Windowsxp-kb920683-x86-enu.exe -> Trojan.generic.60459 False Positive?

Kinobe
edited October 2007 in Malware talk

I recently performed a full scan of my computer with BitDefender Free v10.2 and I was alerted to a few benign files and one "Trojan.Generic.60459" infection. I had BitDefender set to move to quarantine if disinfection is not possible. After the scan completed, I restored all of the identified files from quarantine.


I think the "Trojan.Generic.60459" infection report is a false positive because none of the several reputable anti-malware applications I use has ever flagged the file. The file BitDefender flagged as "Infected" (WindowsXP-KB920683-x86-ENU.exe) came directly from Microsoft located at the following URL:


http://www.microsoft.com/downloads/details...;DisplayLang=en


I downloaded the WindowsXP-KB920683-x86-ENU.exe file again today from Microsoft and compared the CRC-32, MD5, and SHA-1 hash values to confirm the downloaded file hash values match the hash values of the file that was flagged by BitDefender (according to FileAlyzer):


CRC-32: F9EA7711


MD5: 4C9411078B5DF667890E98D25C4DBABC


SHA1: EF1482C5B88557E56563DACE9B7549EBF6D7F9C7


Jotti's online malware scan of the file (run today) showed no signs of malware except for BitDefender reporting "Found Trojan.Generic.60459".


Here are the contents of my BitDefender scan results and Jotti's online malware scan results.


//-----------------------------------------------------------------


//


// Product BitDefender Free Edition v10


// Product 10.2


//


// Created on: 26/10/2007 19:17:22


//


//-----------------------------------------------------------------


Virus Statistics


Scan path : C:\


G:\


H:\


Folders : 8537


Files : 42620


Memory processes scanned : 75


Archives : 14


Runtime packers : 2875


Identified viruses : 4


Infected files : 5


Memory processes infected : 0


Suspect files : 0


Warnings : 0


Disinfected files : 0


Deleted files : 0


Moved files : 5


I/O errors : 13


Scan time : 00:32:15


Scan speed (files/sec) : 22


Spyware Statistics


Registry keys scanned : 2474


Registry keys infected : 0


Cookies scanned : 0


Cookies infected : 0


Spyware files infected : 0


Spyware threats detected : 0


Virus definitions : 935465


Scan plugins : 16


Archive plugins : 41


Unpack plugins : 7


Mail plugins : 6


System plugins : 5


Virus scan options


Detection


[X] Scan boot sectors


[X] Memory Processes


[ ] Scan archives


[X] Scan runtime packers


[X] Scan email


File mask


[X] Programs


[ ] All files


[ ] User defined extensions:


[ ] Exclude extensions: ;


Action


Infected objects


[ ] Ignore


[X] Disinfect


[ ] Delete


[ ] Move to quarantine


[ ] Prompt user


Second action


[ ] Ignore


[ ] Delete


[X] Move to quarantine


[ ] Prompt user


Virus scan options


[X] Enable warnings


[ ] Enable heuristics


[ ] Show all files in log


[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1193440642.log


Spyware scan options


[X] Scan for riskware


[ ] Skip dial and applications from scan


[X] Registry keys


[X] Cookies


Summary:


C:\Documents and Settings\Kinobe\Application Data\Microsoft\Internet Explorer\Quick Launch\UTILITIES\GRC\leaktest.exe Detected: Application.Leaktest.B


C:\Documents and Settings\Kinobe\Application Data\Microsoft\Internet Explorer\Quick Launch\UTILITIES\GRC\leaktest.exe Disinfection failed


C:\Documents and Settings\Kinobe\Application Data\Microsoft\Internet Explorer\Quick Launch\UTILITIES\GRC\leaktest.exe Moved


C:\Documents and Settings\Kinobe\Desktop\UTILITIES\GRC\leaktest.exe Detected: Application.Leaktest.B


C:\Documents and Settings\Kinobe\Desktop\UTILITIES\GRC\leaktest.exe Disinfection failed


C:\Documents and Settings\Kinobe\Desktop\UTILITIES\GRC\leaktest.exe Moved


G:\DL\GRC\DCOMbob.exe Detected: Application.Rpcdcom.B


G:\DL\GRC\DCOMbob.exe Disinfection failed


G:\DL\GRC\DCOMbob.exe Moved


G:\DL\GRC\leaktest.exe Detected: Application.Leaktest.B


G:\DL\GRC\leaktest.exe Disinfection failed


G:\DL\GRC\leaktest.exe Moved


G:\DL\Microsoft\Patches\Security\Post SP2 Hotfixes\WindowsXP-KB920683-x86-ENU.exe Infected: Trojan.Generic.60459


G:\DL\Microsoft\Patches\Security\Post SP2 Hotfixes\WindowsXP-KB920683-x86-ENU.exe Disinfection failed


G:\DL\Microsoft\Patches\Security\Post SP2 Hotfixes\WindowsXP-KB920683-x86-ENU.exe Moved


BTW, the leaktest.exe and DCOMbob.exe files BitDefender flagged are utilities I downloaded years ago from Steve Gibson's web site: http://www.grc.com/default.htm


I suspect BitDefender thinks those utilities are "riskware". :)


Jotti's online malware scan results:


File: WindowsXP-KB920683-x86-ENU.exe


Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)


MD5: 4c9411078b5df667890e98d25c4dbabc


Packers detected: PE_PATCH


Bit9 reports: No threat detected (more info)


Scanner results


Scan taken on 28 Oct 2007 16:33:56 (GMT)


A-Squared Found nothing


AntiVir Found nothing


ArcaVir Found nothing


Avast Found nothing


AVG Antivirus Found nothing


BitDefender Found Trojan.Generic.60459


ClamAV Found nothing


CPsecure Found nothing


Dr.Web Found nothing


F-Prot Antivirus Found nothing


F-Secure Anti-Virus Found nothing


Fortinet Found nothing


Kaspersky Anti-Virus Found nothing


NOD32 Found nothing


Norman Virus Control Found nothing


Panda Antivirus Found nothing


Rising Antivirus Found nothing


Sophos Antivirus Found nothing


VirusBuster Found nothing


VBA32 Found nothing
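
The two checks described in the post above (comparing CRC-32, MD5 and SHA-1 of the flagged copy against a fresh download, and tallying a multi-scanner report), as an added example that is not part of the original post. The function names are hypothetical, the files are constructed stand-ins, and the scanner lines are a subset of the Jotti report quoted above.

```python
import hashlib
import os
import tempfile
import zlib

# Scanner lines copied from the Jotti report above (subset).
SAMPLE_REPORT = """\
AntiVir Found nothing
BitDefender Found Trojan.Generic.60459
ClamAV Found nothing
Kaspersky Anti-Virus Found nothing
"""


def file_digests(path, chunk_size=65536):
    """Return CRC-32, MD5 and SHA-1 of a file, reading it once in chunks."""
    crc, md5, sha1 = 0, hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"CRC-32": f"{crc & 0xFFFFFFFF:08X}",
            "MD5": md5.hexdigest().upper(),
            "SHA1": sha1.hexdigest().upper()}


def same_file(flagged_path, reference_path):
    """True only if all three digests of both copies agree."""
    return file_digests(flagged_path) == file_digests(reference_path)


def tally_scanners(report_text):
    """Split 'Engine Found <verdict>' lines into clean engines and detections."""
    clean, detections = [], {}
    for line in report_text.splitlines():
        engine, sep, verdict = line.strip().partition(" Found ")
        if not sep:
            continue  # not a scanner result line
        if verdict == "nothing":
            clean.append(engine)
        else:
            detections[engine] = verdict
    return clean, detections


if __name__ == "__main__":
    # Constructed stand-ins for the quarantined copy and the fresh download.
    with tempfile.TemporaryDirectory() as tmp:
        flagged, fresh = os.path.join(tmp, "flagged.exe"), os.path.join(tmp, "fresh.exe")
        for p in (flagged, fresh):
            with open(p, "wb") as fh:
                fh.write(b"constructed sample bytes")
        print(file_digests(flagged), same_file(flagged, fresh))
    print(tally_scanners(SAMPLE_REPORT))
```

Matching digests show only that the flagged copy is byte-identical to the fresh download; whether the file is clean still rests on trusting the download source and on the vendor's analysis of the detection.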

Comments

  • BTW, I had Googled bitdefender WindowsXP-KB920683-x86-ENU.exe and came up with only one result (which, it appears, might be a Chinese hacker BBS forum thread). I translated the page to English but the information appears to not be related to this issue.

  • Hello Kinobe,


    I moved your topic to a more appropriate section.


    Please put the file in a ZIP file, protected by the password infected and upload it here. BD Virus Analysts will take a look at it and remove detection if necessary.


    Note that there's a 2MB upload limit on the forum. If the ZIP file exceeds this limit, please use a free file uploading service for larger files (megaupload.com, etc.), but make sure to archive the samples with the password infected (or the sample might be blocked by some AV on the way).


    Cris.

  • Thanks, Cris. I will try to remember to use the Malware Talk forum for reports of potential false positives in the future.


    "Please put the file in a ZIP file, protected by the password infected and upload it here. BD Virus Analysts will take a look at it and remove detection if necessary."


    I cannot "add" the .EXE file to a ZIP file with WinZip 11.1 because it appears to already be a self-extracting ZIP archive. Therefore, I simply changed the file extension from .EXE to .ZIP and scanned the file again with BitDefender. BitDefender still flags the file with the .ZIP extension as infected with "Trojan.Generic.60459".


    I did extract the contents of the WindowsXP-KB920683-x86-ENU.exe file and then I scanned the individual files from the self-extracting archive. That did NOT produce any "Infected" reports.


    It also appears I cannot password protect the file since WinZip does not appear to offer that option for a file that is already a ZIP file and the forum software does not appear to offer such an option either.


    I thought the Microsoft link I provided in my first message of this thread would be sufficient for BitDefender Virus Analysts to obtain and analyze the file.


    http://www.microsoft.com/downloads/details...;DisplayLang=en


    Anyway, as requested, I attached the file with the renamed file extension to this post (but it is NOT password-protected).

    WindowsXP_KB920683_x86_ENU.zip

  • I also have contracted this virus. I sent an email to customer service. Not sure if that is the right course of action or not. BD, while it identified it, didn't seem able to do anything with it. When I re-scan my computer the virus isn't detected again so I don't know what the status of my system is.


    //-----------------------------------------------------------------


    //


    // Product BitDefender Antivirus v10


    // Product 10.2


    //


    // Created on: 29/10/2007 18:57:33


    //


    //-----------------------------------------------------------------


    Virus Statistics


    Scan path : C:\


    D:\


    Folders : 4932


    Files : 38285


    Memory processes scanned : 50


    Archives : 6


    Runtime packers : 2503


    Identified viruses : 1


    Infected files : 1


    Memory processes infected : 0


    Suspect files : 0


    Warnings : 0


    Disinfected files : 0


    Deleted files : 0


    Moved files : 1


    I/O errors : 12


    Scan time : 00:13:38


    Scan speed (files/sec) : 46


    Spyware Statistics


    Registry keys scanned : 1696


    Registry keys infected : 0


    Cookies scanned : 323


    Cookies infected : 0


    Spyware files infected : 0


    Spyware threats detected : 0


    Virus definitions : 936165


    Scan plugins : 16


    Archive plugins : 41


    Unpack plugins : 7


    Mail plugins : 6


    System plugins : 5


    Virus scan options


    Detection


    [X] Scan boot sectors


    [X] Memory Processes


    [ ] Scan archives


    [X] Scan runtime packers


    [X] Scan email


    File mask


    [X] Programs


    [ ] All files


    [ ] User defined extensions:


    [ ] Exclude extensions: ;


    Action


    Infected objects


    [ ] Ignore


    [X] Disinfect


    [ ] Delete


    [ ] Move to quarantine


    [ ] Prompt user


    Second action


    [ ] Ignore


    [ ] Delete


    [X] Move to quarantine


    [ ] Prompt user


    Virus scan options


    [X] Enable warnings


    [ ] Enable heuristics


    [ ] Show all files in log


    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1193709453.log


    Spyware scan options


    [X] Scan for riskware


    [ ] Skip dial and applications from scan


    [X] Registry keys


    [X] Cookies


    Summary:


    C:\i386\KB920683.exe Infected: Trojan.Generic.60459


    C:\i386\KB920683.exe Disinfection failed


    C:\i386\KB920683.exe Move failed: Quarantine internal failure

  • This is indeed a FP (False Positive). Detection will be removed after the next update. Thank you for the detailed report.


    Best regards.

  • You're very welcome, Cd-MaN. :)


    Thank you for confirming it is indeed a FP.