154aad9c4043df331423c3
    - SHA1: c2939b89d6a9b5c958e5ac1b70497217990b6515

    EDIT:
    eSafe, Prevx and TheHacker have a FP with the installer.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Dunno what's up there, but grab what should be a clean copy from SnapFiles and run WatcherSetup15.exe through Jotti.

    This is my result:

    Ikarus: Found Trojan-PWS.Win32.Delf.ho
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    DonationCoders redirects to SnapFiles :)
    Ikarus doesn't have this FP at Virustotal (Jotti uses Linux)
     
  5. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I have the same MD5 as posted above, so I'm hoping that is OK. Here are the results from VirusTotal.

    • eSafe - suspicious Trojan/Worm
    • Prevx1 - Heuristic: Suspicious File Which Interferes With Vulnerable Files Like The HostsFile
    • TheHacker - Trojan/Spy.GhostKeyLogger.c

    Can I feel safe?

    Is SnapFiles a known safe place to download from? Says on their website no adware, no spyware, but you never know.
     
    Last edited: Dec 23, 2007
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Then, don't worry :) Matching checksums are your best insurance against tampering (although the MD5 algorithm is considered weak nowadays).
    I have the same results and my copy is several months old.
    Let's analyze the report:
    - eSafe. This is a gateway scanner and it's known to have a paranoid heuristic scanner which flags most runtime packed files. TW's setup file is packed with UPX (according to FileAlyzer and Virustotal) so a FP isn't a surprise.
    - Prevx. It's a heuristic detection, probably made by the sandbox. Tiny Watcher monitors the hosts file, so this behaviour is triggering a somewhat aggressive heuristic rule.
    - TheHacker. It seems to be a signature detection. Probably a bad signature or a mistake made by the virus lab.

    Virustotal and Jotti are powerful tools. However, they may cause harm if you don't at least partially understand the report. Also, they might use older versions of the scanning engines or different settings (this is evident when scanning riskware/PUPs).
    It's one of the major download sites (together with MajorGeeks, Softpedia, Download.com) so it's fairly safe. However, it's always better to download from the author's site if possible.
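    The hash check recommended in post 2, with the MD5 caveat from post 6, worked through as an added Python example (not code from the thread or from Tiny Watcher's author). It streams a file through MD5, SHA-1 and SHA-256 and compares against the digests posted above; the file it writes is a constructed stand-in, not WatcherSetup15.exe, so the comparison against the posted hashes is expected to fail while the comparison against the file's own digests succeeds.

```python
import hashlib
import hmac
import os
import tempfile

# Digests posted for WatcherSetup15.exe earlier in this thread.
PUBLISHED = {
    "md5": "2c2154e64f154aad9c4043df331423c3",
    "sha1": "c2939b89d6a9b5c958e5ac1b70497217990b6515",
}

def digest_file(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_download(path, published):
    """Compare the file against every published digest.

    Returns (all_match, {algorithm: bool}). Comparison is case-insensitive and
    uses compare_digest; an algorithm this Python cannot compute counts as a
    miss. MD5 alone is weak against crafted collisions, so every published
    digest must match, and prefer SHA-256 whenever the author offers one.
    """
    computable = tuple(n for n in published if n in hashlib.algorithms_available)
    actual = digest_file(path, computable) if computable else {}
    results = {}
    for name, expected in published.items():
        got = actual.get(name, "")
        results[name] = hmac.compare_digest(got.lower(), expected.strip().lower())
    return all(results.values()), results

def write_constructed_sample():
    """Write a small constructed stand-in for an installer (not the real file)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not WatcherSetup15.exe")
    return path

if __name__ == "__main__":
    sample = write_constructed_sample()
    print("matches posted hashes:", verify_download(sample, PUBLISHED))  # False
    print("matches own hashes:", verify_download(sample, digest_file(sample)))  # True
```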
     
  7. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Thanks for the info. I feel a bit better now. I was going to recommend this app to a friend and didn't want to infect them with a nasty bug accidentally.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    IrfanView also had 3 infections according to VirusTotal, while Jotti didn't report anything.
     
  9. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    The main problem is this.

    You are scanning with 32 scanners on VirusTotal. Consider that even if the chance of a FP for one scanner individually is low, when you have 32 different chances of a FP, this accumulates to a fairly high chance that at least one of them will alert.

    Add the facts that 1) many of the scanners are set to maximum heuristics (to look good, because people are using VirusTotal to judge the quality of scanners), and 2) you are uploading security-related software which does a lot of unusual things, and I reckon the chance of a FP is much higher than usual.

    If each scanner has a 1% chance of a FP, there is a 1 - 0.99^32 = 27% chance of at least one hit.
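    The 1 - 0.99^32 figure above worked through in Python, as an added example that is not from the thread. It goes a step further than the post: per-scanner rates can differ, and the binomial tail answers how surprising three simultaneous hits out of 32 would be under the same independence assumption. All rates used are assumed values for illustration, not measured detection statistics.

```python
from math import comb, prod

def p_any_fp(per_scanner_fp, n_scanners):
    """P(at least one false positive) with n independent scanners that share
    one FP rate: the 1 - 0.99^32 calculation from the post."""
    return 1.0 - (1.0 - per_scanner_fp) ** n_scanners

def p_any_fp_mixed(fp_rates):
    """Same model, but each scanner has its own FP rate (still independent)."""
    return 1.0 - prod(1.0 - p for p in fp_rates)

def p_at_least_k_fps(per_scanner_fp, n_scanners, k):
    """P(k or more scanners alert) under the same model: binomial upper tail.
    This is the question "how likely are 3 simultaneous false positives?"."""
    p = per_scanner_fp
    return sum(comb(n_scanners, i) * p ** i * (1.0 - p) ** (n_scanners - i)
               for i in range(k, n_scanners + 1))

def expected_fps(fp_rates):
    """Expected number of false alerts on one upload: the sum of the rates."""
    return sum(fp_rates)

if __name__ == "__main__":
    print(f"1 scanner at 1%:   any FP = {p_any_fp(0.01, 1):.1%}")
    print(f"32 scanners at 1%: any FP = {p_any_fp(0.01, 32):.1%}")
    print(f"32 scanners at 1%: 3+ FPs = {p_at_least_k_fps(0.01, 32, 3):.2%}")
    # Assumed, constructed rates: 29 engines at 1% plus three heuristics-heavy
    # engines at 5%, to show how a few aggressive scanners dominate the result.
    rates = [0.01] * 29 + [0.05] * 3
    print(f"mixed rates: any FP = {p_any_fp_mixed(rates):.1%}, "
          f"expected alerts = {expected_fps(rates):.2f}")
```

Under a flat 1% rate, three or more independent hits on one file is well under 1%, which is why a cluster of alerts from heuristics-heavy engines on a packed security tool says more about those engines' settings than about the file.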
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I have scanned TW with DrWeb, Avira, A-squared, & Threatfire. It is clean.
     
  11. kubicle

    kubicle Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    23
    Location:
    Tokyo
    Same SHA-1 code as the installer .exe on my disk... glad to know I am safe :D

    BTW, SnapFiles are not generous enough to do the downloads; their page is getting the file from DonationCoders who is hosting me for free...
    On DonationCoders I redirected to SnapFiles to have a single place to count the downloads.

    Also: I know this installer as an executable is quite old fashioned now; XP is already alerting because of the lack of digital signature, etc. and maybe Vista complains even more. If you think there are easy steps to make the installer more "conforming" to today's policies, please let me know.

    Cheers,
    Olivier
     
  12. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    For SnapFilesPro subscribers there is a SnapFiles local download. For free users though, it's only through DonationCoders.

    SnapFiles provides downloads from their site as a paying subscriber feature.
     