BoClean trojan warning on msfeedssync.exe

Discussion in 'other anti-trojan software' started by hekegeous, Jan 29, 2008.

Thread Status:
Not open for further replies.
  1. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    I woke up yesterday to find the first BoClean detection alert I have ever witnessed. It reported that a trojan, WEBDL4LITE, has been found in memory and was killed along with a warning that the file that started it is still on the disk. What I found strange about it is the following:

    The file in question, msfeedssync.exe (approx 1Xkb in size, close to what CA reports to be the original WEBDL variant's size) seems to belong to Windows and does not appear to have been modified since its original creation date.

    The warning occurred only once; after closing the original detection window it hasn't popped up again, even though the msfeedssync app supposedly runs at regularly scheduled intervals.

    The only reference to this file and suspicious activity / detections / fp was on the Kaspersky forums, where it was flagged as a fp with very little info. Avira remained silent the whole time; VirusTotal and Jotti found nothing in the file, which was expected, and neither did Kaspersky's file upload scanner. VT reported the file as having been scanned already on the 26th, so there is a chance that someone else ran into the same detection.

    No unknown new executable files dated 01/28/08 can be found on the machine. Machine performance has not been visibly degraded or affected in any way.

    Any ideas as to why the detection popped up? False positive? Exploit? Random disturbance in the Force?

    Submitted file to Comodo, no response yet.
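    A defender-side triage script for the checks described in this post (signature, hash, timestamps, version resource), added here as an example and not posted by anyone in the thread. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and the default System32 location of msfeedssync.exe; the verdict strings are my own labels.

```powershell
# Added example (not from this thread): triage a Windows system binary that an
# anti-trojan scanner has flagged, to help decide between a false positive and a
# tampered file. Assumes Windows PowerShell 4.0+ and the default System32 path.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\msfeedssync.exe')
)

function Test-SystemBinary {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $item = Get-Item -LiteralPath $FilePath
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    # Authenticode: an unmodified Microsoft binary validates and names Microsoft as
    # the signer. Any byte-level change breaks the signature, so this is the
    # strongest single check available locally.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    # Timestamps: a binary patched in place normally has LastWriteTime newer than
    # CreationTime. Files laid down by setup often show the reverse order, so this
    # is only a hint in either direction, never proof.
    $writtenAfterCreate = $item.LastWriteTime -gt $item.CreationTime

    # Verdict labels are the example's own, not a scanner's classification.
    $verdict = if ($sigOk -and -not $writtenAfterCreate) { 'Signed and untouched: probable false positive' }
               elseif ($sigOk) { 'Signature valid; review the timestamps' }
               else { 'Signature missing or invalid: investigate further' }

    [pscustomobject]@{
        Path               = $item.FullName
        SizeBytes          = $item.Length
        SHA256             = $hash     # look this up on VirusTotal/Jotti without uploading the file
        SignatureStatus    = $sig.Status
        Signer             = $signer
        CompanyName        = $item.VersionInfo.CompanyName
        FileVersion        = $item.VersionInfo.FileVersion
        CreationTime       = $item.CreationTime
        LastWriteTime      = $item.LastWriteTime
        WrittenAfterCreate = $writtenAfterCreate
        Verdict            = $verdict
    }
}

Test-SystemBinary -FilePath $Path | Format-List
```

    On Vista and later, `sfc /verifyfile=<path>` gives an independent check of the same file against the Windows component store.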
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Looks like maybe a FP.

    [image attachment: IE7.png]

    Seems like since Comodo took over BOClean from PSC, there's been a lot more FPs.
     
  3. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Thanks for the reply, LoneWolf. If it kept popping up constantly I would have written it off as a fp, sent it to Comodo and moved on. The fact that it only came up once is what's keeping me suspicious.
     