Why does Nod32 identify Magical Jellybean keyfinder as a virus?

Discussion in 'NOD32 version 2 Forum' started by jayt, Mar 11, 2006.

Thread Status:
Not open for further replies.
  1. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    No matter which download link I click on on this page, IMON pops up and says that the page has been blocked because it has a virus. If I shut IMON down and download the file (I know it is a dangerous practice), and right click scan it with AMON, AMON detects the file as a virus and deletes it.
    I do not think that Magical Jelly Bean Keyfinder is a virus.

    http://www.magicaljellybean.com/keyfinder.shtml
     
  2. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    It's actually a rather handy tool that I've used before, no clue why.. FP?
     
  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    It is no FP; it is detected as a Win32/PSWTool.RAS.A application.
    A potentially dangerous application....
     
  4. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Yep, and if the Potentially dangerous applications option is unticked from IMON/AMON then it won't trigger an alert.
     
  5. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Thanks Lee. That was the problem. I had recently downloaded a new version of Nod32 and used the automatic setup with BS's setting. I had forgotten that potentially dangerous applications was checked. Unchecked it in IMON and AMON and was able to download the file. BTW, it must really have dangerous properties. Ewido didn't want to let it run either. :D
     
  6. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    Anyone have a description of what dangerous attributes it actually has?
     
  7. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    good stuff. it's best, or at least i'd rather, that it is flagged as a possible threat and then you can make your own mind up if you want to go ahead and use it.

    cheers, lee
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    NOD detects it also on my PC, but I couldn't find any info about it. :(
     
  9. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    Yes, it detects it for me as well, but I've used it many times to get keys off and it's widely recommended, which is why I assumed it to be a FP.
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, it's detected by KAV, Dr.Web and AntiVir also, so no FP I think. :)
     
  11. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Here's what Dr. Web has to say according to their Firefox extension:
     


  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've scanned it on Jottis and the same result almost. :D
     
  13. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    It's fairly logical that it's labeled as a potentially dangerous program if you think about it. It could be used together with a trojan to retrieve/steal Windows cd-keys.
     
  14. Alwill

    Alwill Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    76
    Location:
    Sydney, Australia
    Had the same experience with Keyfinder this morning in the course of an In-Depth analysis scan which identified it as a Win32/PSWTool.RAS.A application (my first hit since using NOD). Although I have the Copy to Quarantine option selected, there was no trace of the file in Quarantine, nor was an Infected file created in the eset folder (the relevant Quarantine/Infected file entry in the Registry is in situ).

    From this can I assume that NOD does not move potentially dangerous applications which it identifies, to Quarantine?
     
  15. Alwill

    Alwill Registered Member

    Joined:
    Feb 26, 2004
    Posts:
    76
    Location:
    Sydney, Australia
    Any ideas anyone, please.
     
  16. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Have been using jellybean keyfinder for a few years now and found out about NOD32 picking it up as a potentially dangerous app a few weeks ago.
    Should the use of it be stopped altogether or is it safe to use?
     
  17. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I guess that is down to the user to decide. It is being identified as a 'POTENTIALLY dangerous application', keyword being potentially.
     
  18. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Bingo! Or used just by itself. It's a tool to get serial-product install keys. Think about it! ;)
     
  19. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    If you know of one that does not contain a virus, please let me know. Windows product keys are encrypted, so when a customer has lost his or her key, it's the only way to use a program.

    This also does the office series, like I said, rather nice.. too bad it's a virus :p
     
  20. Marcelo

    Marcelo Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    74
    Location:
    Rio de Janeiro, Brazil.

    It's not actually a virus, it's a POTENTIALLY dangerous application. Just imagine you have a company with a corporate windows serial. If it was not flagged any employee could use it to discover your company's serial and then spread it however he saw fit.

    In other words, it's a tool that can be POTENTIALLY used to steal someone's rightful property, more than enough reason to flag it as a dangerous application.

    It does not mean, of course, it does not have LEGITIMATE uses, such as recovering someone's lost serial number before reformatting the computer.

    So if you have legitimate uses for it, go on and use it :)
     
  21. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    MagicJellyBean itself is not a virus...I'm not saying it's a virus. However...it's an application that has rather, well, "warez" types of uses. Similar to Kazaa or many of those peer to peer applications...granted...there can be the rare occasional use that is legitimate, but more than oft...well, it's a tool used to "snag" serial-product install keys. A legitimate software owner would have that, on their CD case, or CD sleeve, or OEM sticker on their computer, or on a printed out e-mail from Microsoft Open Licensing, or...or...

    Most businesses would not want someone tromping through their network using MagicJellyBean keyfinder.
     