Auto download reports DR/Genome.kht dropper?

Terry Pinnell

I have a video editing program called VideoRedoPlus, version: 2.5.6.512.
Recently I must have accepted an invitation to download an updated version
(and forgotten about installing it). Or possibly it was downloaded
automatically last night. Anyway, my overnight scan by AntiVir (Free) has
reported:
"VideoRedoPlus-2-1-1-413.exe contains...DR/Genome.kht dropper"

I've allowed it to send to quarantine. Can anyone tell me any more about this
please?
 
Terry Pinnell

I now see from its name that the file seems to be an OLDER version. So I'm
assuming it's been sitting in my downloads folder for ages. In which case I
don't understand why AntiVir should report this only now.
 
David H. Lipman

From: "Terry Pinnell" <[email protected]>

| I now see from its name that the file seems to be an OLDER version. So I'm
| assuming it's been sitting in my downloads folder for ages. In which case I
| don't understand why AntiVir should report this only now.

| --
| Terry, East Grinstead, UK

Have you sent the file(s) to Virus Total to cross-check it ?
 
Terry Pinnell

David H. Lipman said:
From: "Terry Pinnell" <[email protected]>

| I now see from its name that the file seems to be an OLDER version. So I'm
| assuming it's been sitting in my downloads folder for ages. In which case I
| don't understand why AntiVir should report this only now.

| --
| Terry, East Grinstead, UK

Have you sent the file(s) to Virus Total to cross-check it ?

No, but I will do so now (when I've found out the URL). Presumably that means
I have to restore it from quarantine first? Does that expose me to any risk?
 
David H. Lipman

From: "Terry Pinnell" <[email protected]>


| No, but I will do so now (when I've found out the URL). Presumably that means
| I have to restore it from quarantine first? Does that expose me to any risk?

Yes. If it is restored from the Quarantine back to its original location, it will become
"active" again if you reboot the PC and the PC reloads the file.

If you move the file to quarantine and reboot the PC and then restore the file it will NOT
be a risk until you reboot the PC again.
 
FromTheRafters

Terry Pinnell said:
I have a video editing program called VideoRedoPlus, version: 2.5.6.512.
Recently I must have accepted an invitation to download an updated version
(and forgotten about installing it). Or possibly it was downloaded
automatically last night. Anyway, my overnight scan by AntiVir (Free) has
reported:
"VideoRedoPlus-2-1-1-413.exe contains...DR/Genome.kht dropper"

I've allowed it to send to quarantine. Can anyone tell me any more about this
please?

All antivirus programs will occasionally give you a false positive
declaration (FP). The best thing to do is to submit the suspect file to
virustotal.com and/or jotti.org where they can be checked by multiple
(various) scanners. If it is new malware, this is a good way to increase
awareness - the vendors supplying their scanners to the scanning service
get copies of the new malware to give to their researchers. If it is an
FP, likewise the vendor whose scan engine FPs will get the chance to
remedy the situation.

Unfortunately, new malware will sometimes have similar results to FP
detections - but usually, in my experience, a low number of detections
from these services is indicative of an FP.
 
Terry Pinnell

FromTheRafters said:
All antivirus programs will occasionally give you a false positive
declaration (FP). The best thing to do is to submit the suspect file to
virustotal.com and/or jotti.org where they can be checked by multiple
(various) scanners. If it is new malware, this is a good way to increase
awareness - the vendors supplying their scanners to the scanning service
get copies of the new malware to give to their researchers. If it is an
FP, likewise the vendor whose scan engine FPs will get the chance to
remedy the situation.

Unfortunately, new malware will sometimes have similar results to FP
detections - but usually, in my experience, a low number of detections
from these services is indicative of an FP.

Thanks, appreciate your help.

This is the first time I've used either of those online tools. But their
results seem inconsistent.

Jotti's malware scan gave these results:
http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d126939e6187de07f83ed302
This appears to use bang up to date detection files and confirm that Avira is
one of 7 (out of 20) that reports this file as having the trojan or whatever
it is.

VirusTotal's results are here:
http://www.virustotal.com/analisis/...dca800c704495e9fc4cff5999d6cb3cfa7-1239602812
This has 'Last Update' dates from April of 2009! But it shows that 7 of 39
results (NOT including Avira!) show the trojan.

What conclusions should I draw please?
 
Terry Pinnell

David H. Lipman said:
From: "Terry Pinnell" <[email protected]>



| No, but I will do so now (when I've found out the URL). Presumably that means
| I have to restore it from quarantine first? Does that expose me to any risk?

Yes. If it is restored from the Quarantine back to its original location, it will become
"active" again if you reboot the PC and the PC reloads the file.

If you move the file to quarantine and reboot the PC and then restore the file it will NOT
be a risk until you reboot the PC again.

OK, thanks, duly submitted. But please see my reply to FromTheRafters about
how to interpret the results. Have you used Virus Total yourself recently?
Isn't it way out of date?

Not surprisingly, Antivir didn't like me sending the file to these two
services! I've now quarantined it again.
 
David H. Lipman

From: "Terry Pinnell" <[email protected]>



| Thanks, appreciate your help.

| This is the first time I've used either of those online tools. But their
| results seem inconsistent.

| Jotti's malware scan gave these results:
| http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d126939e6187de07f83ed302
| This appears to use bang up to date detection files and confirm that Avira is
| one of 7 (out of 20) that reports this file as having the trojan or whatever
| it is.

| VirusTotal's results are here:
| http://www.virustotal.com/analisis/c54ea930b7cd8f7d3b1251378242ecdca800c704495e9fc4cff5999d6cb3cfa7-1239602812
| This has 'Last Update' dates from April of 2009! But it shows that 7 of 39
| results (NOT including Avira!) show the trojan.

| What conclusions should I draw please?


That it is a Genome trojan and that was determined in April '09 and you should have told
Virus Total to re-examine the file so we see the results produced 9 months later.
 
FromTheRafters

Terry Pinnell said:
Thanks, appreciate your help.

This is the first time I've used either of those online tools. But their
results seem inconsistent.

Jotti's malware scan gave these results:
http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d126939e6187de07f83ed302
This appears to use bang up to date detection files and confirm that Avira is
one of 7 (out of 20) that reports this file as having the trojan or whatever
it is.

VirusTotal's results are here:
http://www.virustotal.com/analisis/...dca800c704495e9fc4cff5999d6cb3cfa7-1239602812
This has 'Last Update' dates from April of 2009! But it shows that 7 of 39
results (NOT including Avira!) show the trojan.

What conclusions should I draw please?

I can only say what conclusions *I* would draw.

Do you *need* this file? When in doubt, throw it out (or put it in
quarantine, check it later to see if it still FPs - if indeed that is
what it is doing).

By the numbers alone, it smells like an FP, but I am concerned about the
specificity of the detections and it seems the better scanners (IMO) are
the ones detecting it.

Have you tried contacting the maker of the editing software? If this is
a FP I'm sure their helpdesk phones would light up.
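An added example, not code from any poster in this thread nor from Jotti or VirusTotal, tying together two points made above: David's remark that the VirusTotal permalink carried a result from April 2009 and needed re-running, and FromTheRafters' reasoning that a low detection count across many engines leans toward a false positive without proving one. It parses the two permalinks posted in the thread, identifies each hash by its length, decodes the trailing Unix timestamp on the VirusTotal link (the assumption being that the permalink format of that era appended the report time), computes the same hashes for a local file without executing it, and turns a detections/total count into the kind of tentative verdict the thread argues over. The ratio thresholds are illustrative, not any vendor's policy, and the "today" and sample bytes are constructed.

```python
"""Scan-result triage helper, added as an example for this thread (not code
from any poster, Jotti, or VirusTotal).  Assumptions: the scan permalinks end
in the sample's hash, and the VirusTotal permalink of that era appended a Unix
timestamp recording when the report was generated."""
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hex-digest length tells the algorithm apart without any other metadata.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# The two permalinks posted in the thread (the full VirusTotal one).
JOTTI_URL = ("http://virusscan.jotti.org/en-gb/scanresult/"
             "b5da81593cf9b0e3d126939e6187de07f83ed302")
VT_URL = ("http://www.virustotal.com/analisis/"
          "c54ea930b7cd8f7d3b1251378242ecdca800c704495e9fc4cff5999d6cb3cfa7-1239602812")


def parse_scan_url(url):
    """Return (algorithm, hex digest, report time in UTC or None)."""
    last = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"([0-9a-fA-F]+)(?:-(\d{9,10}))?", last)
    if m is None:
        raise ValueError("no hash in %r" % url)
    digest, epoch = m.group(1).lower(), m.group(2)
    algo = HASH_ALGO_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc) if epoch else None
    return algo, digest, when


def file_hashes(data):
    """MD5/SHA-1/SHA-256 of the sample bytes.  Hashing only reads the file and
    never executes it, so a quarantined copy can be identified and looked up
    by hash without being restored to its original location."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def triage(detections, total, report_time=None, now=None, stale_after_days=30):
    """Summarise a multi-engine result the way the thread argues about it.
    Few detections out of many engines leans toward a false positive, but
    fresh malware produces the same picture, so the verdict stays tentative;
    a report older than stale_after_days must be re-run before it counts.
    The ratio thresholds are illustrative, not any vendor's policy."""
    if total <= 0:
        raise ValueError("total engines must be positive")
    ratio = detections / total
    if detections == 0:
        verdict = "no engine flags it"
    elif ratio < 0.4:
        verdict = "low consensus: suspected false positive, confirm with the flagging vendor"
    elif ratio < 0.7:
        verdict = "split verdict: keep quarantined, seek analysis"
    else:
        verdict = "broad consensus: treat as malware"
    stale = bool(report_time and now and (now - report_time).days > stale_after_days)
    return {"ratio": round(ratio, 3), "verdict": verdict, "stale": stale}


if __name__ == "__main__":
    now = datetime(2010, 1, 13, tzinfo=timezone.utc)  # constructed "today"
    for url, hits, engines in ((JOTTI_URL, 7, 20), (VT_URL, 7, 39)):
        algo, digest, when = parse_scan_url(url)
        print(algo, digest, when)
        print(triage(hits, engines, when, now))
    # Constructed stand-in for the quarantined installer's bytes.
    print(file_hashes(b"not the real installer, just sample bytes"))
```

Run stand-alone it prints the SHA-1 behind the Jotti link, the SHA-256 and the 13 April 2009 report time behind the VirusTotal link, and flags the latter as stale against the constructed date, which is the same conclusion David reached by eye.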
 
Terry Pinnell

FromTheRafters said:
I can only say what conclusions *I* would draw.

Do you *need* this file? When in doubt, throw it out (or put it in
quarantine, check it later to see if it still FPs - if indeed that is
what it is doing).

By the numbers alone, it smells like an FP, but I am concerned about the
specificity of the detections and it seems the better scanners (IMO) are
the ones detecting it.

Have you tried contacting the maker of the editing software? If this is
a FP I'm sure their helpdesk phones would light up.


Thanks for follow-ups. Here's a summary:

I reported it simultaneously to VideoRedo Support. But their reply doesn't
really move me forward:
"Perhaps it's a false positive. Check for an update to the virus database.
Since the file is rather old, are you certain you downloaded it from our
website?"
(I wasn't sure earlier, but it's now clear that it was a download from the
Avira site.)

I also posted in the Antivir forum and submitted it to Antivir's own
detection service. The result was:
"The file 'VideoReDoPlus-2-1-1-413.exe' has been determined to be 'MALWARE'.
Our analysts named the threat DR/Genome.kht. The term "DR/" denotes a program
that is able to place a virus or a malware discretely on a system."

I also submitted it to these two online services:

Jotti's malware scan gave these results:
http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d1269 ...
07f83ed302
This appears to use bang up to date detection files and confirm that Avira is
one of 7 (out of 20) that reports this file as having the trojan.

VirusTotal gave these results:
http://www.virustotal.com/analisis/...dca800c704495e9fc4cff5999d6cb3cfa7-1239602812
This has 'Last Update' dates from April of 2009! But it shows that 7 of 39
results detect the trojan.
I was puzzled why Avira was not one of those 7. But I now see I should have
resubmitted to get an updated result. I expect that would show a malware
detection against Avira Antivir.

Anyway, the file and its backup are now back in quarantine. As it's an old
version of VideoRedo, I never need to access it. It seems pretty clear to me
that it's a false positive. Apart from the fact that the original has been
sitting in my Downloads folder for months or years, I reckon I must have
executed the file at some early stage to install or update the application.

But I'm still curious why only 7 out of 39 programs report it as malware. And
puzzled why Antivir got it right last September but now reports it as
malware. I've asked about that in the Antivir forum.
 
FromTheRafters

Terry Pinnell said:
Thanks for follow-ups. Here's a summary:

I reported it simultaneously to VideoRedo Support. But their reply doesn't
really move me forward:
"Perhaps it's a false positive. Check for an update to the virus database.
Since the file is rather old, are you certain you downloaded it from our
website?"
(I wasn't sure earlier, but it's now clear that it was a download from the
Avira site.)

I also posted in the Antivir forum and submitted it to Antivir's own
detection service. The result was:
"The file 'VideoReDoPlus-2-1-1-413.exe' has been determined to be 'MALWARE'.
Our analysts named the threat DR/Genome.kht. The term "DR/" denotes a program
that is able to place a virus or a malware discretely on a system."

I also submitted it to these two online services:

Jotti's malware scan gave these results:
http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d1269 ...
07f83ed302
This appears to use bang up to date detection files and confirm that Avira is
one of 7 (out of 20) that reports this file as having the trojan.

VirusTotal gave these results:
http://www.virustotal.com/analisis/...dca800c704495e9fc4cff5999d6cb3cfa7-1239602812
This has 'Last Update' dates from April of 2009! But it shows that 7 of 39
results detect the trojan.
I was puzzled why Avira was not one of those 7. But I now see I should have
resubmitted to get an updated result. I expect that would show a malware
detection against Avira Antivir.

Anyway, the file and its backup are now back in quarantine. As it's an old
version of VideoRedo, I never need to access it. It seems pretty clear to me
that it's a false positive. Apart from the fact that the original has been
sitting in my Downloads folder for months or years, I reckon I must have
executed the file at some early stage to install or update the application.

But I'm still curious why only 7 out of 39 programs report it as malware. And
puzzled why Antivir got it right last September but now reports it as
malware. I've asked about that in the Antivir forum.

Too bad it was a downloaded program rather than one on read only media.
Only once you submit a 4 year old program from a read only optical disk
to a vendor that detects it as new non-infecting malware will it be
proof enough for some people.

In my view, old programs don't suddenly become non-infecting trojan
malware.

Anyway, thanks for the update, and I'm still thinking FP. If you ever
find out "for sure" please do update again.
 
Terry Pinnell

FromTheRafters said:
Too bad it was a downloaded program rather than one on read only media.
Only once you submit a 4 year old program from a read only optical disk
to a vendor that detects it as new non-infecting malware will it be
proof enough for some people.

In my view, old programs don't suddenly become non-infecting trojan
malware.

Anyway, thanks for the update, and I'm still thinking FP. If you ever
find out "for sure" please do update again.

I had a reply from Avira Labs confirming that "This is a false positive."

They plan to "take out the pattern recognition in one of our next updates."
 
FromTheRafters

Terry Pinnell said:
I had a reply from Avira Labs confirming that "This is a false positive."

They plan to "take out the pattern recognition in one of our next updates."

This was a good exercise in the use of online submission scanners
(VirusTotal, Jotti, VirScan) in helping to determine FP declarations by
your resident AV program. The same results could have led one to believe
the opposite - especially in view of the Avira forum submission where
they shouted "MALWARE". :)

Thanks for updating this thread.
 