Trojan.Dropper.Win32.VB.Bag


24 replies to this topic

#1 komsboy_more

    Member

  • Members
  • 12 posts

Posted 02 July 2008 - 04:12 PM

Hi guys...
Today, when I tried to update my AutoPatcher and went to its folder, I was alerted by KIS 9 that the file "uz.exe" is a Trojan Dropper.
I deleted my AutoPatcher to be sure that my files were not infected by my system. When I was downloading, KIS 9 alerted that the AutoPatcher server is infected too.
It means that the files are infected originally.
:(
Does anybody know anything?
Sorry for my English, it's not good.

Edited by komsboy_more, 03 July 2008 - 12:20 PM.


#2 Guest_mrespman_*

  • Guests

Posted 03 July 2008 - 10:51 PM

Yep, me too. The newest version of AVG also says that "uz.exe" is a Trojan.Dropper.

#3 M2Ys4U

    Supporting AP since 2005

  • Members
  • 144 posts
  • Gender:Male
  • Location:England

Posted 04 July 2008 - 12:23 AM

False positive. uz.exe is a tool for unzipping files.

#4 komsboy_more

    Member

  • Members
  • 12 posts

Posted 04 July 2008 - 06:38 AM

M2Ys4U, on Jul 4 2008, 04:53 AM, said:

False positive. uz.exe is a tool for unzipping files.

So what do we do? We can't work with AutoPatcher :mellow:

#5 Erik Ramey

    AutoPatcher Elite

  • Veterans
  • 766 posts
  • Gender:Male
  • Location:Washington State

Posted 04 July 2008 - 07:37 AM

Until the false positive is corrected by AVG, you will have to disable your firewall when running APUP to update AutoPatcher. I've created a case with them to have this looked into.

#6 submix8c

    Newbie

  • Members
  • 4 posts

Posted 04 July 2008 - 07:23 PM

Erik Ramey, on Jul 4 2008, 03:37 AM, said:

Until the false positive is corrected by AVG, you will have to disable your firewall when running APUP to update AutoPatcher. I've created a case with them to have this looked into.

Nuh-uh... Either temporarily disable whatever AV software is detecting this (don't disable the firewall part, only the AV part) or set an "exclusion" for "uz.exe" or the whole folder where you are running. This is a known problem for many "home-grown" legitimate programs in many AntiVirus products.

The only other solution would be to recode "uz.exe" so that the signature isn't present. A-V vendors are notorious for ignoring this kind of plea since it would open the door for real viruses. :angry:

(no offense, Erik, just making a minor correction to your statement ;) )

Edited by submix8c, 04 July 2008 - 07:24 PM.


#7 Erik Ramey

    AutoPatcher Elite

  • Veterans
  • 766 posts
  • Gender:Male
  • Location:Washington State

Posted 04 July 2008 - 10:57 PM

We didn't develop uz.exe. This is a small program that was developed by PC Magazine back in the 90's. It's pretty nice since it does the trick and it's so small.

It might be a while but I'll see what we can do.

#8 Rudy

    Advanced Member

  • Members
  • 79 posts
  • Gender:Male
  • Location:Melbourne

Posted 05 July 2008 - 04:01 AM

Erik Ramey, on Jul 5 2008, 09:57 AM, said:

We didn't develop uz.exe. This is a small program that was developed by PC Magazine back in the 90's. It's pretty nice since it does the trick and it's so small.

It might be a while but I'll see what we can do.

Erik, same false positive with the latest Zonealarm update - it started yesterday.

#9 komsboy_more

    Member

  • Members
  • 12 posts

Posted 05 July 2008 - 05:35 AM

Hey guys... I don't know why this problem occurred, but I think that many antiviruses in a small period of time don't do false positives... I don't know :blink:

I resolved this problem temporarily by disabling Files and Memory scanning in KIS 2009 when I want to use APUP or AutoPatcher.

Edited by komsboy_more, 05 July 2008 - 05:38 AM.


#10 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 05 July 2008 - 06:40 AM

This appears to be the same as THIS TOPIC

#11 komsboy_more

    Member

  • Members
  • 12 posts

Posted 05 July 2008 - 07:09 AM

This is the last report by Virus Portal : http://www.virustotal.com/analisis/5abefe0...a09c74b9b2c233e
PDF Version : http://komsboymore.persiangig.ir/www.virus...a09c74b9b2c.pdf

#12 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 05 July 2008 - 07:55 AM

komsboy_more, on Jul 5 2008, 08:09 AM, said:

This is the last report by Virus Portal : http://www.virustotal.com/analisis/5abefe0...a09c74b9b2c233e

At first sight, this does not look good, but remember:
1. uz.exe itself is a simple unzip program. Bad people use it as well as good people. I know of a virus in October 2003 that used uz.exe and MSN Messenger to spread itself;
2. When a file is sent to virustotal.com, they send it to the anti-virus vendors as well;
3. uz.exe has not changed. It is not newly infected. The MD5 hash shown on the virustotal.com analysis page is the same as always (MD5 = 10776112cc253545a40462f6b1309e87).
4. Erik Ramey (see above) has opened a case with AVG for a false positive. I have opened a case with F-Secure for a false positive. We will have to wait and see.

--
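
The check behind point 3 of the post above, as an added example that is not part of the original thread or of AutoPatcher: it compares a folder against a recorded known-good hash to tell "the file changed" apart from "the detection changed". The MD5 is the one quoted in the thread; the function names, the baseline layout and the folder argument are assumptions.

```python
import hashlib
from pathlib import Path

# MD5 quoted in the thread for the shipped uz.exe. The dict layout and the
# function names below are assumptions made for this example.
KNOWN_GOOD_MD5 = {"uz.exe": "10776112cc253545a40462f6b1309e87"}


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def triage(folder, baseline=KNOWN_GOOD_MD5):
    """Compare files in `folder` with the baseline.

    Returns {name: (status, sha256)} where status is one of:
      'unchanged' - bytes match the baseline, so a new AV alert comes from a
                    definition update, not from a change to the file
      'modified'  - bytes differ from the baseline: treat as suspect
      'missing'   - file not present (for example, already quarantined)
    """
    # Windows file names are case-insensitive, so index them lowercased.
    present = {p.name.lower(): p for p in Path(folder).iterdir() if p.is_file()}
    report = {}
    for name, expected_md5 in baseline.items():
        path = present.get(name.lower())
        if path is None:
            report[name] = ("missing", None)
            continue
        md5, sha256 = file_digests(path)
        # MD5 is not collision resistant; keep the SHA-256 of a confirmed-good
        # copy so later baselines can pin the stronger digest.
        status = "unchanged" if md5 == expected_md5.lower() else "modified"
        report[name] = (status, sha256)
    return report


if __name__ == "__main__":
    for name, (status, sha256) in triage(".").items():
        print(f"{name}: {status} sha256={sha256}")
```

An "unchanged" result shows only that the file is the same one that shipped before; whether that file is clean still rests on vendor analysis of the sample.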

#13 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 05 July 2008 - 08:03 AM

Erik Ramey, on Jul 4 2008, 11:57 PM, said:

This is a small program that was developed by PC Magazine back in the 90's.

In early 1994 actually - I remember it. (That dates me!!!) I was never convinced that they had written the unzip engine code themselves.

Why don't we use Info-Zip's UnZip instead? (Which is, I suspect, the source of the unzip engine). That will also solve the "folder spaces" bug.

--

#14 komsboy_more

    Member

  • Members
  • 12 posts

Posted 05 July 2008 - 08:10 AM

Thx James for following the topic... I hope that this problem is resolved soon by the security companies :rolleyes:

#15 palisade

    Member

  • Members
  • 11 posts

Posted 05 July 2008 - 10:50 AM

The #1 antivirus, AntiVir, also detects uz.exe that comes with AutoPatcher as TR/Drop.VB.bag. Just thought I'd give you a heads up that it's not just crap antivirus like AVG detecting this.

#16 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 06 July 2008 - 06:46 AM

Well, without getting into a flame war about the best (or worst) AV, I'll just point out that the OP has Kaspersky, not AVG.

Meanwhile, none of the AV vendors have come up with improved/newer updates (but they are always slow on a Saturday & Sunday), so I repeat what I said earlier:

Quote

3. uz.exe has not changed. It is not newly infected. The MD5 hash shown on the virustotal.com analysis page is the same as always (MD5 = 10776112cc253545a40462f6b1309e87).

--

Edited by James, 06 July 2008 - 06:47 AM.


#17 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 07 July 2008 - 09:23 AM

GOOD NEWS!

I now have confirmation that apup.zip and uz.exe are not infected. F-Secure have responded to my case:

Quote

Thank you for your e-mail.
The file you submitted is indeed clean. A database update will be released to resolve this issue.

In addition, they say:

Quote

We apologize for any inconveniences that this may have brought you.

I can now confirm that, with the latest update, released this morning, F-Secure no longer detects Trojan-Dropper.Win32.VB.bag in apup.zip nor in uz.exe.
Make sure that you have update 2008-07-07_01 (or later).

Because of the close links between F-Secure and Kaspersky, I expect Kaspersky will soon correct their detection as well.

--

#18 komsboy_more

    Member

  • Members
  • 12 posts

Posted 07 July 2008 - 01:43 PM

Kaspersky Internet Security 9 resolved this issue, and with the new database it doesn't detect uz.exe as a Trojan Dropper :D
I think this topic is finished.

#19 Erik Ramey

    AutoPatcher Elite

  • Veterans
  • 766 posts
  • Gender:Male
  • Location:Washington State

Posted 07 July 2008 - 04:58 PM

Looks like we are back in business. My case with Kaspersky was also resolved last night, when they updated their detection routine. Just as mentioned above, please update your virus definitions to the latest database in order to use APUP.exe.

#20 froof

    Newbie

  • Members
  • 2 posts

Posted 17 July 2008 - 07:27 AM

CounterSpy is now also listing as a Trojan...

I have emailed the false positive to supp@cs

    CS 2.5.1043 def version 844
    Name - Trojan-Dropper.VB.Bag
    Type - Trojan Downloader
    Level - High

rgds,

froof