File suspected as HEUR/Cryted. Should I delete the file?

n1sh1k4ze · April 16, 2008, 11:09am

Sorry to bother again… I just use virustotal.com to check on one file that is suspected as HEUR/Cryted by Avira Antivir 8.0… The results are: 10 out of 32 antivirus stated the file as malware/suspicious file… Should I delete the file? 'Coz this file is a part of a Japanese game files that I installed recently… I doubt wheter I should erase it or not. Thx…

Here is the results from virustotal.com:

File reg.000 received on 04.16.2008 12:41:47 (CET)
Current status: finished
Result: 10/32 (31.25%)

AntiVir 7.6.0.85 2008.04.16 HEUR/Crypted
CAT-QuickHeal 9.50 2008.04.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.16 PUA.Packed.SVKP
eSafe 7.0.15.0 2008.04.16 Suspicious File
F-Secure 6.70.13260.0 2008.04.16 Suspicious:W32/Malware!Gemini
Panda 9.0.0.4 2008.04.16 Suspicious file
Sophos 4.28.0 2008.04.16 Sus/ComPack
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
TheHacker 6.2.92.279 2008.04.16 W32/Behav-Heuristic-071
Webwasher-Gateway 6.6.2 2008.04.16 Heuristic.Crypted

Additional information
File size: 167936 bytes
MD5…: 15f82849a32a379d0112a1c274ed0be1
SHA1…: 9e54a2d668fa0b65b6de562782d07b905abc1e35
SHA256: 3a7b10ef609cd903e4a22272a3d5224eb793168e4b8768c41b7ae4cc260b90a3
SHA512: cab0fb24be30a6a761120fde6fd741cf4efa940df6a428f7b56597968c8a025c
7202d15b79abe530037dc4b0d654649b405a8f48568dbe8254ca1f187ddafd74
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x409000
timedatestamp…: 0x4733fafc (Fri Nov 09 06:15:24 2007)
machinetype…: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x4000 0x4000 7.99 c635d1201ae2496b835c54fe923c106c
0x5000 0x1000 0x1000 7.96 ba453871ba1d974d726678403f4e1906
0x6000 0x3000 0x3000 7.99 4bf322ed59e240b0b9e6f11f9bb9e97f
.text 0x9000 0x20000 0x20000 7.28 323ad12ec6126385973d5feaa6c5d3e8

( 3 imports )

KERNEL32.DLL: _lopen, ExitProcess
USER32.DLL: MessageBoxA
SHELL32.DLL: ShellExecuteA

( 0 exports )
packers: SVKProtector

EricCryptid · April 16, 2008, 11:51am

I think you should at least quarantine the item and submit it to whoever is your Antivirus Vendor.

Eric

gordon · April 16, 2008, 3:25pm

You should note the following :

1 : The file is packed with SVKProtector .
Many AV-programs, especially those using “heuristics” aka “guessing” and the cheapo ones
don’t like files packed with such tools and will flag them as “suspicious” or even call them “trojan” or
“mallware” instead of telling the truth : “Unable to scan the content of the file”
( and that is also why “hackers” use packers and obfuscators when trying to hide their evil code btw)

2 : None of the “big” AV-programs (Kaspersky, Symantec etc etc)
seem to have a problem with the file . This is usually a good indicator for a “false positive”

When I get a file like that I usually wait a couple of days and re-submit it to virustotal .
If the “big” AV’s still don’t have a problem with the file then it’s a false positive …

n1sh1k4ze · April 29, 2008, 12:50pm

Thx for the reply… It really enrich my knowledge… Well, i submit it to avira.com and they said that the file is a damaged file (Malware). 'Coz they found some malicious codes in it.

EricCryptid · April 30, 2008, 7:45am

Great news! At least Avira managed to catch the file as Suspicious.

Eric

system · June 1, 2008, 4:50am

Topic Locked.

Reason: Out-Dated post.

Josh