Win32/Ralpha.A Trojan

Discussion in 'NOD32 version 2 Forum' started by denney, Jul 4, 2004.

Thread Status:
Not open for further replies.
  1. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    In another thread titled "Why Should I Purchase Nod32" I saw a nearly identical experience to mine with regards to the above. I could repeat my experience in a post but like I said its darn near identical. Suffice to say that after sending a second sample on June 7 (the first sample was sent on 5-23). I still haven't heard back from ESET despite two subsequent emails to those who contacted me about the issue. The file is called randomize.dll and is part of a 4 year old graphics program (MGI Photosuite). It shows up whenever I reinstall the program from a factory CD

    Could somebody point me in the direction of a URL which describes the above trojan. I've been running NOD32 for over 2 years and it wasn't until the nearly the end of May that this file was detected. I'd like to believe its a false positive since neither my backup scanner or an online scan picks it up.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    63,835
    Location:
    Texas

    It is listed here under Ralpha.

    NOD32 - v.1.769 (20040521)
    Virus signature database updates:
    BootKiller.E, Exploit.HTML/Mht.A, Exploit.HTML/Mht.B, Exploit.HTML/Mht.C, Exploit/CodeBase.gen, Exploit/HTML.Mht.B, IRC/SdBot.ASE, IRC/SdBot.ASF, IRC/SdBot.ASG, IRC/SdBot.ASH, IRC/SdBot.ASI, IRC/SdBot.ASJ, IRC/SdBot.ASK, IRC/SdBot.ASL, Unix/Acidet.A, VBS/Psyme.NAA, VBS/TrojanDownloader.Iwill.M, Win32/Aebot.C, Win32/Agent.Z, Win32/Agobot.3.AAA, Win32/Agobot.3.AAB, Win32/Agobot.3.AAC, Win32/Agobot.3.AAD, Win32/Agobot.3.AAE, Win32/Agobot.3.AAF, Win32/Agobot.3.AAG, Win32/Agobot.3.AAH, Win32/Agobot.3.AAI, Win32/Agobot.3.AAJ, Win32/Agobot.3.AAK, Win32/Agobot.3.AAL, Win32/Agobot.3.AAM, Win32/Agobot.3.AAN, Win32/Agobot.3.AAO, Win32/Agobot.3.AAP, Win32/Agobot.3.AAQ, Win32/Agobot.3.AAR, Win32/Agobot.3.AAS, Win32/Agobot.3.AAT, Win32/Agobot.3.AAU, Win32/Agobot.3.AAV, Win32/Agobot.3.AAW, Win32/Agobot.3.AAX, Win32/Agobot.3.AAY, Win32/Agobot.3.AAZ, Win32/Agobot.3.ABA, Win32/Agobot.3.ABB, Win32/Agobot.3.ABC, Win32/Agobot.3.ABD, Win32/Agobot.3.ABE, Win32/Agobot.3.ZN, Win32/Agobot.3.ZO, Win32/Agobot.3.ZP, Win32/Agobot.3.ZQ, Win32/Agobot.3.ZR, Win32/Agobot.3.ZS, Win32/Agobot.3.ZT, Win32/Agobot.3.ZU, Win32/Agobot.3.ZV, Win32/Agobot.3.ZW, Win32/Agobot.3.ZX, Win32/Agobot.3.ZY, Win32/Agobot.3.ZZ, Win32/Agobot.KR, Win32/Agobot.LC, Win32/Agobot.LD, Win32/Agobot.LF, Win32/Agobot.LN, Win32/Agobot.LT, Win32/Agobot.LU, Win32/Agobot.MG, Win32/Agobot.NE, Win32/Agobot.NH, Win32/Agobot.NJ, Win32/Agobot.OQ, Win32/Agobot.OU, Win32/Agobot.OV, Win32/Agobot.PM, Win32/Agobot.PN, Win32/Agobot.PO, Win32/Agobot.RB, Win32/Agobot.RG, Win32/Agobot.RT, Win32/Agobot.SF, Win32/Agobot.SN, Win32/Antinny.O, Win32/Bancodor.Q, Win32/Beastdoor.206.A, Win32/Bizten.F, Win32/Bizten.G, Win32/Bizten.H, Win32/Botten.F, Win32/Botten.G, Win32/Botten.H, Win32/Delf.BV, Win32/Delf.CA, Win32/Delf.CF, Win32/Dialer.A2, Win32/Dialer.G, Win32/Dialer.G1, Win32/Dialer.G2, Win32/Dialer.J1, Win32/Dialer.K1, Win32/Dialer.NAC, Win32/Dialer.O1, Win32/Dialer.P, Win32/Dialer.Q1, Win32/Dialer.T1, Win32/Dialer.Y, Win32/Doorila.A, Win32/DTR.16.D