You are here

false positive? Vundo.gen.42 found in Pidgin Portable

3 posts / 0 new
Last post
Jan_HJT
Offline
Last seen: 16 years 8 months ago
Joined: 2008-02-20 13:44
false positive? Vundo.gen.42 found in Pidgin Portable

Today I testet the 'Norman Malware Cleaner':

http://download.norman.no/public/Norman_Malware_Cleaner.exe

The scanner told me, that it found Vundo in Portable Pidgin:

X:\PortableApps\PidginPortable\App\GTK\lib\gtk-2.0\2.10.0\engines\libthinice.dll

So I decided to double-check the file with:

http://www.virustotal.com/
http://www.virscan.org/
http://virusscan.jotti.org/

Unfortunately three other scanners found suspicious code in this file. I'm now pretty uncertain about this - ok, I won't even care about one false positive, but four?

regards, Jan

John T. Haller
John T. Haller's picture
Offline
Last seen: 1 hour 31 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
False Positive

Actually, of the four, 3 of them have had false positives in the past: AVG, F-Secure and NOD32. AVG has frequent false positive issues. Plus the fact that all of the bigger AV products rate it as clean. Add to that the fact that this was released 3 weeks ago, so if there were an actual problem in it, it would have cropped up quite a while ago.

You can recreate this issue yourself if you'd like. Grab a thinice.dll from a standard local install of the version of GTK that ships with Pidgin. You'll notice it scans clean. Then UPX compress it using the open source UPX software compression utility with the following options:

upx.exe --best --compress-icons=0 --nrv2e --crp-ms=999999 -k thinice.dll

Scan that file and you'll notice that Norman will think it is infected with malware. Now, uncompress the file using UPX again:

upx.exe -d thinice.dll

Scan the result and it will again come up as clean.

Basically, what this means is that whatever value these 4 products are using as a check for this particular malware just happens to coincide with a part of that file when compressed. Some antivirus/antimalware products aren't checked for false positives as well as they should be. Even the ones that are will occasionally ship bad definitions files.

Sometimes, the impossible can become possible, if you're awesome!

Jan_HJT
Offline
Last seen: 16 years 8 months ago
Joined: 2008-02-20 13:44
Thanks...

So again some AV-vendors flagged a file as suspicious code just because it was compressed with UPX. That's annoying...

Anyway, thanks for your explanation, John!

regards, Jan

Log in or register to post comments