When downloading the Swedish Version of Comodo Firewall Pro 2.4 my AV software warns that the file is infected (with trojan Generic4.WYC)! I’ve tried searching this forum but found nothing relevant, so… Isn’t this a cause for some serious ALaRm!??
My AV (AVG Free) sends this report:
-
@HL_ReportFindRS
C:\Documents and Settings\Seth\....\Commodo Firewall Pro 2.4\CFP_Setup_English_Swedish_2.4.16.174.exe
@EID_Id_trj
Generic4.WYC
-
But then I downloaded the standard English version and manually downloaded the Swedish language pack… And this generated no warning at all! …
Well! I find any warning from my antivirus software to be quite alarming, but I also would like to find out if I’m the only one here who’s had this “problem”?? How can there be a trojan in a download from a “serious” security software company?
/ Seth
PS: I’ve not checked what this trojan is (yet) but will return here when I’ve found something…
How can you be so sure it is realy a Trojan ? I bet this is a False Positive from AVG. I think you should post on their forum
But I have uploaded the file to VirusTotal :
Complete scanning result of “CFP_Setup_English_Swedish_2.4.16.”, received in VirusTotal at 06.15.2007, 21:42:21 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.15.2007 no virus found
AntiVir 7.4.0.32 06.15.2007 no virus found
Authentium 4.93.8 06.15.2007 no virus found
Avast 4.7.997.0 06.15.2007 no virus found
AVG 7.5.0.467 06.15.2007 Generic4.WYC
BitDefender 7.2 06.15.2007 no virus found
CAT-QuickHeal 9.00 06.15.2007 no virus found
ClamAV devel-20070416 06.15.2007 no virus found
DrWeb 4.33 06.15.2007 no virus found
eSafe 7.0.15.0 06.14.2007 no virus found
eTrust-Vet 30.7.3720 06.15.2007 no virus found
Ewido 4.0 06.15.2007 no virus found
FileAdvisor 1 06.15.2007 no virus found
Fortinet 2.85.0.0 06.15.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.15.2007 no virus found
Ikarus T3.1.1.8 06.15.2007 no virus found
Kaspersky 4.0.2.24 06.15.2007 no virus found
McAfee 5054 06.15.2007 New Malware.bx
Microsoft 1.2607 06.15.2007 no virus found
NOD32v2 2334 06.15.2007 no virus found
Norman 5.80.02 06.15.2007 no virus found
Panda 9.0.0.4 06.15.2007 no virus found
Prevx1 V2 06.15.2007 no virus found
Sophos 4.18.0 06.12.2007 no virus found
Sunbelt 2.2.907.0 06.14.2007 VIPRE.Suspicious
Symantec 10 06.15.2007 no virus found
TheHacker 6.1.6.133 06.15.2007 no virus found
VBA32 3.12.0.2 06.15.2007 no virus found
VirusBuster 4.3.23:9 06.15.2007 no virus found
Webwasher-Gateway 6.0.1 06.15.2007 Win32.Malware.gen#PECompact!92 (suspicious)
Aditional Information
File size: 8974928 bytes
MD5: 2ec03ce85aa393ade11c55624f0f1b7c
SHA1: 4bb17128663ebbb4f587c00407cdea93cecd6146
packers: PECOMPACT, BINARYRES, PECOMPACT
packers: PecBundle, PECompact
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Also McAfee, Sunbelt and Webwasher flag the file, but don’t have more to say than that the file is “suspicious”, all the other vendors say the file is clean. So it is a false positive.
I’m not sure, but a warning is a warning… I’ve now also tried to get some info about this supposed trojan, but what did I find? Nothing! Not more than some healing tutorials but nothing on the virus/trojan itself… Quite strange…
My next step will certainly be to post some questions in AVG’s forum too… Thank you for that advice!
I agree with you that you should always investigate a warning. But on the other hand you should use your common sense too. You should ask yourself what would happen to a leading security company like Comodo when they would hide trojans in their products. They would be out of bussines immediately !
I’ll have to trust your “investigation” for now… It actually seems like nothing (really) to worry about, and I’ve posted some questions (with a capital Q) on the AVG forum too, so I’ll have to see what that gives?
Anyway! As I mentioned in my original post here I got “around the problem” (so to say) by downloading the english version instead and installing the swe language pack… So… No real worries here!
PS: I’ll post more here if I find some additional info from the AVG foros… Or from somewhere else.
Assuming the Swedish version was downloaded from a Comodo authorised location, then its certainly a False Positive. But… what about CFPs hidden Commercial DLL Hook Injection driver? That had a freeware version. But, was withdrawn last year due to malware abuse. Perhaps the commercial driver “looks a bit like” the freeware one in the Swedish build… for whatever reason. [Complete guess, I’ve no real idea other than that… its an obvious False Positive]
To kail : Ofcource it’s a false positive But I can understand Seth’s worries, and I think it is good he asks questions and tries to learn from it
To Seth : I saw that the AVG guys would like to see a Jotti scan and you have probs with it. Here are the results :
Service load: 0% 100%
File: CFP_Setup_English_Swedish_2.4.16.174.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
MD5 2ec03ce85aa393ade11c55624f0f1b7c
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
Scan taken on 15 Jun 2007 22:38:06 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic4.WYC
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
Well, I downloaded the file from: download.comodo.com so I suppose that it should be an authorised location (link leads to the actual download)…
But anyway… Thanx to you all! It’s obviously a “false positive” (… I suppose :-\ ) and I’ve e-mailed the file to AVG (Grisoft), so that they can modify their software updates in the future…