, Win32/HackTool.AldHack.B, Win32/Haxdoor.P, Win32/ICmd.A, Win32/Insom.A, Win32/IRCBot.KR, Win32/IRCBot.KS, Win32/Loony.I, Win32/Lovgate.AH, Win32/Nucledor.12.B, Win32/PSW.Bancban.A, Win32/PSW.Capwin.D, Win32/PSW.LdPinch.NAF, Win32/PSW.Legendmir.BY, Win32/PSW.Legendmir.KK, Win32/PSW.Legendmir.NAD, Win32/PSW.QQPass.AX, Win32/Ralpha.A, Win32/Razeny.A, Win32/Rbot.11, Win32/Sesame.A, Win32/Spy.Banbra.D, Win32/Spy.Dumarin.E, Win32/Spy.Small.V, Win32/Spy.Tofger.AL, Win32/SpyBot.ADB, Win32/SpyBot.ADC, Win32/SpyBot.ADE, Win32/SpyBot.ADF, Win32/SpyBot.ADG, Win32/SpyBot.ADH, Win32/SpyBot.ADI, Win32/SpyBot.ADJ, Win32/SpyBot.ADK, Win32/SpyBot.ADL, Win32/SpyBot.ADM, Win32/SpyBot.ADN, Win32/Spyboter.AG, Win32/Spyboter.BE, Win32/Spyboter.BF, Win32/Spyboter.BG, Win32/Spyboter.BH, Win32/Spyboter.BI, Win32/Spyboter.BZ, Win32/Spyboter.CJ, Win32/Spyboter.CY, Win32/StartPage.AAJ, Win32/StartPage.AQ1, Win32/StartPage.DT, Win32/StartPage.DZ, Win32/StartPage.EG, Win32/StartPage.EU, Win32/StartPage.FA, Win32/StartPage.FC, Win32/StartPage.FI, Win32/StartPage.GF, Win32/StartPage.GM, Win32/StartPage.GS, Win32/StartPage.GU, Win32/StartPage.HE, Win32/StartPage.HO, Win32/StartPage.NAH, Win32/StartPage.NAL, Win32/StartPage.NAM, Win32/TrojanClicker.Outwar.G, Win32/TrojanClicker.VB.BK, Win32/TrojanClicker.VB.CH, Win32/TrojanDownloader.Agent.AB, Win32/TrojanDownloader.Delf.CF, Win32/TrojanDownloader.Donn.NAA, Win32/TrojanDownloader.IstBar.CJ, Win32/TrojanDownloader.Lader.D, Win32/TrojanDownloader.Small.FB, Win32/TrojanDownloader.Small.IN, Win32/TrojanDownloader.Small.IQ, Win32/TrojanDownloader.Small.KA, Win32/TrojanDownloader.Small.KF, Win32/TrojanDownloader.Small.KG, Win32/TrojanDownloader.Swizzor.AG, Win32/TrojanDownloader.Swizzor.Z, Win32/TrojanDownloader.Vivia.A, Win32/TrojanDropper.Delf.CN, Win32/TrojanDropper.MultiDropper.AB, Win32/TrojanDropper.Small.GX, Win32/TrojanDropper.Small.NAA, Win32/TrojanProxy.Daemonize.R, Win32/WinRC.A


    Here is a thread. Ralpha
     
  3. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    Thanks for the information. With the definition being added on 5-21 that explains why NOD32 never detected it all those years before. I do note however that the thread implies that not all the AV vendors agree that its a trojan. Is there a URL that actually describes this trojan's purpose or has its since been deemed a false postive?
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    63,835
    Location:
    Texas

    Denney

    I haven't found it yet! Have you talked to Roxio about this file?

    This page lists Ralpha as a backdoor program. Ralpha
     
    Last edited: Jul 5, 2004
  5. denney

    denney Registered Member

    Joined:
    May 23, 2003
    Posts:
    3
    Roxio evidently does own MGI now but they don't support this old a version of Photosuite. I've gone through Roxio's forums as thorough as I could but I couldn't find any reference to the randomizer.dll issue.

    You'd think if a couple of AV vendors would list the same trojan, a description of what it did (besides being a backdoor) would exist somewhere. Maybe I'm expecting to much.

    Does anybody know why some of the AV vendors believe the file is clean while others consider it a trojan?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.