Possible false positive on smtp.ocx


JJ

We have some software that uses a "smtp.ocx" control, which I downloaded as
freeware a few years ago from the web (the file is dated Feb 23, 2001, size
73,728 bytes).

This is being reported (on multiple systems here, as we all have it
installed, as do our customers) as the Holar.G trojan.
 
The Lagel worm creates four new files: MPLAYER.EXE, which
is run every time Windows is started up, ILLEGAL.EXE,
which contains the worm's code, MMAILS.DLL, which stores
the e-mail addresses the worm obtains from the system, and
SMTP.OCX, an application used to mail messages.

False Positive.

Regards, Alan.
 
If you still have contact with the original vendor I've posted later in this
group a form for vendor dispute of listing.

Worst case, however, is that the malware your other reply mentions has taken
the original OCX and used it directly, in which case it will be hard for the
app to distinguish!
 
Some of the latest variants are known to infest legit files. One must
then depend on the AV or spyware app vendors to discern what is legit
and what is not.
Wish I could tell you definitively that it's a false positive or not.
Kaspersky's online scanner, limited to one file of 1MB or less, is very
useful for this determination.

Steve Wechsler (aka MowGreen)
MVP Windows Server
AumHa VSOP
 
I believe that's why there's an MD5 hash generated by the Advanced File
Analyzer. They are generating hashes which ought to distinguish the legit
files from ones infected by a virus, or simply the same name and size.
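
The hash comparison described in the last reply, as an added example that is not part of the original thread and not code from any of the tools mentioned: it fingerprints a trusted copy of the control and triages other files with the same name against it. It uses SHA-256 in place of the MD5 mentioned in the post; the function names, verdict strings and sample file contents are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk=65536):
    """Stream the file through SHA-256 so it is never read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def fingerprint(path):
    """Name (lower-cased, Windows file names are case-insensitive), size, digest."""
    return {
        "name": os.path.basename(path).lower(),
        "size": os.path.getsize(path),
        "sha256": file_digest(path),
    }

def triage(path, baseline):
    """Compare a file on disk with the fingerprint of a trusted copy."""
    fp = fingerprint(path)
    if fp["name"] != baseline["name"]:
        return "unrelated"
    if fp["sha256"] == baseline["sha256"]:
        return "identical-to-trusted-copy"
    if fp["size"] == baseline["size"]:
        # Name and size alone cannot tell these apart; only the digest does.
        return "same-name-and-size-different-content"
    return "same-name-different-file"

def demo():
    """Constructed sample files; real use would fingerprint the vendor's original."""
    root = tempfile.mkdtemp()
    size = 73728  # file size quoted in the first post
    samples = {
        "trusted": ("smtp.ocx", b"A" * size),
        "copy": ("smtp.ocx", b"A" * size),
        "altered": ("SMTP.OCX", b"A" * (size - 1) + b"B"),
        "other": ("smtp.ocx", b"C" * 1000),
    }
    baseline, results = None, {}
    for label, (name, data) in samples.items():
        os.makedirs(os.path.join(root, label))
        path = os.path.join(root, label, name)
        with open(path, "wb") as f:
            f.write(data)
        if label == "trusted":
            baseline = fingerprint(path)
        else:
            results[label] = triage(path, baseline)
    return results
```

A matching digest only shows the file is byte-for-byte the trusted copy; it says nothing about what else on the system is loading it, which is the worst case raised in the second reply.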
 