Is this file really malicious / viral / trojan?

  • Thread starter Thread starter Virus Guy
  • Start date Start date
V

Virus Guy

The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

Password is "a" (no quotes). When unzipped, you'll have keygen.xex.
Rename to exe and you'll have it.

Now here's the strange part. Have a look at this VT scan result and
tell me what's going on with this file:

http://www.virustotal.com/file-scan...58134bcc9337d4d98b536098ce1dec2df2-1319333503

It's saying that according to the "VT community", it's got a 100% saftey
score as "goodware". This score is coming primarily from a user named
"jeje".

I see a lot of "trojan dropper" id's here, as well as this:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

So Ikarus has specifically ID'd this for what it is, and it's not a
virus (apparently).

(note - I'm having lots of problems connecting with vt tonight)

http://downorjustforme.com/virustotal.com

virustotal.com seems to be down :(
 
From: "Virus Guy said:
The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

Password is "a" (no quotes). When unzipped, you'll have keygen.xex.
Rename to exe and you'll have it.

Now here's the strange part. Have a look at this VT scan result and
tell me what's going on with this file:

http://www.virustotal.com/file-scan...58134bcc9337d4d98b536098ce1dec2df2-1319333503

It's saying that according to the "VT community", it's got a 100% saftey
score as "goodware". This score is coming primarily from a user named
"jeje".

I see a lot of "trojan dropper" id's here, as well as this:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

So Ikarus has specifically ID'd this for what it is, and it's not a
virus (apparently).

(note - I'm having lots of problems connecting with vt tonight)

http://downorjustforme.com/virustotal.com

virustotal.com seems to be down :(
Click to expand...

I don't see much going with that sample. It doesn't communicate on the 'net and the only
URL associated with it is; http://www.corel.com/

It has a French origin with strings like..
Erreur d'application<Le format '%s' est incorrect ou incompatible avec l'argument"Aucun
argument pour le format '%s'(Appels de m

This was an interesting string...
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

Usually with Keygens they open a window with some form of keygen dialogue. This didn't
create any such dialogue.

Is it malicious ?
I didn't se any malicious activity from it.
 
Is it malicious ?
I didn't se any malicious activity from it.
Click to expand...

Why would you open a virus, are you crazy or something? Never ever
open a zip file that somebody told you has a virus! I guess you have
a spare PC that you don't mind getting hosed.

RL
 
RayLopez99 said:
Why would you open a virus, are you crazy or something? Never ever
open a zip file that somebody told you has a virus! I guess you have
a spare PC that you don't mind getting hosed.
Click to expand...

A VM is sufficient, no need for a spare PC. Although a spare isolated PC
would be better security wise. Besides, zip is a data filetype, so no virus.
 
David H. Lipman said:
I don't see much going with that sample. It doesn't communicate
on the 'net and the only URL associated with it is;
http://www.corel.com/

Is it malicious ?
I didn't se any malicious activity from it.
Click to expand...

These 18 AV packages detect no threat in the file:

AhnLab-V3 Avast AVG
BitDefender ByteHero CAT-QuickHeal
Comodo DrWeb eTrust-Vet
F-Secure GData Kaspersky
Microsoft NOD32 Panda
Prevx Rising ViRobot

Ikarus knows what the file is, but tells us it's not a virus:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

These 2 tell us it's "riskware" - but not viral/trojan or otherwise
malicious.

Emsisoft Riskware.Keygen.Corel.WinDVDPro2010!IK
K7AntiVirus Riskware

These 4 or 5 packages don't give clear guidance based on their choice of
ID string. Why are they needlessly vague?

ClamAV PUA.Packed.PECompact-1 (wtf is this?)
Fortinet W32/KeyGen.A (so?)
McAfee Generic.grp!n (wtf is grp?)
McAfee-GW-Edition Generic.grp!n (wtf is grp?)
Sophos Mal/KeyGen-A (malware?)

