Incorrect identification of Jeppesen FlightStar RoutePack?


Garrett

I recently installed:

Microsoft AntiSpyware Version: 1.0.501
This version expires on: 7/31/2005
Current User: Garrett
Spyware Definition Version: 5683 (1/21/2005 9:43:44 AM)

When it runs, it identifies I have the "Radlight
(Trojan)", with details that point to the following keys:

HKEY_CLASSES_ROOT\.rpk
HKEY_CLASSES_ROOT\.rpk Jeppesen.RoutePack
HKEY_LOCAL_MACHINE\software\classes\.rpk
HKEY_LOCAL_MACHINE\software\classes\.rpk Jeppesen
RoutePack

These registry hives contain only one key, a "(Default)
REG_SZ Jeppessen.RoutePack". Which seems to just be
related to the Jeppesen FlightStar product (Jeppesen is
one of the largest aviation hardware/software
companies).

I believe AntiSpyware is returning a false positive
here. Is there any way to confirm one way or the other
that the Radlight trojan is on my computer?

thanks,
Garrett

Restart your computer in safe mode and run the scan again. On the scan page
choose Scan Options > Full Scan. Remember to turn off system restore at
first before you restart into safe mode.

Andre
 
Looks like a false positive. Jeppesen uses the .rpk file extension for its
"Route Packs". And, from some articles I read on the Radlight trojan, it
also has "RPK" in its name. So, I'm pretty sure AntiSpyware is wrong...

Garrett
 
I'd recommend doing what you can to be sure that any code identified as a
trojan is, in fact, bit for bit identical with the correct code from an
installation source for the reputable product you have installed.

False positives can be reported in these groups--ideally in the .signatures
group, or directly via a web form available here:

http://www.spynet.com/falsepositive.aspx
 
I am certain it is flagging an icon change. The icon for
routepacks is used in multiple applications (FliteStar,
Jeppview3, FliteDeck3), so the routepack has its own icon
association. This has been done as identified in the
document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/icon.asp
The problem is when the routepack is first used, Windows
associates it with the program that used it (an example
would be FliteStar). When Jeppesen tries to leave the
program association unchanged, but change the icon so it
reflects a routepack, this is seen as 'spyware behavior'.
I am not certain why, but it does.
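One way to judge a hit like this on what the extension actually points to rather than on its name is to walk the association chain the poster describes: the `.rpk` extension key, the ProgID it names, that ProgID's `DefaultIcon`, and its `shell\open\command` handler, then check the signature and hash of whatever executable the handler resolves to. This is an added example and not code from the thread or from Jeppesen; the key names come from the thread, while the ProgID, icon and handler it reports are read from the local machine.

```powershell
# Added example (not from the thread): resolve what Windows does with the
# .rpk extension, so a "(Default) = Jeppesen.RoutePack" finding can be judged
# on the handler it points to rather than on the name alone.
# Assumes the HKCR\.rpk keys named in the thread; everything else is read live.

function Get-ExtensionAssociation {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.rpk'

    $result = [ordered]@{ Extension = $Extension }

    # HKCR\.ext (Default) holds the ProgID, e.g. Jeppesen.RoutePack
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    $result.ProgId = $progId
    if (-not $progId) { return [pscustomobject]$result }

    # HKCR\<ProgID>\DefaultIcon is the icon override the poster describes
    $iconKey = "Registry::HKEY_CLASSES_ROOT\$progId\DefaultIcon"
    $result.DefaultIcon = (Get-ItemProperty -Path $iconKey -ErrorAction SilentlyContinue).'(default)'

    # HKCR\<ProgID>\shell\open\command is what actually runs when a .rpk is opened
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    $result.OpenCommand = $command

    # Pull the executable path out of the command line (quoted, or the first token)
    if ($command) {
        $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $result.HandlerExe = $exe
        if (Test-Path -LiteralPath $exe) {
            # A valid Authenticode signature from the expected vendor is the
            # strongest quick indicator that the handler is the legitimate product
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $result.SignatureStatus = $sig.Status
            $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $result.Sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else {
            # An association whose handler no longer exists is a dangling key,
            # not an active component of anything
            $result.SignatureStatus = 'HandlerMissing'
        }
    }
    [pscustomobject]$result
}

Get-ExtensionAssociation -Extension '.rpk' | Format-List
```

If the handler is an unsigned binary in an unexpected location, or the `DefaultIcon` points somewhere other than the product's own directory, that is the point worth investigating further; a `DefaultIcon` override on a ProgID whose handler is the signed vendor executable is exactly the benign behaviour described above.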
 
Interesting--I don't know why such a change should be flagged, but it is
probably an issue I've not learned much about.

It might help to post a short message in appcompat detailing repro steps for
this issue, ideally with some demo or trial app from this vendor which can
be downloaded.
 
Hi Bill -

AntiSpyware doesn't actually identify any EXEs as having been infected --
just the 4 registry keys I mention below (none of which directly identify an
EXE -- they just associate the extension RPK with Jeppesen FlightStar).

Wouldn't AntiSpyware mention a particular file if it were infected, not
just registry keys? Also, the fact that the Radlight trojan and the
legitimate Jeppesen product use the .RPK extension seems very
coincidental... In addition, I don't have any of the registry keys that
have been identified as part of the Radlight trojan, nor do I have any of
the EXEs/DLLs that have been identified as part of the Radlight trojan (see
http://www.pestpatrol.com/PestInfo/R/RadLight.asp).

So, I'm 99.999% certain this is a false positive -- I will, however,
compare the Jeppesen directory file by file with a backup when I get a
chance...

Garrett
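The file-by-file comparison against a backup that Garrett proposes, and Bill's earlier suggestion to confirm that anything flagged is bit-for-bit identical with the installation source, can be done with hashes rather than by eye. The script below is an added example, not code from the thread or from Jeppesen; the two directory paths are placeholders to be replaced with the real install directory and the known-good copy (backup or installation media).

```powershell
# Added example (not from the thread): compare an installed product directory
# file by file against a known-good copy so that any flagged file can be
# shown to be bit-for-bit identical, modified, added or missing.
# Both paths passed at the bottom are placeholders.

function Compare-DirectoryHashes {
    param(
        [Parameter(Mandatory)][string]$Installed,   # live product directory
        [Parameter(Mandatory)][string]$Reference    # backup or install media copy
    )

    # Hash every file under a root, keyed by its path relative to that root
    function Get-HashTable([string]$Root) {
        $rootPath = (Resolve-Path -LiteralPath $Root).Path
        $table = @{}
        Get-ChildItem -LiteralPath $rootPath -Recurse -File | ForEach-Object {
            $rel = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
        $table
    }

    $live = Get-HashTable $Installed
    $ref  = Get-HashTable $Reference

    # Walk the union of both file sets so additions and deletions both show up
    foreach ($rel in (@($live.Keys) + @($ref.Keys) | Sort-Object -Unique)) {
        $status = if (-not $ref.ContainsKey($rel))      { 'AddedSinceReference' }
                  elseif (-not $live.ContainsKey($rel)) { 'MissingFromInstall' }
                  elseif ($live[$rel] -ne $ref[$rel])   { 'Modified' }
                  else                                  { 'Identical' }
        [pscustomobject]@{ RelativePath = $rel; Status = $status }
    }
}

# Only the non-identical entries need a second look
Compare-DirectoryHashes -Installed 'C:\Program Files\Jeppesen' -Reference 'D:\Backup\Jeppesen' |
    Where-Object Status -ne 'Identical'
```

A reference taken from installation media is stronger than one taken from a backup made after the scanner's alert, since a backup can carry the same state being questioned. Files listed as `Modified` under the product directory are the ones to hand to the vendor or to the false-positive form mentioned earlier, together with their hashes.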
 
I agree--looks harmless, but bad--don't want that stuff removed, 'cause it
may break Jeppesen.
 