I woke up yesterday to find the first BoClean detection alert I have ever witnessed. It reported that a trojan, WEBDL4LITE, has been found in memory and was killed along with a warning that the file that started it is still on the disk. What I found strange about it is the following:
The file in question, msfeedssync.exe (approx 1Xkb in size, close to what CA reports to be the original WEBDL variant’s size) seems to belong to Windows and does not appear to have been modified since its original creation date.
The warning occurred only once; after closing the original detection window it hasn’t popped up again even though the msfeedssync app supposedly runs at regularly scheduled intervals.
The only reference to this file and suspicious activity / detections / fp was on Kaspersky forums where it was flagged as a fp with very little info. Avira remained silent the whole time, Virustotal and Jotti found nothing in the file which was expected, neither did Kaspersky’s file upload scanner. VT reported the file being scanned already on the 26th so there is a chance that someone else ran into the same detection.
No unknown new executable files dated 01/28/08 can be found on the machine. Machine performance has not been visibly degraded or affected in any way.
Any ideas as to why the detection popped up? False positive? Exploit? Random disturbance in the Force? I am kind of worried.
Submitted file to the Comodo email address I found in a FAQ thread, no response yet.