Help with ¿FP?

Discussion in 'other anti-virus software' started by lordraiden, Feb 16, 2010.

Thread Status:
Not open for further replies.
  1. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    I'm trying to be sure whether a file is malware or not.
    Comodo in paranoid mode (without AV) doesn't make any popup.
    VirusTotal: 30/40 (75%)
    Comodo Cima: -http://camas.comodo.com/cgi-bin/submit?file=7cc08f1573a3c7eafd08de79eb5a738e36d45cfedc4784b55de78e30c69a9b43-

    What do you think? Is there anything similar to CIMA where I can check the file?

    Thanks
     
    Last edited by a moderator: Feb 16, 2010
  2. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    That MD5 shows it's a keygen. Keygens are always loaded with malware.
     
  3. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Sorry but you are wrong, not always.

    After executing the file on a computer I did a full scan with 2 of the AVs that detect it as malware, and also with Malwarebytes, Hitman Pro and Prevx, and they found nothing.

    Update: -http://www.threatexpert.com/report.aspx?md5=c78a7b417054ac28ec856e5ae899c7be-

    It seems that the only reason it is detected is the kind of packer the keygen uses. A very poor rule for an AV.
     
    Last edited: Feb 16, 2010
  4. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    OK o_O
    The result shows it's a backdoor.
     
  5. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Yes, but only because the AV says so. The behavior of the file is safe: it doesn't create new files, doesn't modify memory; see CIMA again.
     
  6. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    The ThreatExpert report clearly shows that it does nothing other than providing a keygen, no backdoor or anything else. Either the packer puts it in the too hard basket for AVs, or any keygen is a PUA - or maybe both.
     
  7. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Thanks for the clarification, each day I trust the AVs less :doubt:
    I hope that CIMA will be integrated into Comodo soon. I have submitted the FP to Comodo, but it would be nice to submit FPs to VirusTotal.
     
    Last edited: Feb 16, 2010
  8. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Why are you interested in whether this keygen is clean? Even if it is clean, most AVs won't adjust signatures for cracks.

    From CAMAS it created a new svchost thread. Possibly some AVs flagged it as a backdoor because of this behaviour. Why would a keygen create this thread or need it? Who knows?
     
  9. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Do you understand why any executable needs an svchost thread? You don't, right? xD

    Another example:
    VirusTotal: 5/40 (12.5%) (Old keygen: 2008.03.06 11:41:04 UTC)
    CIMA: -http://camas.comodo.com/cgi-bin/submit?file=f6ee169a7555549f2418ec45bafc0ca376b5481f8e8a68b8efb531788c289a97- same behavior.
    ThreatExpert: -http://www.threatexpert.com/report.aspx?md5=81404256f98a45571401f7832d4ebfc1- (packed with PE_Patch.UPX)

    I think I have a factory of FPs on my computer xD
     
    Last edited: Feb 16, 2010
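    Where a detection comes from can be checked statically before any sandbox run. The added example below (my own illustration, not code from the thread or from any of the services mentioned) parses the PE section table of a file, computes the MD5/SHA-256 you would paste into VirusTotal or ThreatExpert, and flags the two signs of a packer such as the UPX that the ThreatExpert report above mentions: packer-named sections and near-maximum-entropy section data. The packer section-name list, the 7.0 bits/byte threshold, and the two in-memory sample executables are assumptions constructed for the example; the samples are not real binaries and do not run.

```python
# Added example (not code from the thread): static triage of a PE file.
import hashlib
import math
import random
import struct

# Section names well-known packers leave behind (assumption: illustrative
# list, not an exhaustive packer database).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".themida", b".vmp0", b".vmp1", b".nsp1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                         # 40-byte section headers
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def triage(pe: bytes) -> dict:
    """Lookup hashes plus a packed-or-not verdict with the reasons behind it."""
    reasons, sections = [], parse_sections(pe)
    for s in sections:
        label = s["name"].decode("latin-1") or "<unnamed>"
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {label} is a known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {label} has no raw data but {s['virtual_size']:#x} "
                           "bytes reserved in memory (typical unpack destination)")
        if s["raw_size"] >= 256 and s["entropy"] > HIGH_ENTROPY:
            reasons.append(f"section {label} has entropy {s['entropy']:.2f} "
                           "(compressed or encrypted payload)")
    return {"md5": hashlib.md5(pe).hexdigest(),
            "sha256": hashlib.sha256(pe).hexdigest(),
            "sections": sections,
            "likely_packed": bool(reasons),
            "reasons": reasons}


def build_sample_pe(specs) -> bytes:
    """Construct a minimal, non-runnable PE32 image from [(name, raw_bytes, virtual_size)]."""
    opt_size, n = 224, len(specs)                        # PE32 optional header size
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF             # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)  # i386, EXE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table, body = bytearray(), bytearray()
    for i, (name, raw, vsize) in enumerate(specs):
        ptr = raw_ptr + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1),
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image + b"\0" * (raw_ptr - len(image)) + body)


# Constructed samples, not real binaries. The "packed" one mimics the UPX layout:
# an empty UPX0 the stub unpacks into, and a high-entropy UPX1 holding the payload.
_rng = random.Random(2010)
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", b"", 0x20000),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x2000),
])
PLAIN_SAMPLE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512, 0x1000),
    (b".data", b"\0" * 1024, 0x400),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        report = triage(sample)
        print(label, report["sha256"][:16], report["likely_packed"], *report["reasons"], sep="\n  ")
```

    A "likely packed" verdict explains why a signature-based engine flags the file; it says nothing about what the unpacked code does, which is the gap the sandbox reports in this thread fill. Legitimate installers and anything with compressed resources will trip the entropy rule too, so treat it as a triage hint, not a verdict.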
  10. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    In ThreatExpert you can clearly see that IKARUS is detecting it as not-a-virus.Keygen.CoreAVC, but keep in mind that there are many private crypters like Incognito which can be used to avoid detection. This known private crypter is very powerful and IMHO many keygens are also using it.
     
  11. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    OK, but if you execute the file, it has to be decrypted, right?
    Anyway, CIMA will show what these decrypted files do, no?
     
  12. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Well, it's a keygen and I wouldn't trust it. Malware usually injects threads into svchost.exe to create/drop files or send out data.
     
  13. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    This is a Wilders Security thread and promotion of keygens is not accepted here.
    I think this thread will be closed soon. :p

    You are playing with trouble.
    All cracks are loaded with trouble. ;)
     
  14. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    The firewall didn't make any alert; should the firewall have made an alert?

    1) I am not promoting anything, and you?
    2) Who told you that? your AV? :p

    This is what I intend to promote with this thread:
    I hope that somebody can explain how to check this kind of file correctly, like any AV company should do.
     
    Last edited: Feb 16, 2010
  15. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    It created svchost.exe
    From the MS site
     
  16. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Again, almost any application in the world needs to have access to the svchost.exe process in order to be executed.

    PE: -http://camas.comodo.com/cgi-bin/submit?file=1e6096c0f6b5db4c9f15a9c1352297830b981e668280862c3f2b1fe8a51521f5-
    autoruns.exe from: -http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx-
     
    Last edited: Feb 16, 2010
  17. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    You use CIS? IIRC, CIS treats all MS-signed exes as trusted and by default allows svchost outbound connections. :doubt: But CIS should alert you if something is trying to modify or inject something into svchost.
     
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Defense+(paranoid): no alert
    Firewall(safe mode): no alert
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Discussing is no problem. Promoting indeed is. We strongly advise against pirating and theft in general, apart from the security issues that come with key generators and all sorts of cracks in general.

    In case this thread moves the wrong way, it will be closed and possibly even vanish from public sight. So please stick to the rules.
     
  20. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    From this quote it's pretty obvious what the subliminal purpose of this thread is. To lordraiden: use at your own risk.
     
  21. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077
    Subliminal? Don't be paranoid. I just want to know how a suspicious file must be checked. I suppose Norton, Panda, KAV, Avast... don't use VT, CIMA and ThreatExpert to check files.
    So which tools does a "professional" use, and how? This is my question.
     
  22. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
  23. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,077

    Thanks a lot, JoeBox and Anubis are really good.

    JoeBox: -http://www.mediafire.com/file/mvymjhjwzzi/result.html-
    Anubis: -http://anubis.iseclab.org/?action=result&task_id=13687a9bfe250620449db577f91a87cd3&format=html#chapter1-

    Now it seems more suspicious, but anyway the data needs the correct interpretation.
    I have seen a lot of HTTP, DNS and registry data, but I have uploaded safe files (autoruns.exe) that do not need an internet connection and they show similar results.

    Also, I have checked the integrity of the Win7 files and everything is OK.
     
  24. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    You're welcome ;)
     
  25. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    If your ThreatFire pops up during the execution of this keygen, then probably there is something inside it which needs to be taken care of. But after seeing the ThreatExpert and CIMA reports I can say that it is almost clean. But you should use it with extreme care. (Please do note that piracy is an offense) :D
     