Trojan.Dropper.Win32.VB.Bag
komsboy_more
02 Jul 2008
Hi guys...
Today, when I tried to update my AutoPatcher... when I went to its folder I was alerted by KIS 9 that the file "uz.exe" is a Trojan Dropper...
I deleted my AutoPatcher to be sure that my files are not infected by my system... when I was downloading, KIS 9 alerted that the AutoPatcher server is infected too...
It means that the files are infected originally.
Does anybody know anything?
Sorry for my English... it's not good.
Edited by komsboy_more, 03 July 2008 - 12:20 PM.
Guest_mrespman_* 03 Jul 2008
Yep, me too. The newest version of AVG also says that "uz.exe" is a Trojan.Dropper.
komsboy_more
04 Jul 2008
Erik Ramey
04 Jul 2008
Until the false positive is corrected by AVG, you will have to disable your firewall when running APUP to update AutoPatcher. I've created a case with them to have this looked into.
submix8c
04 Jul 2008
Erik Ramey, on Jul 4 2008, 03:37 AM, said:
Until the false positive is corrected by AVG, you will have to disable your firewall when running APUP to update AutoPatcher. I've created a case with them to have this looked into.
The only other solution would be to recode "uz.exe" so that the signature isn't present. A-V vendors are notorious for ignoring this kind of plea since it would open the door for real viruses.
(no offense, Erik, just making a minor correction to your statement)
Edited by submix8c, 04 July 2008 - 07:24 PM.
Erik Ramey
04 Jul 2008
We didn't develop uz.exe. This is a small program that was developed by PC Magazine back in the 90's. It's pretty nice since it does the trick and it's so small.
It might be a while but I'll see what we can do.
Rudy
05 Jul 2008
Erik Ramey, on Jul 5 2008, 09:57 AM, said:
We didn't develop uz.exe. This is a small program that was developed by PC Magazine back in the 90's. It's pretty nice since it does the trick and it's so small.
It might be a while but I'll see what we can do.
Erik, same false positive with the latest Zonealarm update - it started yesterday.
komsboy_more
05 Jul 2008
Hey guys... I don't know why this problem occurred, but I think that many antiviruses in a small period of time don't do false positives... I don't know.
I resolved this problem temporarily by disabling Files and Memory scanning in KIS 2009 when I want to use APUP or AutoPatcher.
Edited by komsboy_more, 05 July 2008 - 05:38 AM.
komsboy_more
05 Jul 2008
This is the last report by Virus Portal : http://www.virustotal.com/analisis/5abefe0...a09c74b9b2c233e
PDF Version : http://komsboymore.persiangig.ir/www.virus...a09c74b9b2c.pdf
James
05 Jul 2008
komsboy_more, on Jul 5 2008, 08:09 AM, said:
This is the last report by Virus Portal : http://www.virustotal.com/analisis/5abefe0...a09c74b9b2c233e
At first sight, this does not look good, but remember:
1. uz.exe itself is a simple unzip program. Bad people use it as well as good people. I know of a virus in October 2003 that used uz.exe and MSN Messenger to spread itself;
2. When a file is sent to virustotal.com, they send it to the anti-virus vendors as well;
3. uz.exe has not changed. It is not newly infected. The MD5 hash shown on the virustotal.com analysis page is the same as always (MD5 = 10776112cc253545a40462f6b1309e87).
4. Erik Ramey (see above) has opened a case with AVG for a false positive. I have opened a case with F-Secure for a false positive. We will have to wait and see.
--
James
05 Jul 2008
Erik Ramey, on Jul 4 2008, 11:57 PM, said:
This is a small program that was developed by PC Magazine back in the 90's.
In early 1994 actually - I remember it. (That dates me!!!) I was never convinced that they had written the unzip engine code themselves.
Why don't we use Info-Zip's UnZip instead? (Which is, I suspect, the source of the unzip engine). That will also solve the "folder spaces" bug.
--
komsboy_more
05 Jul 2008
Thx James for following the topic... I hope that this problem is resolved soon by the security companies.
palisade
05 Jul 2008
The #1 antivirus, AntiVir, also detects uz.exe that comes with AutoPatcher as TR/Drop.VB.bag. Just thought I'd give you a heads up that it's not just crap antivirus like AVG detecting this.
James
06 Jul 2008
Well, without getting into a flame war about the best (or worst) AV, I'll just point out that the OP has Kaspersky, not AVG.
Meanwhile, none of the AV vendors have come up with improved/newer updates, (but they are always slow on a Saturday & Sunday) so I repeat what I said earlier:
Quote
3. uz.exe has not changed. It is not newly infected. The MD5 hash shown on the virustotal.com analysis page is the same as always (MD5 = 10776112cc253545a40462f6b1309e87).
--
Edited by James, 06 July 2008 - 06:47 AM.
James
07 Jul 2008
GOOD NEWS!
I now have confirmation that apup.zip and uz.exe are not infected. F-Secure have responded to my case:
Quote
Thank you for your e-mail.
The file you submitted is indeed clean. A database update will be released to resolve this issue.
In addition, they say:
Quote
We apologize for any inconveniences that this may have brought you.
I can now confirm that, with the latest update, released this morning, F-Secure no longer detects Trojan-Dropper.Win32.VB.bag in apup.zip nor in uz.exe.
Make sure that you have update 2008-07-07_01 (or later)
Because of the close links between F-Secure and Kaspersky, I expect Kaspersky will soon correct their detection as well.
--
komsboy_more
07 Jul 2008
Kaspersky Internet Security 9 resolved this issue, and with the new database it doesn't detect uz.exe as a Trojan Dropper.
I think this topic is finished.
Erik Ramey
07 Jul 2008
Looks like we are back in business. My case with Kaspersky was also resolved last night, when they updated their detection routine. Just as mentioned above, please update your virus definitions to the latest database in order to use APUP.exe.
froof
17 Jul 2008
CounterSpy is now also listing as a Trojan...
I have emailed the false positive to supp@cs
CS 2.5.1043 def version 844
Name - Trojan-Dropper.VB.Bag
Type - Trojan Downloader
Level - High
rgds,
froof


