The simFlight Network Forums

WideFS Download Contains a Trojan (Malware)

In the WideFS.zip download, my anti-malware program reported that the file WideFS Closer.exe contains Trojan.GenericKD.2079676. I submitted it to them for confirmation, and they just reported back that it was a false positive detection, and issued an update to their database.

I tried to change the Title of this thread but the forum won't let me do that.

Edited by HoggyDog

http://totalhash.com/analysis/bb35384a793600a2c6aa55709cbdceed2cabf910

"Generic". "Suspicious". I'm afraid that it looks like your "beautiful" AV package has almost certainly generated a false positive... Which is normally Symantec's job!

A search for more details about "Trojan.GenericKD.2079676" reveals nothing but that page, this forum post and a lot of other posts with similar, but non-identical references. Most of them are stated as false positives, with a few being actual threats. Rather amusingly, according to one AV website which didn't recognise 2079676, but did recognise "Trojan.GenericKD", the name is a term used by Microsoft Security Essentials (which says this isn't malware) and it should be removed by running MalwareBytes (which says this isn't malware).

Pete is on holiday at present, so won't be able to comment, but it is definitely worth sending the files (or download links) to your AV provider, so that they can either investigate the included malware if it is present, or improve their detection routines if it is a false positive.

Cheers,

Ian P.


Take a look at the link I posted, mgh - it shows the response of many different AV scanners to the file. A handful report it as being a "generic" trojan or "suspicious", which apart from zero-day attacks (which this clearly isn't, as the file has been in use for a while), pretty much always means it's a false positive.

You'll notice that serial offender Symantec says the file is "suspicious.MH690". According to their site: "Suspicious.MH690 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers." (http://www.symantec.com/security_response/writeup.jsp?docid=2008-121617-3748-99)

In other words, it's a heuristic detection. It looks like it might be a virus, which again means either a zero-day infection, or a false positive. As it cannot be a zero-day attack (i.e. released within the last few hours and as yet not assigned its own malware IDs by the AV companies) then it's a false positive.

Ian P.

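As an added example (not code from this thread, from the WideFS project, or from any AV vendor), here is the triage reasoning Ian P. applies above written out as a small Python script: compute the file's hashes so it can be looked up on a multi-engine service, then sort the engine verdicts into named-family detections versus generic/heuristic ones and weigh them against the detection ratio. The verdict table is constructed for illustration (only the two detection names quoted in the thread are real), the list of "heuristic" name markers is my own assumption rather than any vendor's naming convention, and the claim that the totalhash analysis URL is keyed on SHA-1 is inferred only from the 40-hex-digit key in the URL quoted above.

```python
"""Triage a multi-engine scan result: likely false positive or real detection?

Added example for the discussion above; not code from the thread, WideFS or an
AV vendor. Engine names/results below are constructed, not a real scan report.
"""
from __future__ import annotations

import hashlib
import re

# Name fragments vendors commonly use for heuristic, generic or machine-learning
# detections rather than for a named malware family. Assumption: illustrative
# list, not any vendor's documented naming scheme.
HEURISTIC_MARKERS = re.compile(
    r"(generic|suspicious|heur|\bml\b|behav|unsafe|artemis|\bgen\b)",
    re.IGNORECASE,
)


def is_heuristic(detection_name: str) -> bool:
    """True if the detection name looks generic/heuristic rather than a family name."""
    return bool(HEURISTIC_MARKERS.search(detection_name))


def triage(verdicts: dict[str, str | None]) -> dict:
    """Summarise a scan. `verdicts` maps engine name -> detection name (None = clean).

    Rule of thumb from the thread: a named family from any engine deserves real
    investigation; a minority of engines reporting only generic/heuristic names
    on a file that has been in circulation for a while is most likely a false
    positive; a broad heuristic consensus still warrants a closer look.
    """
    flagged = {eng: name for eng, name in verdicts.items() if name}
    named = {eng: name for eng, name in flagged.items() if not is_heuristic(name)}
    heuristic = {eng: name for eng, name in flagged.items() if eng not in named}
    ratio = len(flagged) / len(verdicts) if verdicts else 0.0

    if not flagged:
        label = "clean"
    elif named:
        label = "named-family detection: treat as real until the vendor says otherwise"
    elif ratio < 0.25:
        label = "likely false positive: only generic/heuristic hits from a minority of engines"
    else:
        label = "heuristic consensus: investigate (sandbox run, submit to vendors)"

    return {
        "engines": len(verdicts),
        "flagged": len(flagged),
        "named": sorted(named),
        "heuristic": sorted(heuristic),
        "ratio": round(ratio, 2),
        "label": label,
    }


def file_hashes(data: bytes) -> dict[str, str]:
    """MD5/SHA-1/SHA-256 of the file contents, for lookups and vendor submissions."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def totalhash_url(data: bytes) -> str:
    """Build a totalhash-style analysis URL for a file.

    Assumption: the 40-hex-digit key in the URL quoted in the thread is a SHA-1
    digest, so the service is keyed on SHA-1.
    """
    return "http://totalhash.com/analysis/" + file_hashes(data)["sha1"]


# Constructed verdict table mirroring the situation in the thread: two engines
# raise generic/heuristic names, the rest (including the two vendors the thread
# says called it clean) report nothing. Engine names are placeholders.
SAMPLE_VERDICTS: dict[str, str | None] = {
    "Symantec": "Suspicious.MH690",
    "UserAV": "Trojan.GenericKD.2079676",
    "Microsoft": None,
    "Malwarebytes": None,
    "EngineE": None,
    "EngineF": None,
    "EngineG": None,
    "EngineH": None,
    "EngineI": None,
    "EngineJ": None,
}

# Constructed contrast case: one engine names a family, which changes the call.
NAMED_VERDICTS: dict[str, str | None] = dict(SAMPLE_VERDICTS, EngineE="Win32.ExampleFamily.A")

if __name__ == "__main__":
    sample_file = b"constructed placeholder bytes standing in for WideFS Closer.exe"
    print(file_hashes(sample_file))
    print(totalhash_url(sample_file))
    print(triage(SAMPLE_VERDICTS))
    print(triage(NAMED_VERDICTS))
```

For a real file, replace the placeholder bytes with the file contents read in binary mode and paste the real engine verdicts into the table; the hash output is also what you send to a vendor when reporting a suspected false positive, so they can match the exact sample.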
