

uz.exe detected as trojan by Kaspersky


8 replies to this topic

#1 Tallman

    Newbie

  • Members
  • 3 posts

Posted 05 July 2008 - 05:12 AM

A few days ago I downloaded AutoPatcher and ran the updater to download updates for Windows XP, Office XP, Office 2003 and Office 2007. Tonight I scanned my computer with Kaspersky 7.0. Kaspersky identified the following 11 files as "Infected: Trojan program Trojan-Dropper.Win32.VB.bag":

d:\system volume information\_restore{c93052a1-5220-4ae1-b383-a045cab1e828}\rp505\a0079902.exe 72KB
d:\computer backups\updates\downloaded\other\autopatcher\apup.zip 705.8 KB
D:\System Volume Information\_restore{C93052A1-5220-4AE1-B383-A045CAB1E828}\RP506\A0080195.exe 72 KB
d:\computer backups\updates\downloaded\other\autopatcher\office 2003\apup_bin\uz.exe 72 KB
d:\computer backups\updates\downloaded\other\autopatcher\office 2007\apup_bin\uz.exe 72 KB
d:\system volume information\_restore{c93052a1-5220-4ae1-b383-a045cab1e828}\rp505\a0079894.exe 72 KB
D:\System Volume Information\_restore{C93052A1-5220-4AE1-B383-A045CAB1E828}\RP506\A0080475.exe 72 KB
D:\System Volume Information\_restore{C93052A1-5220-4AE1-B383-A045CAB1E828}\RP506\A0080277.exe 72 KB
d:\computer backups\updates\downloaded\other\autopatcher\office xp\apup_bin\uz.exe 72 KB
D:\System Volume Information\_restore{C93052A1-5220-4AE1-B383-A045CAB1E828}\RP506\A0080268.exe 72 KB
d:\computerbackups\updates\downloaded\other\autopatcher\windows xp\apup_bin\uz.exe 72 KB

I am thinking this is a false positive on Kaspersky's part as far as the AutoPatcher files are concerned. But what about the System Volume Information files, are they part of AutoPatcher as well?

Does anyone have any information or thoughts on this?

#2 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 05 July 2008 - 06:36 AM

Tallman, on Jul 5 2008, 06:12 AM, said:

I am thinking this is a false positive on Kaspersky's part as far as the AutoPatcher files are concerned.

I think this is a false positive too. The apup.zip file (and the uz.exe file it contains) are unchanged on the autopatcher.com server since the file was uploaded on 23 March 2008. I have downloaded a fresh copy today to check and it still gives the same MD5 hash as before (MD5 Hash = 3E2FA4B4C99CCE5CF04B149523E84AF2).

AutoPatcher has had false positives before as you can see in THIS TOPIC.

Tallman, on Jul 5 2008, 06:12 AM, said:

But what about the System Volume Information files, are they part of AutoPatcher as well?

The "System Volume Information files" are all part of a Restore Point. They look like copies of uz.exe, but I can only guess without direct access to your computer.
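
The two checks in the post above (re-hashing a fresh download against a recorded MD5, and testing whether the flagged restore-point files really are copies of uz.exe) can both be done by hashing. This is an added example, not part of the original thread or of AutoPatcher; the sample bytes and paths are constructed, and in practice the reference value would be the MD5 quoted in the post.

```python
import hashlib
import io
import zipfile


def digests(data: bytes) -> dict:
    """MD5 (the hash quoted in the thread) plus SHA-256 for a collision-resistant check."""
    return {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


def check_archive(zip_bytes: bytes, member: str, reference_md5: str) -> dict:
    """Hash the archive and one member, read from memory so nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member_bytes = zf.read(member)
    archive = digests(zip_bytes)
    return {"archive": archive,
            "member": digests(member_bytes),
            "matches_reference": archive["md5"] == reference_md5.strip().upper()}


def group_flagged(flagged: dict, known_sha256: str) -> dict:
    """Separate flagged files that are byte-identical to the known binary from the rest."""
    groups = {"identical": [], "different": []}
    for path, data in sorted(flagged.items()):
        same = digests(data)["sha256"] == known_sha256
        groups["identical" if same else "different"].append(path)
    return groups


def build_sample():
    """Constructed stand-ins: a tiny zip with one member and three 'flagged' files."""
    payload = b"constructed placeholder bytes, not the real uz.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("uz.exe", date_time=(2008, 3, 23, 0, 0, 0)), payload)
    flagged = {
        r"restore\RP_A\A0000001.exe": payload,             # copy made by System Restore
        r"autopatcher\apup_bin\uz.exe": payload,           # extracted by the updater
        r"restore\RP_A\A0000002.exe": payload + b"\x00",  # one byte longer: not a copy
    }
    return buf.getvalue(), flagged


if __name__ == "__main__":
    zip_bytes, flagged = build_sample()
    reference = digests(zip_bytes)["md5"]  # in practice: the previously recorded hash
    report = check_archive(zip_bytes, "uz.exe", reference)
    print("archive matches reference:", report["matches_reference"])
    print(group_flagged(flagged, report["member"]["sha256"]))
```

A matching hash shows the download is the same file that was recorded earlier, not that the file is clean; any flagged file that lands in the "different" group is not a copy of the known binary and needs its own look.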

#3 Guest_dabber_*

  • Guests

Posted 05 July 2008 - 09:12 PM

Also in my opinion there is something wrong with uz.exe.
I wasn't able to extract uz.exe from apup.zip because of the virus: Trojan-Dropper.Win32.VB.bag

After ignoring this message and bypassing the virus scanner I got some problems.
Each time I only try to access this file my computer resets.
My AutoPatcher is not working right now. Is it possible to place a new apup.zip?


Tallman, on Jul 5 2008, 07:12 AM, said:

A few days ago I downloaded AutoPatcher and ran the updater to download updates for Windows XP, Office XP, Office 2003 and Office 2007. Tonight I scanned my computer with Kaspersky 7.0. Kaspersky identified the following 11 files as "Infected: Trojan program Trojan-Dropper.Win32.VB.bag"

Does anyone have any information or thoughts on this?


#4 Tallman

    Newbie

  • Members
  • 3 posts

Posted 05 July 2008 - 11:43 PM

James, on Jul 4 2008, 10:36 PM, said:

I think this is a false positive too. The apup.zip file (and the uz.exe file it contains) are unchanged on the autopatcher.com server since the file was uploaded on 23 March 2008. I have downloaded a fresh copy today to check and it still gives the same MD5 hash as before (MD5 Hash = 3E2FA4B4C99CCE5CF04B149523E84AF2)

AutoPatcher has had false positives before as you can see in THIS TOPIC.

I submitted the file to Virus Total and it appears that there are a few other AVs that flag uz.exe as a virus. Most AVs, however, pass over it. I am currently in communication with the folks at the Kaspersky Labs forum but have not gotten any definitive answer on this issue yet.

#5 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 06 July 2008 - 06:19 AM

Tallman, on Jul 5 2008, 11:43 PM, said:

I am currently in communication with the folks at the Kaspersky Labs forum but have not gotten any definitive answer on this issue yet.

Thanks for taking this to Kaspersky - so far they have released NO details of what Trojan-Dropper.Win32.VB.bag is supposed to be. It is NOT listed in any virus database I have looked at. All very unsatisfactory.

--

#6 freeloader

    Member

  • Members
  • 33 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2008 - 09:36 AM

Also looks like AVG Antivirus is detecting it as a " Trojan horse dropper.Generic.ZLV "
Think this might also be a false/positive response?

#7 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 06 July 2008 - 08:29 PM

freeloader, on Jul 6 2008, 09:36 AM, said:

Also looks like AVG Antivirus is detecting it as a " Trojan horse dropper.Generic.ZLV "
Think this might also be a false/positive response?

This question has already been answered.

Please read THIS TOPIC.

--

#8 Tallman

    Newbie

  • Members
  • 3 posts

Posted 08 July 2008 - 02:38 AM

James, on Jul 5 2008, 10:19 PM, said:

Thanks for taking this to Kaspersky - so far they have released NO details of what Trojan-Dropper.Win32.VB.bag is supposed to be. It is NOT listed in any virus database I have looked at. All very unsatisfactory.

--

I have not heard anything from Kaspersky myself, but as is stated in the related thread, after applying the latest updates from Kaspersky, uz.exe is no longer being flagged as Trojan-Dropper.Win32.VB.bag. :)

#9 James

    Advanced Member

  • Veterans
  • 1,212 posts
  • Gender:Male
  • Location:UK

Posted 08 July 2008 - 10:12 AM

Thanks Tallman for the feedback. I did follow your thread over at the Kaspersky forums.

As posted in THIS TOPIC it looks like this subject is now finished.

Final advice to everyone:
If you have F-Secure or Kaspersky just update your AV with the current definitions.

Anything else - keep trying until your AV supplier updates their definitions.
If there is still a false alarm, just exclude apup.zip and uz.exe from being scanned.

--




