After today’s CIS update, the antivirus detected a trojan that is supposed to be a keylogger (TrojWare.Win32.Magania.~AB@25568567) in one of the programs I use. I can’t tell for sure that this program is not malware, but it has worked for a few months and, as far as I can tell, there have been no incidents or suspicious behavior.
So I uploaded that app to virusscan.jotti.org, and all the reports said the file was “clean” (here’s the summary: http://virusscan.jotti.org/en/scanresult/e89427ddf1d7f1931ecfd8ebdfdf4448260f48f3).
Then I tried Comodo Instant Malware Analysis, and it didn’t find anything suspicious either: http://camas.comodo.com/cgi-bin/submit?file=4d2a6120316eb1bc04df029e76bb92357cf3035abe3cde4c31fc9a405bb6e2e3
I also searched the internet for a description of this virus and removal instructions, but haven’t found any files or registry keys that should have been created by this virus.
On the other hand, the program’s function is somewhat close to that of a keylogger: it’s actually a hotkey helper. It watches a certain program’s window for certain keystrokes and, when they are found, sends another key combination to that program’s window (through the Win32 API, via WM_CHAR).
So my question is: if Comodo antivirus identifies a threat by name (in this case, Magania), is there still a possibility of a “false positive”, or is it definite? Could a legitimate program contain a piece of code that matches the signature of some known virus?
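As an added illustration (not part of the original post, and using invented bytes rather than any real Magania or Comodo signature), the Python below contrasts the two ways a scanner can attach a name to a file: an exact file hash, and a byte pattern for a code fragment with wildcards in the YARA “??” style. The constructed “hotkey helper” shares a keyboard-hook call stub with the constructed “malware sample”, so the pattern signature names it as the same trojan even though the hash signature does not fire. The signature names, the stub bytes and both “files” are assumptions made up for the example.

```python
"""Toy illustration of why a named AV detection can still be a false positive.

Two kinds of signatures are compared over constructed inputs:
  * a whole-file hash, which only matches the exact sample it was taken from;
  * a byte pattern with wildcards ("??"), which matches any file containing
    the same code fragment, including an unrelated legitimate tool.
All bytes below are invented for this example; none is a real AV signature.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed instruction sequence standing in for a keyboard-hook call stub
# (push 13 (WH_KEYBOARD_LL), push 0, call [import], mov edi, eax). A hotkey
# helper and a keylogger could plausibly both contain such a stub.
HOOK_STUB = bytes.fromhex("6a 0d 6a 00 ff 15 10 20 40 00 8b f8")

# Constructed "files": a hypothetical known malware sample and a hypothetical
# legitimate hotkey helper that happens to share the hook stub.
MALWARE_SAMPLE = b"MZ" + b"\x90" * 32 + HOOK_STUB + b"c:\\log\\keys.txt\x00" + b"\x00" * 16
HOTKEY_HELPER = b"MZ" + b"\xcc" * 40 + HOOK_STUB + b"hotkey helper v1\x00" + b"\x00" * 8


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the most specific signature a scanner can use."""
    return hashlib.sha256(data).hexdigest()


def compile_pattern(hex_pattern: str) -> re.Pattern:
    """Turn "6a 0d ?? ?? 8b f8" into a bytes regex; "??" matches any one byte."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0a byte.
    return re.compile(b"".join(parts), re.DOTALL)


# Hypothetical signature database: one exact-hash entry taken from the sample,
# one pattern entry covering the hook stub with the import address wildcarded.
SIGNATURES: Dict[str, Tuple[str, str]] = {
    "hash:Trojan.Keylogger.Sample": ("hash", sha256_hex(MALWARE_SAMPLE)),
    "pattern:Trojan.Keylogger.HookStub": ("pattern", "6a 0d 6a 00 ff 15 ?? ?? ?? ?? 8b f8"),
}


def scan(data: bytes, signatures: Dict[str, Tuple[str, str]] = SIGNATURES) -> List[str]:
    """Return the names of every signature that fires on `data`, in database order."""
    hits = []
    for name, (kind, value) in signatures.items():
        if kind == "hash" and sha256_hex(data) == value:
            hits.append(name)
        elif kind == "pattern" and compile_pattern(value).search(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, blob in (("malware sample", MALWARE_SAMPLE), ("hotkey helper", HOTKEY_HELPER)):
        print(f"{label}: {scan(blob) or ['clean']}")
```

Running it shows the malware sample hitting both entries while the hotkey helper hits only the pattern entry: a scanner that reports the pattern’s family name gives the same verdict for both files, which is why the detection name alone does not settle whether a file is the known trojan or an unrelated program that shares a code fragment.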