FYI: Real Alternative 1.23 browser plugin reported suspicious


fred

My latest virus defs for F-Prot for DOS are flagging
realmedia_browser_plugin.exe (118,924 bytes, modified 14/05/04) as "a
dropper for W32/Fyga.A@dro" but a search for this trojan on the web,
including the F-Prot site, yields no results.

File details make it look like it was part of my Real Alternative 1.23 install.
The file is a self-extracting SFX RAR archive which extracts:
nppl3260.xpt 6,789 bytes modified 14/05/04 19:47:52 and
nsJSRealPlayerPlugin.xpt 531 bytes modified 14/05/04 19:47:44 to
..\Components\
and
nppl3260.dll 139,305 bytes modified 27/04/04 12:05:22
nprpjplug.dll 81,967 bytes modified 14/04/04 19:47:44 to
..\Plugins\
deleting the existing nprjplug.dll and with overwrite set true.

The extracted components don't flag any alerts.

Not much to show about this on the web with the exception of a couple of
forum posts, one in French, one in Dutch, reporting that Pest Patrol is
reporting the file as a RAT (Remote Access Tool?). Speaking neither
language, the replies mean little to me, but I reckon this is a false positive.

Any comments?
 
fred said:
My latest virus defs for F-Prot for DOS are flagging
realmedia_browser_plugin.exe (118,924 bytes, modified 14/05/04) as "a
dropper for W32/Fyga.A@dro" but a search for this trojan on the web,
including the F-Prot site, yields no results.

File details make it look like it was part of my Real Alternative 1.23 install.
The file is a self-extracting SFX RAR archive which extracts:
nppl3260.xpt 6,789 bytes modified 14/05/04 19:47:52 and
nsJSRealPlayerPlugin.xpt 531 bytes modified 14/05/04 19:47:44 to
.\Components\
and
nppl3260.dll 139,305 bytes modified 27/04/04 12:05:22
nprpjplug.dll 81,967 bytes modified 14/04/04 19:47:44 to
.\Plugins\
deleting the existing nprjplug.dll and with overwrite set true.

The extracted components don't flag any alerts.

Not much to show about this on the web with the exception of a couple of
forum posts, one in French, one in Dutch, reporting that Pest Patrol is
reporting the file as a RAT (Remote Access Tool?). Speaking neither
language, the replies mean little to me, but I reckon this is a false positive.

Any comments?

You're right. I looked and could find nothing on any Trojan or virus
by that name. If you're using a firewall (and why would you not?),
keep an eye out for suspicious outcalling.
 
John Corliss said:
You're right. I looked and could find nothing on any Trojan or virus
by that name. If you're using a firewall (and why would you not?),
keep an eye out for suspicious outcalling.
I'm keeping an eye out but as the files in the RAR payload report as safe
I've assumed they think the installer is compromised in some way and
that it would need to establish a connection at install time to create a
threat.

I'll be passing a report to F-Prot but I'm not really expecting much in the
way of support as I'm on the free product.

I probably wouldn't have jumped to report just a suspicion but my ears
always prick up when a Real Media derived product throws up a
trojan/virus/spy warning ;-)

I'll report any news back here.
 
fred said:
John Corliss writes

I'll be passing a report to F-Prot but I'm not really expecting much
in the way of support as I'm on the free product.

I probably wouldn't have jumped to report just a suspicion but my ears
always prick up when a Real Media derived product throws up a
trojan/virus/spy warning ;-)

I'll report any news back here.


Reports elsewhere are calling it a false positive.
 
Mark Warner said:
Reports elsewhere are calling it a false positive.
Confirmed as a false positive today by email from F-Prot labs, thanks for
the info.
 