Worm in download?

pbb · 2008-11-04, 08:25 PM

I just tried to download the zip file for BurnDVDX2. AVG said there was a worm in the download. Has anyone else seen this?

pbb · 2008-11-04, 09:06 PM

When I did the install, AVG narrowed the problem down to an example for dvd shrink.

pBS · 2008-11-04, 09:25 PM

AVG has lots of false positives...so i'm not surprised.. i would try scanning it with another couple of antiviruses to be sure, tho it's most likely a false positive from AVG because of compression methods..[it flags things that look even *close* to viruses without being sure]

martint123 · 2008-11-04, 10:27 PM

Upload the suspect file to http://virusscan.jotti.org/ and see what it reports.

It uses multiple scan engines and I've found it fairly useful and have junked AVG becaus eof all its false positives.

JavaWiz · 2008-11-05, 12:26 AM

I downloaded BurndDVDX2 and also triggered a virus detection with Avast: Win32:Trojan-gen {Other}.

pBS · 2008-11-05, 12:43 AM

example for dvd shrink? been a while, i wonder if it's an autoit script? [they often gave same error if certain autoit ver used] tho it's been fixed in newer versions..
what kind of file is it in? [name]

JavaWiz · 2008-11-05, 12:48 AM

From Avast Log:

Code:
11/4/2008 1:32:46 PM SYSTEM 1496 Sign of "Win32:Trojan-gen {Other}" has been found in "[URL]http://gbpvr.com/pmwiki/pmwiki.php/Plugin/BurnDVDX2?action=downloadman&upname=BurnDVDX2.zip\BurnDVDX2Install.exe\$INSTDIR\third[/URL] party\burndvd\cmddvdshrink100.exe" file.

pastro · 2008-11-05, 05:52 AM

JavaWiz Wrote:From Avast Log:

Code:
11/4/2008 1:32:46 PM SYSTEM 1496 Sign of "Win32:Trojan-gen {Other}" has been found in "[url=http://gbpvr.com/pmwiki/pmwiki.php/Plugin/BurnDVDX2?action=downloadman&upname=BurnDVDX2.zip%5CBurnDVDX2Install.exe%5C$INSTDIR%5Cthird]http://gbpvr.com/pmwiki/pmwiki.php/Plugin/BurnDVDX2?action=downloadman&upname=BurnDVDX2.zip\BurnDVDX2Install.exe\$INSTDIR\third[/url] party\burndvd\cmddvdshrink100.exe" file.

That's an autohotkey file that get's detected by AVS as a worm. It is a false positive.

JavaWiz · 2008-11-05, 06:42 AM

pastro Wrote:That's an autohotkey file that get's detected by AVS as a worm. It is a false positive.

Good to know. Should that be noted in the Wiki somewhere around the download link?

pBS · 2008-11-05, 08:58 PM

ahh.those are same as autoit problem..in fact, i think that was made based on autoit..
it's mostly the upx compression, and it actually IS a problem, because the compression in question allows other trojans to be hidden inside as well, so while it may appear to be a false positive, it doesn't mean there isn't any danger in running it...so not truly a false positive... Sad

[false positives have been used to get you to let your guard down, so they can get in]

i would seriously look into replacing/rebuilding that file if possible...if you don't have the source then you really don't know what's in it...so the alerts could be warranted..

all that file really is is a autoit style macro to control the dvdshrink window automatically...
not that hard to reproduce from scratch....probably only needs updating, if it's decompilable..

****is that file even necessary?***