These 14 packages give a clear impression that the file is malicious in
some way (mostly trojan):

AntiVir TR/Drop.Lmir.DH.2 (trojan dropper?)
Antiy-AVL Trojan/win32.agent.gen (trojan)
Commtouch W32/MalwareF.NSSW (malware)
F-Prot W32/MalwareF.NSSW (malware)
Jiangmin TrojanDropper.LMir.an (trojan dropper)
nProtect Trojan/W32.Agent.163840.GN (trojan)
PCTools Trojan.Gen (trojan)
SUPERAntiSpyware Trojan.Dropper/Gen (trojan dropper)
Symantec Trojan.Gen (trojan)
TheHacker Trojan/Dropper.Lmir.dy (trojan)
TrendMicro TROJ_SPNR.08I911 (trojan)
TrendMicro-HseCl TROJ_SPNR.08I911 (trojan)
VIPRE Trojan.Win32.Generic!BT (trojan)
VirusBuster Trojan.PEPM!71yxiHZtHQk (trojan)

So to summarize:

45% say nothing about the file
35% say the file is a trojan or is otherwise malware
17% give a vague or indeterminate reading for the file

I see the term or string "gen" or "generic" quite a bit. Should that be
taken as an indication of a "generic" detection that may (or likely is)
a false-positive?
 
Virus said:
It's saying that according to the "VT community", it's got a 100%
saftey score as "goodware". This score is coming primarily from
a user named "jeje".
Click to expand...

Strange thing.

This is now twice that when I try to view "jeje"'s profile on VT, I seem
to cause the VT site to crash.

http://www.virustotal.com/vt-community/user-profile.html?nick=jeje

But I finally got this profile:

=============
Hello @jeje,

The VirusTotal team would like to give you a warm welcome to VT
Community. We hope you find the information in this application useful
and we strongly encourage you to make your own contributions in order to
help the whole community.

Time to start chasing the bad guys ;)
written by @VirusTotalTeam, 2010-09-05 20:28:54 (UTC)
=============

So I guess if the "Virustotalteam" says this file is harmless, they must
be right!
 
Virus Guy wrote:
[...]
ClamAV PUA.Packed.PECompact-1 (wtf is this?)
Click to expand...

Potentially Unwanted Application.

I don't know many of the rest, and I feel your pain. Naming systems
really do produce some cryptic names, and it's not easy to decipher.

[...]
 
The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip
Click to expand...

If you really have to execute the program inside, use VirtualBox to
install a jailed WinXP, then copy and run the program inside the virtual
machine. No harm to your host OS guaranteed.

--
@~@ You have the right to remain silence.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 14:18:02 up 8 days 22:54 0 users load average: 0.05 0.08 0.06
ä¸å€Ÿè²¸! ä¸è©é¨™! ä¸æ´äº¤! ä¸æ‰“交! ä¸æ‰“劫! ä¸è‡ªæ®º! è«‹è€ƒæ…®ç¶œæ´ (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
 
Man-wai Chang said:
If you really have to execute the program inside, use VirtualBox to
install a jailed WinXP, then copy and run the program inside the virtual
machine. No harm to your host OS guaranteed.
Click to expand...
....but what if it's a network enumerating worm?
 
...but what if it's a network enumerating worm?

I just read about a fake virtual machine that could capture keystrokes
from the host OS from PC World in a nearby public library.

As long as you are careful, it's fine.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
ä¸å€Ÿè²¸! ä¸è©é¨™! ä¸æ´äº¤! ä¸æ‰“交! ä¸æ‰“劫! ä¸è‡ªæ®º! è«‹è€ƒæ…®ç¶œæ´ (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
 
Man-wai Chang said:
I just read about a fake virtual machine that could capture keystrokes
from the host OS from PC World in a nearby public library.

As long as you are careful, it's fine.
Click to expand...
My point was that just because an infestation isn't persistent doesn't
mean it can't do evil things within the current session. Malware steals
your clock cycles for its own use, a virtual machine is no different in
that respect.
 
My point was that just because an infestation isn't persistent doesn't
mean it can't do evil things within the current session. Malware steals
your clock cycles for its own use, a virtual machine is no different in
that respect.
Click to expand...

At least, the stuff inside a VM would not directly interact with the
host OS.

--
@~@ You have the right to remain silence.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 09:49:01 up 11 days 13:55 0 users load average: 0.00 0.01 0.05
ä¸å€Ÿè²¸! ä¸è©é¨™! ä¸æ´äº¤! ä¸æ‰“交! ä¸æ‰“劫! ä¸è‡ªæ®º! è«‹è€ƒæ…®ç¶œæ´ (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa
 
Back
Top