Engine Bug!
Hi guys~
Yesterday I discovered an interesting phenomenon!
The detailed picture shows the sample's properties.
Please pay attention to the last number (271995).
BitDefender reports: Trojan.Generic.74723
Avira reports: TR/Agent.271995
All are false positives!
These two vendors report a false alarm while the file is clean.
After I edit the file size (the file is a self-extracting document) or decompress it,
and then use Avira and BD to rescan it once again, they do not detect it anymore.
My dear friend tested it using other AVs; many of them get a false alarm.
When I edit the file size of the sample or decompress it, they all find nothing.
Thanks
Comments
Other vendors report:
Asquared: Trojan.Generic
Ikarus: Trojan.Generic
Norman: Trojan Smalltroj.BSXG
Norton: Trojan Horse
QuickHeal: TrojanDownloader.Agent.efy
TheHacker: Trojan/Downloader.Agent.efy
VBA32: infected Trojan-Downloader.Win32.Agent.efy
VirusBuster: Trojan.Agent.DZIW
Has nothing to do with the file size.
So I think the unpack engine has some problem.
Hello yanzilme,
Thanks for the information.
It could be a false positive, but I can't judge that. Can you please compress your sample in a password-protected archive, using "infected" as the password? After that, attach it to your next reply. I will move this topic to a more appropriate forum section, specifically the malware section, so the virus researchers can take a look at it.
Kind regards,
Niels
Hi Niels, thank you for your reply.
Please check your PM.
Thanks
Hello yanzilme,
I received it. You could also upload your attachment here; nobody except moderators, supermoderators and virus researchers can download from here.
Kind regards,
Niels
To virus researchers the password is: 3321
Attachment: sample.rar
Thanks!
Report from Avira:
Avira AntiVir Premium
Report file date: 8 September 2008 18:44
Scanning for 1602105 virus strains and unwanted programs.
Licensed to: yang ciu
Serial number: 1101579278-PEPWE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: Administrator
Computer name: E6300_MYROOM
Version information:
BUILD.DAT : 8.1.0.367 20012 Bytes 2008/8/12 11:31:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 2008/7/18 05:52:37
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008/7/18 05:52:37
LUKE.DLL : 8.1.4.5 164097 Bytes 2008/7/18 05:52:38
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008/7/18 05:52:38
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007/7/18 04:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 2008/6/24 12:47:31
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 2008/8/31 05:17:02
ANTIVIR3.VDF : 7.0.6.125 226816 Bytes 2008/9/7 05:16:49
Engineversion : 8.1.1.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2008/2/25 03:58:21
AESCRIPT.DLL : 8.1.0.70 319866 Bytes 2008/9/3 18:54:51
AESCN.DLL : 8.1.0.23 119156 Bytes 2008/7/16 12:48:06
AERDL.DLL : 8.1.1.1 397683 Bytes 2008/9/3 18:54:49
AEPACK.DLL : 8.1.2.1 364917 Bytes 2008/7/16 12:48:01
AEOFFICE.DLL : 8.1.0.23 196987 Bytes 2008/9/3 18:54:45
AEHEUR.DLL : 8.1.0.51 1397111 Bytes 2008/9/3 18:54:44
AEHELP.DLL : 8.1.0.15 115063 Bytes 2008/7/16 12:47:49
AEGEN.DLL : 8.1.0.36 315764 Bytes 2008/8/19 08:02:13
AEEMU.DLL : 8.1.0.7 430452 Bytes 2008/7/31 15:42:19
AECORE.DLL : 8.1.1.11 172406 Bytes 2008/9/3 18:54:37
AEBB.DLL : 8.1.0.1 53617 Bytes 2008/7/17 12:45:28
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008/7/18 05:52:37
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008/7/18 05:52:37
AVREP.DLL : 8.0.0.2 98344 Bytes 2008/7/31 15:42:14
AVREG.DLL : 8.0.0.1 33537 Bytes 2008/7/18 05:52:37
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008/2/12 02:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008/7/18 05:52:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008/1/22 11:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008/7/18 05:52:38
NETNT.DLL : 8.0.0.1 7937 Bytes 2008/1/25 06:05:10
RCIMAGE.DLL : 8.0.0.51 2564353 Bytes 2008/7/18 05:52:36
RCTEXT.DLL : 8.0.51.0 86273 Bytes 2008/7/18 05:52:36
Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\05b60aa3.avp
Logging..........................: high
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high
Expanded search settings.........: 0x00300432
Start of the scan: 8 September 2008 18:44
Starting the file scan:
Begin scan in 'C:\Documents and Settings\Administrator\桌面\sample.exe'
C:\Documents and Settings\Administrator\桌面\
sample.exe
[0] Archive type: RAR SFX (self extracting)
--> Langs\ChartPlg\nl_lang_cht.ini
--> Langs\ChartPlg\nl_lang_de.ini
--> Langs\ChartPlg\nl_lang_en.ini
--> Langs\ChartPlg\nl_lang_es.ini
--> Langs\ChartPlg\nl_lang_fr.ini
--> Langs\ChartPlg\nl_lang_Kr.ini
--> Langs\ChartPlg\nl_lang_pl.ini
--> Langs\ChartPlg\nl_lang_ru.ini
--> Langs\ChartPlg\nl_lang_si.ini
--> Langs\FltEdPlg\nl_lang_cht.ini
--> Langs\FltEdPlg\nl_lang_cz.ini
--> Langs\FltEdPlg\nl_lang_de.ini
--> Langs\FltEdPlg\nl_lang_en.ini
--> Langs\FltEdPlg\nl_lang_es.ini
--> Langs\FltEdPlg\nl_lang_fr.ini
--> Langs\FltEdPlg\nl_lang_Kr.ini
--> Langs\FltEdPlg\nl_lang_pl.ini
--> Langs\FltEdPlg\nl_lang_ru.ini
--> Langs\FltEdPlg\nl_lang_si.ini
--> Langs\InfoPlg\nl_lang_cht.ini
--> Langs\InfoPlg\nl_lang_cz.ini
--> Langs\InfoPlg\nl_lang_de.ini
--> Langs\InfoPlg\nl_lang_en.ini
--> Langs\InfoPlg\nl_lang_es.ini
--> Langs\InfoPlg\nl_lang_fr.ini
--> Langs\InfoPlg\nl_lang_Kr.ini
--> Langs\InfoPlg\nl_lang_pl.ini
--> Langs\InfoPlg\nl_lang_ru.ini
--> Langs\InfoPlg\nl_lang_si.ini
--> Langs\lang_list.xml
--> Langs\Menu\nl_lang_cht.ini
--> Langs\Menu\nl_lang_cz.ini
--> Langs\Menu\nl_lang_de.ini
--> Langs\Menu\nl_lang_en.ini
--> Langs\Menu\nl_lang_es.ini
--> Langs\Menu\nl_lang_fr.ini
--> Langs\Menu\nl_lang_Kr.ini
--> Langs\Menu\nl_lang_pl.ini
--> Langs\Menu\nl_lang_ru.ini
--> Langs\Menu\nl_lang_si.ini
--> Langs\NLVClient\nl_lang_cht.ini
--> Langs\NLVClient\nl_lang_cz.ini
--> Langs\NLVClient\nl_lang_de.ini
--> Langs\NLVClient\nl_lang_en.ini
--> Langs\NLVClient\nl_lang_es.ini
--> Langs\NLVClient\nl_lang_fr.ini
--> Langs\NLVClient\nl_lang_Kr.ini
--> Langs\NLVClient\nl_lang_pl.ini
--> Langs\NLVClient\nl_lang_ru.ini
--> Langs\NLVClient\nl_lang_si.ini
--> Langs\nl_lang_cht.ini
--> Langs\nl_lang_cz.ini
--> Langs\nl_lang_de.ini
--> Langs\nl_lang_en.ini
--> Langs\nl_lang_es.ini
--> Langs\nl_lang_fr.ini
--> Langs\nl_lang_Kr.ini
--> Langs\nl_lang_pl.ini
--> Langs\nl_lang_ru.ini
--> Langs\nl_lang_si.ini
--> Langs\NodeView\nl_lang_cht.ini
--> Langs\NodeView\nl_lang_cz.ini
--> Langs\NodeView\nl_lang_de.ini
--> Langs\NodeView\nl_lang_en.ini
--> Langs\NodeView\nl_lang_es.ini
--> Langs\NodeView\nl_lang_fr.ini
--> Langs\NodeView\nl_lang_Kr.ini
--> Langs\NodeView\nl_lang_pl.ini
--> Langs\NodeView\nl_lang_ru.ini
--> Langs\NodeView\nl_lang_si.ini
--> Langs\NtwMgrPlg\nl_lang_cz.ini
--> Langs\NtwMgrPlg\nl_lang_de.ini
--> Langs\NtwMgrPlg\nl_lang_en.ini
--> Langs\NtwMgrPlg\nl_lang_es.ini
--> Langs\NtwMgrPlg\nl_lang_fr.ini
--> Langs\NtwMgrPlg\nl_lang_Kr.ini
--> Langs\NtwMgrPlg\nl_lang_pl.ini
--> Langs\NtwMgrPlg\nl_lang_ru.ini
--> Langs\NtwMgrPlg\nl_lang_si.ini
--> Langs\Options\nl_lang_cht.ini
--> Langs\Options\nl_lang_cz.ini
--> Langs\Options\nl_lang_de.ini
--> Langs\Options\nl_lang_en.ini
--> Langs\Options\nl_lang_es.ini
--> Langs\Options\nl_lang_fr.ini
--> Langs\Options\nl_lang_Kr.ini
--> Langs\Options\nl_lang_pl.ini
--> Langs\Options\nl_lang_ru.ini
--> Langs\Options\nl_lang_si.ini
--> Langs\PermEdPlg\nl_lang_cht.ini
--> Langs\PermEdPlg\nl_lang_cz.ini
--> Langs\PermEdPlg\nl_lang_de.ini
--> Langs\PermEdPlg\nl_lang_en.ini
--> Langs\PermEdPlg\nl_lang_es.ini
--> Langs\PermEdPlg\nl_lang_fr.ini
--> Langs\PermEdPlg\nl_lang_Kr.ini
--> Langs\PermEdPlg\nl_lang_pl.ini
--> Langs\PermEdPlg\nl_lang_ru.ini
--> Langs\PermEdPlg\nl_lang_si.ini
--> Langs\RAdminPlg\nl_lang_cht.ini
--> Langs\RAdminPlg\nl_lang_cz.ini
--> Langs\RAdminPlg\nl_lang_de.ini
--> Langs\RAdminPlg\nl_lang_en.ini
--> Langs\RAdminPlg\nl_lang_es.ini
--> Langs\RAdminPlg\nl_lang_fr.ini
--> Langs\RAdminPlg\nl_lang_Kr.ini
--> Langs\RAdminPlg\nl_lang_pl.ini
--> Langs\RAdminPlg\nl_lang_ru.ini
--> Langs\RAdminPlg\nl_lang_si.ini
--> Langs\Resolver\nl_lang_cht.ini
--> Langs\Resolver\nl_lang_de.ini
--> Langs\Resolver\nl_lang_es.ini
--> Langs\Resolver\nl_lang_fr.ini
--> Langs\Resolver\nl_lang_Kr.ini
--> Langs\Resolver\nl_lang_pl.ini
--> Langs\Resolver\nl_lang_ru.ini
--> Langs\RulesPlg\nl_lang_cht.ini
--> Langs\RulesPlg\nl_lang_cz.ini
--> Langs\RulesPlg\nl_lang_de.ini
--> Langs\RulesPlg\nl_lang_en.ini
--> Langs\RulesPlg\nl_lang_es.ini
--> Langs\RulesPlg\nl_lang_fr.ini
--> Langs\RulesPlg\nl_lang_Kr.ini
--> Langs\RulesPlg\nl_lang_pl.ini
--> Langs\RulesPlg\nl_lang_ru.ini
--> Langs\RulesPlg\nl_lang_si.ini
--> Langs\Stats\nl_lang_cht.ini
--> Langs\Stats\nl_lang_cz.ini
--> Langs\Stats\nl_lang_de.ini
--> Langs\Stats\nl_lang_en.ini
--> Langs\Stats\nl_lang_es.ini
--> Langs\Stats\nl_lang_fr.ini
--> Langs\Stats\nl_lang_Kr.ini
--> Langs\Stats\nl_lang_pl.ini
--> Langs\Stats\nl_lang_ru.ini
--> Langs\Stats\nl_lang_si.ini
--> Langs\VerChk\nl_lang_cht.ini
--> Langs\VerChk\nl_lang_cz.ini
--> Langs\VerChk\nl_lang_de.ini
--> Langs\VerChk\nl_lang_en.ini
--> Langs\VerChk\nl_lang_es.ini
--> Langs\VerChk\nl_lang_fr.ini
--> Langs\VerChk\nl_lang_Kr.ini
--> Langs\VerChk\nl_lang_pl.ini
--> Langs\VerChk\nl_lang_ru.ini
--> Langs\VerChk\nl_lang_si.ini
--> Langs\ZoneStats\nl_lang_cht.ini
--> Langs\ZoneStats\nl_lang_cz.ini
--> Langs\ZoneStats\nl_lang_de.ini
--> Langs\ZoneStats\nl_lang_en.ini
--> Langs\ZoneStats\nl_lang_es.ini
--> Langs\ZoneStats\nl_lang_fr.ini
--> Langs\ZoneStats\nl_lang_Kr.ini
--> Langs\ZoneStats\nl_lang_pl.ini
--> Langs\ZoneStats\nl_lang_ru.ini
--> Langs\ZoneStats\nl_lang_si.ini
[DETECTION] Is the TR/Agent.271995 Trojan
[WARNING] The file was ignored!
End of the scan: 8 September 2008 18:44
Used time: 00:05 Minute(s)
The scan has been done completely.
0 Scanning directories
157 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
156 Files not concerned
1 Archives were scanned
1 Warnings
0 Notes
Report from BitDefender 10:
//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 07/09/2008 18:39:57
//
//-----------------------------------------------------------------
Virus Statistics
Scan path : C:\sample.exe
Folders : 0
Files : 1
Memory processes scanned : 0
Archives : 0
Runtime packers : 0
Identified viruses : 1
Infected files : 1
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 0
Scan time : 00:00:01
Scan speed (files/sec) : 1
Virus definitions : 1732030
Scan plugins : 16
Archive plugins : 43
Unpack plugins : 7
Mail plugins : 6
System plugins : 4
Virus scan options
Detection
[ ] Scan boot sectors
[ ] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user
Virus scan options
[X] Enable warnings
[X] Enable heuristics
[X] Show all files in log
[X] Report file: C:\Documents and Settings\Administrator\Application Data\BitDefender\Desktop\Profiles\Logs\contextual\1220783997.log
Spyware scan options
[X] Scan for riskware
[ ] Skip dial and applications from scan
[ ] Registry keys
[ ] Cookies
Summary:
C:\sample.exe Infected: Trojan.Generic.74723
C:\sample.exe Deleted
Scanned files
C:\sample.exe Infected: Trojan.Generic.74723
C:\sample.exe Deleted
Avira can decompress sample.exe, but Avira gets a false alarm!
BD can't decompress sample.exe; it only shows "C:\sample.exe Infected: Trojan.Generic.74723"!
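Added example (not from the thread, and not code from Avira or BitDefender): a small Python script that builds a constructed RAR 4.x self-extractor and then contrasts two ways of keying a detection on it. A whole-file (size, CRC32) signature, which is what the poster's observations and the size-shaped name TR/Agent.271995 suggest was in play (an assumption; the thread never states how the signature was written), stops matching as soon as a single byte is appended. A signature over the unpacked members is unchanged by padding or by stripping the stub, which is what a working unpack engine should see. The stub, member names and file contents are all constructed here; the member names are modelled on the Langs\... entries in the Avira log. The parser handles only stored (method 0x30) entries and the basic 4.x block layout, not salt, extended time fields or 64-bit sizes.

```python
"""Container-level vs. content-level signatures on a RAR SFX (constructed example)."""
import hashlib
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # RAR 4.x marker block

# Constructed stand-in for the SFX stub: not a real PE, just enough to place the
# archive at a non-zero offset the way a real self-extractor does.
FAKE_STUB = (b"MZ" + b"\x90" * 62 + b"constructed SFX stub placeholder\r\n").ljust(512, b"\x00")

# Constructed members, modelled on the Langs\... entries in the Avira log.
SAMPLE_MEMBERS = [
    ("Langs\\nl_lang_en.ini", b"[Menu]\r\nFile=File\r\nExit=Exit\r\n"),
    ("Langs\\lang_list.xml", b'<langs><lang code="en"/></langs>'),
]


def _block(head_type, flags, body, add_data=None):
    """One RAR 4.x block: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) [ADD_SIZE(4)] body [data].

    HEAD_CRC is the low 16 bits of CRC32 over the header from HEAD_TYPE onward.
    """
    if add_data is not None:
        flags |= 0x8000  # LONG_BLOCK: an ADD_SIZE field follows the 7-byte header
    head_size = 7 + (4 if flags & 0x8000 else 0) + len(body)
    hdr = struct.pack("<BHH", head_type, flags, head_size)
    if flags & 0x8000:
        hdr += struct.pack("<I", len(add_data or b""))
    hdr += body
    return struct.pack("<H", zlib.crc32(hdr) & 0xFFFF) + hdr + (add_data or b"")


def build_sfx_sample(members=SAMPLE_MEMBERS):
    """Assemble stub + marker + MAIN_HEAD + stored FILE_HEAD blocks + ENDARC."""
    archive = _block(0x73, 0x0000, b"\x00" * 6)  # MAIN_HEAD: RESERVED1(2) RESERVED2(4)
    for name, content in members:
        raw = name.encode("latin-1")
        # FILE_HEAD body after ADD_SIZE (= PACK_SIZE):
        # UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR NAME
        body = struct.pack("<IBIIBBHI", len(content), 2, zlib.crc32(content) & 0xFFFFFFFF,
                           0, 29, 0x30, len(raw), 0x20) + raw  # METHOD 0x30 = stored
        archive += _block(0x74, 0x0000, body, content)
    archive += _block(0x7B, 0x4000, b"")  # ENDARC
    return FAKE_STUB + RAR4_MARKER + archive


def find_rar_offset(data):
    """Offset of the embedded archive inside the SFX, or -1 if there is none."""
    return data.find(RAR4_MARKER)


def parse_rar4_members(data, offset):
    """Walk block headers from the marker; return ([(name, stored_bytes)], offset past ENDARC)."""
    pos = offset + len(RAR4_MARKER)
    members = []
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            raise ValueError("bad header CRC at offset %d" % pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if head_type == 0x74:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 32:pos + 32 + name_size].decode("latin-1")
            members.append((name, bytes(data[pos + head_size:pos + head_size + add_size])))
        pos += head_size + add_size
        if head_type == 0x7B:
            return members, pos
    raise ValueError("no end-of-archive block found")


def container_signature(data):
    """Whole-file (size, CRC32): the brittle key a size-named generic detection may use (assumption)."""
    return len(data), zlib.crc32(data) & 0xFFFFFFFF


def content_signature(data):
    """SHA-256 over unpacked member names and bytes: unaffected by the stub or trailing padding."""
    off = find_rar_offset(data)
    if off < 0:
        return None
    members, _ = parse_rar4_members(data, off)
    h = hashlib.sha256()
    for name, payload in members:
        h.update(name.encode("latin-1") + b"\x00" + payload + b"\x00")
    return h.hexdigest()


def demo():
    original = build_sfx_sample()
    bad_sig = container_signature(original)              # pretend a vendor keyed a detection on this
    padded = original + b"\x00"                           # the poster's "edit the file size"
    archive_only = original[find_rar_offset(original):]  # same archive with the SFX stub stripped off
    return {
        "container_matches_original": container_signature(original) == bad_sig,
        "container_matches_padded": container_signature(padded) == bad_sig,
        "content_same_after_padding": content_signature(padded) == content_signature(original),
        "content_same_without_stub": content_signature(archive_only) == content_signature(original),
        "member_names": [n for n, _ in parse_rar4_members(original, find_rar_offset(original))[0]],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints the comparison results: the container signature survives only on the untouched file, while the content signature is the same for the original, the padded copy and the stub-less archive. Flipping any header byte makes the parser raise on the HEAD_CRC check rather than silently walking garbage.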
Dear sir,
Unfortunately that was a bad signature. It will be removed in a few hours.
Thank you for reporting.
Weird that so many AVs detect that file. Be careful.