Skype downloaded with Packed.Win32.MUPX.Gen[at]129019204 malware

Hello. I was downloading Skype from Download Skype for mobile & desktop | Skype . I was surprised to see that my dear Comodo had discovered malware in that Skype installation package! Comodo quarantined the file because it contained Packed.Win32.MUPX.Gen[at]129019204 . I have faith in Comodo. But isn’t it a bit hard to believe that Skype is being downloaded with malware? I have searched the Comodo forum for reports on this issue. But it seems that others have faced connection problems, not a malware issue like this.

As Comodo has quarantined it, I can no longer complete the download and install. Should I take it for certain that Skype is packed with malware, or is this a false positive? It would be very nice if experienced forum members could shed some light on this.

UPDATE

Because I was downloading Skype with the DownThemAll download manager in Firefox, Comodo quarantined the *.dtapart file which the download manager creates for running downloads. This made me curious, and I started downloading Skype again, but this time with the default Firefox download manager. NOTHING HAPPENED. Comodo took no action!!!

This incident made me try the download with DTA again. NOTHING HAPPENED. It downloaded successfully!!! Later I installed the first downloaded copy of Skype and, from Comodo’s point of view, that was OK.

How did the very first copy, which I was downloading a couple of hours ago, get contaminated? The quarantined file is still visible in Comodo’s quarantined files section.

I have uploaded the quarantined file to Comodo. I will be very glad if someone from Comodo could verify that file and shed some light on this issue.

Assuming it is digitally signed, you can check the signature. If it is intact then it was not tampered with. And since it is coming from skype.com it is safe to assume it is a false positive.

Could you submit it in AV False Positive/Negative Detection Reporting following How to report False Positives - Please read this before submitting !

Dear EricJ, thanks for replying. I tried to upload the file from Documents and Settings\All Users\Application Data\Comodo\Cis\Quarantine\data on Comodo Antivirus Database | Submit Files for Malware Analysis . But it failed several times with an upload error after some time. So I gave up.

But I have uploaded the file from the CIS quarantine interface. My copy of CIS still lists them as quarantined. Can you guys please check the section of files uploaded via the CIS interface?

I am not posting this to the false positive section. I think it is not clear whether the file got contaminated at Skype or somewhere along its travel path. The answer to that is surely of interest to you!

If it is possible to let me know anything about that file, I’ll be happy to check this page at regular intervals.

Thanks again for responding.

Just after posting the previous reply I checked the quarantined files online. From VirusTotal and https://www.metascan-online.com/en/scanresult/file/986aa021a2a341619a072beffd59f3fd the results are -

Comodo Packed.Win32.MUPX.Gen 20140429

Bkav HW32.CDB.47d2 20140428

ByteHero Trojan.Win32.Heur.087 2014-04-28

Did you check the digital signature of the Skype installer? If it is intact then it was not tampered with. And since it comes from the Skype site it is not likely it is infected.

When only a couple of AVs flag it, it is likely a false positive. ByteHero detects it with heuristics (Trojan.Win32.Heur.087), which always has an element of speculation in it. Comodo flags the packer method (Packed.Win32.MUPX.Gen); a packer type in itself does not determine something to be malicious, it only makes it more likely. The detection by BKAV is not obvious to me.

Because of the limited number of AVs flagging it, the speculative nature of some detections, and because it has not been on the tech news sites over the past couple of days that Skype had provided an infected installer, I conclude it is most likely a false positive.

When you submit it as a false positive it will be checked whether it is malicious or not. Please do not let your doubts keep you from submitting it. Did you check the digital signature? If not, please do so. Digital signatures help to determine whether a file was tampered with or not.

Dear EricJ, as per your suggestion I will make a post in the false positive section.

Did you check the digital signature? If not, please do so. Digital signatures help to determine whether a file was tampered with or not.

While downloading I didn’t use the checksum feature of the download manager. Moreover, unlike some other sites that show hash values on the download page, Skype offered nothing similar that I could put in the box for checking. However, I did calculate the MD5 and SHA1 values of the quarantined file with fciv.exe, which shows -

MD5 - 9f18a63462be098a9eb56af36b4c3ce1
SHA1- a923e9ec282a3ff56350b27d0db83f9ec6d2ea42

I do not know whether these numbers are of any use now.
As the download didn’t complete because of Comodo’s interception, the file in the quarantine data folder is less than 2 MB. I am including the file in a zip, and a screenshot of the hash calculation.
Thanks.


If the file was not completely downloaded then checking its signature will fail.
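Several replies above advise checking the installer’s digital signature and note that a truncated download will fail that check; the OP also computed MD5/SHA1 hashes of the quarantined fragment by hand. The following PowerShell script is an added example, not code from the thread or from Comodo or Skype, that does both checks on a local file: it prints the file size and hashes (to compare against a known-good copy) and evaluates the Authenticode signature, distinguishing a modified or truncated file (HashMismatch or NotSigned) from an intact one. The path and the optional expected publisher string are assumptions supplied by the caller.

```powershell
# Added example: verify a downloaded Windows installer before deciding whether an
# AV detection is real. Not part of the original thread; paths are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                 # e.g. the quarantined fragment or the full 33.2 MB installer
    [string]$ExpectedPublisher     # optional substring of the signer's Subject, e.g. 'Skype'
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

$item = Get-Item -LiteralPath $Path
"File: {0}" -f $item.FullName
"Size: {0:N0} bytes" -f $item.Length

# Hashes: compare with a vendor-published value or with a copy known to be good.
# A partial download (such as a .dtapart fragment) will never match the full file.
foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    $h = Get-FileHash -LiteralPath $Path -Algorithm $alg
    "{0,-6} {1}" -f $alg, $h.Hash.ToLower()
}

# Authenticode: the signature covers the PE image, so any byte change or truncation
# after signing invalidates it. A truncated file typically reports NotSigned
# (certificate table missing) or HashMismatch (image changed under the signature).
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Signature status: {0} ({1})" -f $sig.Status, $sig.StatusMessage

if ($sig.SignerCertificate) {
    "Signer:     {0}" -f $sig.SignerCertificate.Subject
    "Issuer:     {0}" -f $sig.SignerCertificate.Issuer
    "Thumbprint: {0}" -f $sig.SignerCertificate.Thumbprint
    "Valid from: {0} to {1}" -f $sig.SignerCertificate.NotBefore, $sig.SignerCertificate.NotAfter
}

switch ($sig.Status) {
    'Valid' {
        if ($ExpectedPublisher -and ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*")) {
            "WARNING: signature is valid but the signer is not '$ExpectedPublisher'. Do not run it."
        } else {
            "OK: signature intact; the file was not modified after the publisher signed it."
        }
    }
    'HashMismatch'  { "WARNING: file was modified or truncated after signing." }
    'NotSigned'     { "WARNING: no signature found. Incomplete download, or an unsigned build." }
    'NotTrusted'    { "WARNING: signed, but the certificate chain is not trusted on this machine." }
    default         { "WARNING: signature could not be validated (status $($sig.Status))." }
}
```

Run it as `.\Verify-Installer.ps1 -Path 'C:\path\to\SkypeSetup.exe' -ExpectedPublisher 'Skype'` (file name and publisher string are placeholders). A `Valid` status from an expected signer is strong evidence the file is the vendor’s own; it says nothing about whether the vendor’s file is benign, which is what the false positive submission answers.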

I downloaded the installer, which is the full setup of Skype and is 33.2 MB in size.

I am running the full setup and I get no AV alert. When I unpacked the file you put in the zip file it got flagged immediately. Your file is approx. 1.6 MB. Which is confusing.

I am not sure what happened with you.

Dear EricJ, you are right in saying that the installer was 33 MB and there was no virus detected after downloading. The same thing happened to me! DON’T GET CONFUSED. Please have another look at the first post.

The first two downloads [one with DTA and the other with the FF default] were intercepted by Comodo saying that they were infected. Thus the downloads failed.

I have another file in the quarantine folder which is 33.2 MB. If you want, I can upload that big file too. But Comodo does not allow attachments of more than 15 MB.

When I attempted the download again 2-3 hours later, Comodo said nothing.

The entries are still listed in the quarantine section. Screenshot included. Maybe they got contaminated while they were travelling from Skype to my PC. But the later two files were left untouched.

If that is the case, we may not be able to know who did this. But you can find out what was done. What does Packed.Win32.MUPX.Gen[at]129019204 actually do? Eavesdropping?

As per your suggestion I have posted this in the false positive section - https://forums.comodo.com/av-false-positivenegative-detection-reporting/skype-packedwin32mupxgenat129019204-t104189.0.html . If it is possible to let me know anything about that file, I’ll be happy to check this page at regular intervals.

I highly appreciate your regular responses.


It looks like the DTA download manager (is that the correct name?) chops up a download as part of how it works, and that CIS is responding to those dtapart files.

Are you using DTA download manager also in FF?

Hello again, and thanks. Yes, the DownThemAll add-on works within Firefox - https://addons.mozilla.org/en-US/firefox/addon/downthemall/ .

Point to be noted: Comodo not only blocked the Skype download via DTA, but also blocked the Skype download while I was using FF’s default download system.

AFTER 2-3 HOURS, both DTA and the FF default system downloaded Skype successfully without any challenge from Comodo.

In the quarantine folder I not only have that small file but also another one, 33.2 MB (34,828,960 bytes) in size, named {56D3642D-F917-4008-83EA-86E8A192BE40} . This one is also Skype.

Dear EricJ, the false positive team said that it was a “false positive”. So I think this topic is solved for now, without answers to my curiosities. I will delete the quarantined files after 48 hours. Thanks for your help. https://forums.comodo.com/av-false-positivenegative-detection-reporting/skype-packedwin32mupxgenat129019204-t104189.0.html