[SOLVED] FP for Mercury Mail - graywallsetup.exe

I just installed CIS 3.8.64263.468. During the installation scan for malware, it detected malware in the file graywallsetup.exe, which is part of Mercury Mail. Mercury Mail was in this case part of the XAMPP software package (bundled open source web server software). It happened for the files contained in XAMPP 1.6.8 and XAMPP 1.7.0.

It marked the file as having Application.Win32.FraudTool.MacroVirus.~A(ID=0x2cd256).

Now, I’m not personally sure it is virus free, but I’d be very surprised if it was (CIS 3.5 and Avast 4.8 don’t trigger on it), and there would have been a huge outcry if XAMPP was packaging a virus/malware.

Here is the virustotal.com link for it:

http://www.virustotal.com/analisis/bc9b91e57912eaa0974d3994f67939fd

Someone had already checked the same file, but that was in 2008-01, so I also rescanned it:

http://www.virustotal.com/analisis/582b3057694a697df2a9d9ecf83a32ca

Hi,

Please update your CIS bases, scan the files, and check whether the file is still detected with the latest update.

Regards,
Sriram.P

No change…it’s still showing up.

The Threat has changed to Application.Win32.FraudTool.MacroVirus.~A@2937430

As of 3.8 v477 with DB 1005, it is no longer reporting as a virus. So at some point, it was fixed.