
Malwarebytes

Warning FP in mbam downloader


44 replies to this topic

#1
dvk01
Heads up warning

There has been a FP in the regnow downloader for MBAM & most probably all regnow sold products via affiliate links

I have been in touch with the AV companies to get it fixed & expect a speedy resolution, but watch out for a few complaints for the next couple of hours

It isn't the actual MBAM file but in the system that regnow use where they download a download manager first and it is the download manager that is the problem



---[ www.virustotal.com ]---------------------------

File Download_mbam-setup.exe received on 03.14.2008 09:15:31 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.3.14.0 2008.03.14 no virus found
AntiVir 7.6.0.73 2008.03.13 no virus found
Authentium 4.93.8 2008.03.13 no virus found
Avast 4.7.1098.0 2008.03.13 no virus found
AVG 7.5.0.516 2008.03.13 no virus found
BitDefender 7.2 2008.03.14 no virus found
CAT-QuickHeal 9.50 2008.03.13 Downloader.Keylogger.a (Not a Virus)
ClamAV 0.92.1 2008.03.14 no virus found
DrWeb 4.44.0.09170 2008.03.14 no virus found
eSafe 7.0.15.0 2008.03.09 no virus found
eTrust-Vet 31.3.5614 2008.03.14 no virus found
Ewido 4.0 2008.03.13 no virus found
FileAdvisor 1 2008.03.14 no virus found
Fortinet 3.14.0.0 2008.03.14 Download/Keylogger
F-Prot 4.4.2.54 2008.03.13 no virus found
F-Secure 6.70.13260.0 2008.03.14 no virus found
Ikarus T3.1.1.20 2008.03.14 no virus found
Kaspersky 7.0.0.125 2008.03.14 not-a-virus:Downloader.Win32.Keylogger.a
McAfee 5251 2008.03.13 no virus found
Microsoft 1.3301 2008.03.13 no virus found
NOD32v2 2946 2008.03.14 no virus found
Norman 5.80.02 2008.03.13 no virus found
Panda 9.0.0.4 2008.03.13 no virus found
Prevx1 V2 2008.03.14 no virus found
Rising 20.35.40.00 2008.03.14 no virus found
Sophos 4.27.0 2008.03.14 no virus found
Sunbelt 3.0.963.0 2008.03.14 no virus found
Symantec 10 2008.03.14 no virus found
TheHacker 6.2.92.245 2008.03.14 no virus found
VBA32 3.12.6.2 2008.03.13 Downloader.Win32.Keylogger.a
VirusBuster 4.3.26:9 2008.03.13 no virus found
Webwasher-Gateway 6.6.2 2008.03.13 no virus found

Additional information

File size: 128368 bytes
MD5: 4971a5730dc3fb83d66935578f0cd388
SHA1: 69c1143c716a2261dbb6fe5411d6f1b03ae61fee
PEiD: Armadillo v1.71
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running

#2
RubbeR DuckY
Derek, I will have to either contact each of these vendors, or RegNow to stop using silly packers.
Marcin Kleczynski
President and CEO
Follow me on Twitter or check out my Blog!

#3
dvk01
I have just heard back from KAV and after a bit of a discussion with one analyst I have bypassed & gone to a higher level who is getting it fixed

#4
RubbeR DuckY
Good to hear .. unfortunately I believe it is unacceptable that RegNow is using these types of packers. I will have a talk with them tonight.

#5
dvk01
it isn't the packer they are detecting or worried about this time but the actual downloader

Regnow don't put an actual download on the site BUT when you follow an affiliate link you get a small downloader which acts as a download manager and the downloader downloads the actual file

I can see why they do it as it makes it easier for them to track and for the developer to upload new versions more easily

The downloader contains the affiliate code which on contacting the main file injects the affiliate code into the actual program that is downloaded

I can see why the antivirus companies consider it a risk as it would not be difficult to alter the downloader to inject malicious code

#6
RubbeR DuckY
Any ideas to get the file whitelisted?

#7
dvk01
fixed in Kaspersky now

I haven't heard from the others who did detect it but as they all seem to follow or use KAV detections in some way they should hopefully soon fix it

#8
RubbeR DuckY
Thanks :).

#9
lordpake
dvk01, on Mar 14 2008, 11:51 PM, said:

fixed in Kaspersky now

I haven't heard from the others who did detect it but as they all seem to follow or use KAV detections in some way they should hopefully soon fix it
Well someone fixed something alright ^^

This time it's NOT a keylogger detection from Kaspersky, but a Winfixer :P
http://www.virustotal.com/analisis/1a94c96...3a72756fe3fb6c1


I'm sure you can appreciate my surprise when, while doing some maintenance on my brother's laptop, I decided to check it with MBAM. Lo and behold, KAV jumps into action when I downloaded via MajorGeeks - 'Authors site' link.
Men make good pets.

#10
RubbeR DuckY
Grr .. anybody have any ideas on how to whitelist this?

#11
dvk01
I have emailed Kaspersky again today as it is still detecting it
detected: riskware not-a-virus:Downloader.Win32.WinFixer.fs File: C:\Documents and Settings\Derek Knight\Desktop\mbam\Download_mbam-setup.exe

If no response I will speak direct to someone high up who has the power to deal with

the problem seems to be with regnow using a stupid download system & not downloading the file itself but the detection is for the regnow downloader for the download

#12
RubbeR DuckY
I am in talks with Regnow as of yesterday to help solve this issue.

#13
Scotty
I had one yesterday where Zone Alarm id'd MBAM as Winfixer too.

#14
lordpake
Scotty, on Apr 13 2008, 08:01 PM, said:

I had one yesterday where Zone Alarm id'd MBAM as Winfixer too.
If you have the AV version from ZoneLabs then this is the same Kaspersky detection. I recall they licensed the AV from Kaspersky.

#15
RubbeR DuckY
This is becoming RIDICULOUS. I am personally contacting each of these companies right now. Let's see who is worthy enough to call themselves an Anti-Virus.

CAT-QuickHeal 9.50 2008.04.16 Downloader.Keylogger.a (Not a Virus)
DrWeb 4.44.0.09170 2008.04.16 Adware.Winfixer
Kaspersky 7.0.0.125 2008.04.16 not-a-virus:Downloader.Win32.WinFixer.fs
Norman 5.80.02 2008.04.16 W32/DLoader.GBVM
TheHacker 6.2.92.280 2008.04.16 Aplicacion/Keylogger.a
VirusBuster 4.3.26:9 2008.04.16 Adware.WinFixer.AH

Wish me luck.

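The thread compares two VirusTotal text reports for the same RegNow downloader (post #1 and post #15) by eye. As an added example, not code from the thread or from Malwarebytes, the parser below reads that report format, pulls out the engines that flag the file and the MD5/SHA1 lines, separates "not-a-virus"/adware style riskware labels from hard malware verdicts, and diffs two snapshots so a defender can see which vendors cleared the file, which still flag it, and which renamed their detection. The sample reports are excerpts of the lines quoted in this thread.

```python
import re

# Excerpts of the two VirusTotal reports quoted in this thread (March and April 2008).
REPORT_MAR = """\
File Download_mbam-setup.exe received on 03.14.2008 09:15:31 (CET)
AhnLab-V3 2008.3.14.0 2008.03.14 no virus found
CAT-QuickHeal 9.50 2008.03.13 Downloader.Keylogger.a (Not a Virus)
Fortinet 3.14.0.0 2008.03.14 Download/Keylogger
Kaspersky 7.0.0.125 2008.03.14 not-a-virus:Downloader.Win32.Keylogger.a
VBA32 3.12.6.2 2008.03.13 Downloader.Win32.Keylogger.a
MD5: 4971a5730dc3fb83d66935578f0cd388
SHA1: 69c1143c716a2261dbb6fe5411d6f1b03ae61fee
"""
REPORT_APR = """\
CAT-QuickHeal 9.50 2008.04.16 Downloader.Keylogger.a (Not a Virus)
DrWeb 4.44.0.09170 2008.04.16 Adware.Winfixer
Kaspersky 7.0.0.125 2008.04.16 not-a-virus:Downloader.Win32.WinFixer.fs
Norman 5.80.02 2008.04.16 W32/DLoader.GBVM
"""

# One engine row of the old VT text format: "<engine> <version> <YYYY.MM.DD> <result>"
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
HASH = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)\s*$")
# Labels vendors use for "risky but not malicious" verdicts, as seen in the thread.
RISKWARE = re.compile(r"not-a-virus|\(not a virus\)|adware|riskware", re.I)

def parse_report(text):
    """Return ({engine: result} for engines that flagged the file, {hash_name: hex})."""
    hits, hashes = {}, {}
    for line in text.splitlines():
        h = HASH.match(line)
        if h:
            hashes[h.group(1)] = h.group(2).lower()
            continue
        m = ROW.match(line)
        if m and m.group(4).lower() != "no virus found":
            hits[m.group(1)] = m.group(4)
    return hits, hashes

def classify(result):
    """'riskware' for not-a-virus/adware style labels, 'malware' for hard verdicts."""
    return "riskware" if RISKWARE.search(result) else "malware"

def compare(old, new):
    """Diff two snapshots: engines that cleared, still flag, newly flag, or renamed the verdict."""
    old_hits, new_hits = parse_report(old)[0], parse_report(new)[0]
    both = set(old_hits) & set(new_hits)
    return {
        "cleared": sorted(set(old_hits) - set(new_hits)),
        "still_flagged": sorted(both),
        "new": sorted(set(new_hits) - set(old_hits)),
        "renamed": sorted(e for e in both if old_hits[e] != new_hits[e]),
    }
```

Running compare(REPORT_MAR, REPORT_APR) shows Fortinet and VBA32 dropping the detection while Kaspersky keeps flagging the file under a new name, which is the resubmission problem dvk01 describes later in the thread.
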
#16
RubbeR DuckY
All companies have been contacted. The e-mail to Kaspersky bounced back as undeliverable, great! :P. Now I contact RegNow and yell at them.

#17
dvk01
I will sort Kaspersky tomorrow morning UK time

#18
leofelix
RubbeR DuckY, on Apr 16 2008, 10:19 PM, said:

All companies have been contacted. The e-mail to Kaspersky bounced back as undeliverable, great! :P. Now I contact RegNow and yell at them.


Hi Marcin,
I tried to send an e-mail to Kaspersky Technical Support with no response. I think the only way to get in touch with them consists in subscribing to their forum.

#19
lordpake
leofelix, on Apr 17 2008, 08:10 PM, said:

I think the only way to get in touch with them consists in subscribing to their forum.
And from the little information I've managed to gather while lurking in their forums, I'd say you are wrong. Approaching support via email is the right path to take, it's just that they may be swamped under work load, and they probably, not surprisingly, prioritize their customers. The few times I've been in contact with them, I have no complaints.

#20
dvk01
I am speaking to Kaspersky about it but my contact is away at the moment but he will deal when he comes back

he fixed it last time but another submission must have been done & a more junior one must have not seen it properly

I will see if he can do a permanent whitelisting for it
