WPA_Kill.exe false positive in Avast?
Posted by Al Smith on July 3rd, 2006


I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
for a couple of years. It never triggered an antivirus alert.
Recently, it tripped my Avast antivirus, which identified it as
the "Win32:Small-XC" trojan. I think this must be a false positive.

I submitted this file to the on-line scanner at Kaspersky Labs,
and it came up clean.

What do you think? Trojan? How likely is it that it would go
undetected for two years and dozens of antivirus and malware
scans, and now suddenly be identified by Avast as a trojan?

Posted by Kerodo on July 3rd, 2006


In article <kmhqg.116145$S61.86028@edtnps90>, invalid@address.com
says...
I'd try a couple of reputable online scanners and then maybe submit the
file to the Avast people and tell them you think it's an FP... see what
they say.

--
Kerodo

Posted by Al Smith on July 3rd, 2006


Yes, I'm thinking I should probably send it in to Avast to get
their response.

Posted by Vanguard on July 4th, 2006


"Al Smith" <invalid@address.com> wrote in message
news:kmhqg.116145$S61.86028@edtnps90...

Upload it to http://www.virustotal.com/en/indexf.html and have them
run several anti-virus scanners against it.


Posted by Al Smith on July 4th, 2006


I sent it in to Avast. This site you link to seems to require some
sort of plugin. I don't run stuff when I browse (no Active-X, no
Java, no JavaScript, no cookies, and so on), so it's probably not
my sort of site.

Posted by David H. Lipman on July 4th, 2006


From: "Al Smith" <invalid@address.com>


|
| Yes, I'm thinking I should probably send it in to Avast to get
| their response.


Please submit a sample of "WPA_Kill.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

If it isn't recognized by the other vendors, use the following URL and submit the file to AVAST.

mailto:virus@avast.com?subject=False%20Positive


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Posted by David H. Lipman on July 4th, 2006


From: "Al Smith" <invalid@address.com>

..
|
| I sent it in to Avast. This site you link to seems to require some
| sort of plugin. I don't run stuff when I browse (no Active-X, no
| Java, no JavaScript, no cookies, and so on), so it's probably not
| my sort of site.

It is a *very* respectable site and in my previous reply, I provided an email URL that can
be used to submit the sample for vendor analysis.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Posted by Al Smith on July 4th, 2006


Avast hasn't responded yet. I just sent the file off to the mail
address you provided for Virus Total.

Posted by Al Smith on July 4th, 2006


Yes, I just ran across the mail address and used it. Thanks. It's
just that I don't turn on JavaScript and so on unless I'm really
forced to do so. If a Web site doesn't work without them, I
generally ignore the site.

Posted by Al Smith on July 4th, 2006


Well, that was quick. Here are the results for the scan by Virus
Total. It looks to me as if Avast is the only one that flags the
file as an actual out-and-out trojan. Although BitDefender is a
bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
what that means, exactly. It is indeed WPA_Kill. That is indeed a
tool. Whether it's a trojan in the nasty, active sense, I can't
quite figure. The other scans seem to say no. Again, I'm not sure
about Fortinet. It identifies the file by its name, then puts "tr"
after the name. What does that mean? Am I right in thinking that
the overall drift is that this isn't a trojan, but that some
scanners think it is a questionable file because of what it does?

...............

Virus Total
_______________________________________________

Scan results
File: WPA_Kill.exe
Date: 07/04/2006 19:44:18 (CET)
----
AntiVir 6.35.0.20/20060704 found nothing
Authentium 4.93.8/20060703 found nothing
Avast 4.7.844.0/20060703 found [Win32:Small-XC]
AVG 386/20060704 found nothing
BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
CAT-QuickHeal 8.00/20060704 found nothing
ClamAV devel-20060426/20060704 found nothing
DrWeb 4.33/20060704 found nothing
eTrust-InoculateIT 23.72.59/20060704 found nothing
eTrust-Vet 12.6.2285/20060704 found nothing
Ewido 3.5/20060704 found nothing
Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
F-Prot 3.16f/20060703 found nothing
F-Prot4 4.2.1.29/20060703 found nothing
Ikarus 0.2.65.0/20060704 found nothing
Kaspersky 4.0.2.24/20060704 found nothing
McAfee 4799/20060704 found [Tool-WPAKill]
Microsoft 1.1481/20060701 found nothing
NOD32v2 1.1643/20060704 found nothing
Norman 5.90.23/20060704 found nothing
Panda 9.0.0.4/20060704 found nothing
Sophos 4.07.0/20060704 found nothing
Symantec 8.0/20060704 found nothing
TheHacker 5.9.8.168/20060703 found nothing
UNA 1.83/20060704 found nothing
VBA32 3.11.0/20060704 found nothing
VirusBuster 4.3.7:9/20060704 found nothing

Posted by David H. Lipman on July 4th, 2006


From: "Al Smith" <invalid@address.com>

| Well, that was quick. Here are the results for the scan by Virus
| Total. It looks to me as if Avast is the only one that flags the
| file as an actual out-and-out trojan. Although BitDefender is a
| bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
| what that means, exactly. It is indeed WPA_Kill. That is indeed a
| tool. Whether it's a trojan in the nasty, active sense, I can't
| quite figure. The other scans seem to say no. Again, I'm not sure
| about Fortinet. It identifies the file by its name, then puts "tr"
| after the name. What does that mean? Am I right in thinking that
| the overall drift is that this isn't a trojan, but that some
| scanners think it is a questionable file because of what it does?
|
| ..............
|
| Virus Total
| _______________________________________________
|
| Scan results
| File: WPA_Kill.exe
| Date: 07/04/2006 19:44:18 (CET)
| ----

| Avast 4.7.844.0/20060703 found [Win32:Small-XC]
| BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
| Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
| McAfee 4799/20060704 found [Tool-WPAKill]

< snip

Tool-WPAKill -- http://vil.nai.com/vil/content/v_136760.htm

McAfee is mixed on this. On one hand it calls this a Trojan but defines it as a "Tool" and
a "Potentially unwanted program" so what I can discern from this is that the utility is NOT
in itself malicious but can be used in a malicious fashion.

Based upon this, I would not call this a False Positive.

If it is a tool you like to use, legitimately, I suggest storing it in a password protected
ZIP file and disabling Avast prior to extracting it for use.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
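
Added example, not part of any post in this thread: a small Python parser for the Virus Total report format quoted above, which counts detections and separates labels that name the tool from labels that do not. The function names, the `family` parameter and the punctuation-stripping comparison are assumptions of this example; the report lines are copied from the post.

```python
import re

# Lines copied from the Virus Total report posted in this thread (subset).
REPORT = """\
AntiVir 6.35.0.20/20060704 found nothing
Avast 4.7.844.0/20060703 found [Win32:Small-XC]
BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
ClamAV devel-20060426/20060704 found nothing
Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
Kaspersky 4.0.2.24/20060704 found nothing
McAfee 4799/20060704 found [Tool-WPAKill]
VirusBuster 4.3.7:9/20060704 found nothing
"""

# engine, engine version, update date (YYYYMMDD), then "nothing" or [label]
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<updated>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<label>[^\]]+)\])$"
)

def parse_report(text):
    """Return one dict per scanner line; label is None for 'found nothing'."""
    rows = []
    for raw in text.splitlines():
        line = raw.lstrip("|> ").strip()   # accept lines quoted in a reply
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def triage(rows, family="wpakill"):
    """Split detections by whether the label names the given family.

    `family` is this example's own parameter: labels are compared after
    lower-casing and dropping punctuation, so vendor prefixes and suffixes
    are ignored.
    """
    named, other = [], []
    for r in rows:
        if r["label"] is None:
            continue
        flat = re.sub(r"[^a-z0-9]", "", r["label"].lower())
        (named if family in flat else other).append(r["engine"])
    return {"engines": len(rows), "detections": len(named) + len(other),
            "named_family": named, "other_label": other}

if __name__ == "__main__":
    print(triage(parse_report(REPORT)))
```

On these lines, three of the four detections carry a label naming WPAKill and only Avast's label does not, which is the split the replies above discuss.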


Posted by Kerodo on July 4th, 2006


In article <Zayqg.8093$0G2.6046@trnddc07>, DLipman~nospam~@Verizon.Net
says...
Or, if Avast can handle exclusions, tell it to exclude this file from
any future scans.

--
Kerodo

Posted by Al Smith on July 4th, 2006


That's a reasonable option. Another I thought of is simply copying
the file to a floppy and in that way getting it off my hard drive.
I don't want to delete it because, as I discovered this week while
poking around for it, WPA_Kill is becoming harder to find on the
Internet. I might have trouble locating it the next time I need it.

