AVAST reports Murlo in ADOBE files

Kevin Renn

I have a question I can't seem to google the answer to. I recently
installed Adobe Acrobat reader. I'm running AVAST (free version) and it
started reporting that several files in the c:\program files\adobe\acrobat
7.0\reader subdir are infected with win32:murlo [tri].

I then did a PANDA and TRENDMICRO online scan and they do not report any
infection in these files, but when they are scanned, AVAST alerts again.

Is this a false positive?

Could someone please give me the URL where I can submit these files for
analysis?

Thanks,
Kevin Renn
 
From: "Kevin Renn" <[email protected]>

| I have a question I can't seem to google the answer to. I recently
| installed Adobe Acrobat reader. I'm running AVAST (free version) and it
| started reporting that several files in the c:\program files\adobe\acrobat
| 7.0\reader subdir are infected with win32:murlo [tri].
|
| I then did a PANDA and TRENDMICRO online scan and they do not report any
| infection in these files, but when they are scanned, AVAST alerts again.
|
| Is this a false positive?
|
| Could someone please give me the URL where I can submit these files for
| analysis?
|
| Thanks,
| Kevin Renn

Most likely -- Yes, it is a False Positive declaration.

If you got Adobe Reader directly from Adobe, not some third party, then the files are clean.

What are the EXACT files being declared as being infected ?

Those files should be submitted to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.

This way you will see if it is truly a False Positive declaration.

When you get the report, please post back the exact results.
 
I have a question I can't seem to google the answer to. I recently
installed Adobe Acrobat reader. I'm running AVAST (free version) and it
started reporting that several files in the c:\program files\adobe\acrobat
7.0\reader subdir are infected with win32:murlo [tri].

I then did a PANDA and TRENDMICRO online scan and they do not report any
infection in these files, but when they are scanned, AVAST alerts again.

Is this a false positive?

Could someone please give me the URL where I can submit these files for
analysis?

Not a URL but an email addy. Try (e-mail address removed)

Meanwhile, upload suspect files to Virus Total:

http://www.virustotal.com/flash/index_en.html

If none of the other av products alert, you can assume Avast is
producing a false positive. They should be notified so they can
correct the problem.

Art

http://home.epix.net/~artnpeg
 
Most likely -- Yes, it is a False Positive declaration.

If you got Adobe Reader directly from Adobe, not some third party,
then the files are clean.

What are the EXACT files being declared as being infected ?

Those files should be submitted to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors'
scanners. That will give you an idea what it is and who recognizes it.

This way you will see if it is truly a False Positive declaration.

When you get the report, please post back the exact results.

I'm not sure exactly where the files came from. I recently re-installed
windows so when I was browsing and needed to look at a PDF file, I just
clicked along and automatically had ACROBAT READER installed without really
paying a lot of attention. Yes, it's the lazy way and that's my fault.

There are 4 files that were being declared as infected. They are all in
the same subdir: C:\program files\adobe\acrobat7.0\reader\

AcroRd32.dll
Acrord32.dll.700.bak
Acrord32.dll.701.bak

except the third file which is:

C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdBig\ENU\Data1.cab
\AcroRd32.dll

This is being reported by AVAST 4.6

Results of VIRUSTOTAL:

Antivirus      Version         Update      Result
AntiVir        6.31.1.0        09.09.2005  no virus found
Avast          4.6.695.0       09.09.2005  no virus found
AVG            718             09.09.2005  no virus found
Avira          6.31.1.0        09.09.2005  no virus found
BitDefender    7.0             09.02.2005  no virus found
CAT-QuickHeal  8.00            09.09.2005  no virus found
ClamAV         devel-20050725  09.09.2005  no virus found
DrWeb          4.32b           09.09.2005  no virus found
eTrust-Iris    7.1.194.0       09.09.2005  no virus found
eTrust-Vet     11.9.1.0        09.09.2005  no virus found
Fortinet       2.41.0.0        09.07.2005  no virus found
F-Prot         3.16c           09.09.2005  no virus found
Ikarus         0.2.59.0        09.09.2005  no virus found
Kaspersky      4.0.2.24        09.09.2005  no virus found
McAfee         4578            09.09.2005  no virus found
NOD32v2        1.1213          09.09.2005  no virus found
Norman         5.70.10         09.09.2005  no virus found
Panda          8.02.00         09.09.2005  no virus found
Sophos         3.97.0          09.09.2005  no virus found
Symantec       8.0             09.09.2005  no virus found
TheHacker      5.8.2.102       09.08.2005  no virus found
VBA32          3.10.4          09.09.2005  no virus found

When I do a quick scan with Avast (right click and select folder to scan)
it does not report any infections.
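
Reading a multi-scanner report like the one posted above, as an added example that is not part of the original thread: the sketch parses the four-column rows, lists which engines flagged the file, and marks engines whose signatures are noticeably older than the newest update, since a "no virus found" from a stale engine carries less weight. Assumptions: the Update column is MM.DD.YYYY, the `ExampleAV` row is constructed to exercise the detection path, and the 3-day staleness threshold is arbitrary.

```python
from datetime import datetime, timedelta

# Constructed sample: four rows copied from the posted report plus one made-up
# detection row (ExampleAV is a hypothetical engine, not a real result).
REPORT = """\
Antivirus Version Update Result
Avast 4.6.695.0 09.09.2005 no virus found
BitDefender 7.0 09.02.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
Kaspersky 4.0.2.24 09.09.2005 no virus found
ExampleAV 1.0 09.09.2005 win32:murlo [tri]
"""

CLEAN = "no virus found"

def parse_report(text):
    """Parse 'engine version update result' rows; the result may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # at most 4 fields, result keeps its spaces
        if len(parts) != 4:
            continue
        engine, version, update, result = parts
        try:
            # Assumed date layout: MM.DD.YYYY
            updated = datetime.strptime(update, "%m.%d.%Y").date()
        except ValueError:
            continue  # header line or malformed row
        rows.append({"engine": engine, "version": version,
                     "updated": updated, "result": result.strip()})
    return rows

def summarize(rows, max_age_days=3):
    """Return engines that flagged the file and engines with stale signatures."""
    if not rows:
        raise ValueError("no scanner rows parsed")
    newest = max(r["updated"] for r in rows)
    detections = {r["engine"]: r["result"]
                  for r in rows if r["result"].lower() != CLEAN}
    stale = sorted(r["engine"] for r in rows
                   if newest - r["updated"] > timedelta(days=max_age_days))
    return {"total": len(rows), "detections": detections,
            "stale": stale, "newest": newest}

if __name__ == "__main__":
    print(summarize(parse_report(REPORT)))
```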
 
From: "Kevin Renn" <[email protected]>

< snip >


|
| When I do a quick scan with Avast (right click and select folder to scan)
| it does not report any infections.
|

Yes, it was a False Positive declaration
 
Art said:
I have a question I can't seem to google the answer to. I recently
installed Adobe Acrobat reader. I'm running AVAST (free version) and it
started reporting that several files in the c:\program files\adobe\acrobat
7.0\reader subdir are infected with win32:murlo [tri].

I then did a PANDA and TRENDMICRO online scan and they do not report any
infection in these files, but when they are scanned, AVAST alerts again.

Is this a false positive?

Could someone please give me the URL where I can submit these files for
analysis?

Not a URL but an email addy. Try (e-mail address removed)

Meanwhile, upload suspect files to Virus Total:

http://www.virustotal.com/flash/index_en.html

If none of the other av products alert, you can assume Avast is
producing a false positive. They should be notified so they can
correct the problem.

I'm running latest free Avast and acroread 7. Just scanned the adobe
directory in Program Files. Nothing.
Dave Cohen
 