FP on EazyBackup4 (variant of Win32/Induc.A)

Discussion in 'NOD32 version 2 Forum' started by FanJ, Aug 19, 2009.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    NOD32 is giving a False Positive on a file that belongs to EazyBackup4:

    C:\Program Files\ezBackup4\EZNETSCP6.DLL - a variant of Win32/Induc.A virus

    This is most definitely a false positive; please fix it!

    EazyBackup4 is a backup program.
    It can be found here:
    http://ajsystems.com/eazybackup/ezb.html

    I will inform the company AJSystems.

    NOD32 v2 info:
    NOD32 antivirus system information
    Virus signature database version: 4348 (20090819)
    Dated: woensdag 19 augustus 2009
    Virus signature database build: 16679

    Information on other scanner support parts
    Advanced heuristics module version: 1096 (20090809)
    Advanced heuristics module build: 1205
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1089 (20090721)
    Archive support module build version: 1232

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.70.39
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version: 2.70.39
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.70.39
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Whoops .... 16 out of 41 at VT are saying it is infected.... oops...
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
  4. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks much Ron for that info !

    I have just submitted the file to Eset (sorry that it took me so long!!).
    A copy of the email was also sent to AJSystems.

    Maybe I will need to apologize for that "This is most definitely a false positive".
    Eset, please have a look at the file, please.
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    In the meanwhile EazyBackup4 has been updated by AJSystems, as I noticed on my system while looking for an update.

    I hope that both ESET and AJSystems will have more info soon.
    I'll also get back to you.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Thanks again, Ron !!!

    I'm in the meanwhile in contact with AJSystems about this.

    (I do hope that Eset will contact me either here in this thread, or by private IM here on the board, or by email.)

    I'll get back to you ;)
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    OK, after this posting I choose to stay out of this further.
    From one company (Eset) I didn't hear back at all. NOD32 was telling that the file was infected, as did 15 other scanners at VT.
    The other company (AJSystems) did send me one email in which I was told that indeed a lot of scanners were telling that the file was infected since 18 Aug 2009, that they didn't agree with that and that they do consider it FPs caused by some debug-code placed there by them.
    Anyway, as I was told, AJSystems did remove that debugging code and recompiled it without that code.
    Users of EazyBackup4 can use its internal updater to get the new one, which I did. But after that I decided to install a complete fresh version.
    I have scanned the new file at VT, and it doesn't get any more warnings there.

    End of story, as far as I am concerned.
     
  9. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    It is a self-replicating infector, not debug code. I don't believe they put this virus code into the sources intentionally.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's right, I saw your query already answered here, otherwise I'd have replied to you in this thread.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Marcos,

    Thanks, yes I understand what you're saying.
    Actually I was hoping for a reply that Eset looked at the file and what the result of that analysis was.

    Anyway, it is not very important anymore since AJSystems did recompile their programs. I've got more email-contact with them.
    For info about the recompiling made by AJSystems, see:
    https://www.wilderssecurity.com/showthread.php?t=251489

    BTW: here is the blog from Randy Abrams called "The Retro-Virus" from 19 Aug 2009:
    http://www.eset.com/threat-center/blog/
     
    Last edited: Aug 20, 2009