Win32/Ralpha.A Trojan

Discussion in 'NOD32 version 2 Forum' started by denney, Jul 4, 2004.

Thread Status:
Not open for further replies.
  1. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    In another thread titled "Why Should I Purchase Nod32" I saw a nearly identical experience to mine with regards to the above. I could repeat my experience in a post but, like I said, it's darn near identical. Suffice to say that after sending a second sample on June 7 (the first sample was sent on 5-23), I still haven't heard back from ESET despite two subsequent emails to those who contacted me about the issue. The file is called randomize.dll and is part of a 4 year old graphics program (MGI Photosuite). It shows up whenever I reinstall the program from a factory CD.

    Could somebody point me in the direction of a URL which describes the above trojan. I've been running NOD32 for over 2 years and it wasn't until nearly the end of May that this file was detected. I'd like to believe it's a false positive since neither my backup scanner nor an online scan picks it up.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas

    It is listed here under Ralpha.

    NOD32 - v.1.769 (20040521)
    Virus signature database updates:


    Here is a thread. Ralpha
     
  3. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    Thanks for the information. With the definition being added on 5-21, that explains why NOD32 never detected it all those years before. I do note, however, that the thread implies that not all the AV vendors agree that it's a trojan. Is there a URL that actually describes this trojan's purpose, or has it since been deemed a false positive?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas

    Denney

    I haven't found it yet! Have you talked to Roxio about this file?

    This page lists Ralpha as a backdoor program. Ralpha
     
    Last edited: Jul 5, 2004
  5. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    Roxio evidently does own MGI now, but they don't support this old a version of Photosuite. I've gone through Roxio's forums as thoroughly as I could, but I couldn't find any reference to the randomizer.dll issue.

    You'd think if a couple of AV vendors list the same trojan, a description of what it did (besides being a backdoor) would exist somewhere. Maybe I'm expecting too much.

    Does anybody know why some of the AV vendors believe the file is clean while others consider it a trojan?
     