Is this file really malicious / viral / trojan?

Virus Guy

The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

Password is "a" (no quotes). When unzipped, you'll have keygen.xex.
Rename to exe and you'll have it.

Now here's the strange part. Have a look at this VT scan result and
tell me what's going on with this file:

http://www.virustotal.com/file-scan...58134bcc9337d4d98b536098ce1dec2df2-1319333503

It's saying that according to the "VT community", it's got a 100% safety
score as "goodware". This score is coming primarily from a user named
"jeje".

I see a lot of "trojan dropper" id's here, as well as this:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

So Ikarus has specifically ID'd this for what it is, and it's not a
virus (apparently).

(note - I'm having lots of problems connecting with vt tonight)

http://downorjustforme.com/virustotal.com

virustotal.com seems to be down :(

David H. Lipman

Virus Guy said:
The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

Password is "a" (no quotes). When unzipped, you'll have keygen.xex.
Rename to exe and you'll have it.

Now here's the strange part. Have a look at this VT scan result and
tell me what's going on with this file:

http://www.virustotal.com/file-scan...58134bcc9337d4d98b536098ce1dec2df2-1319333503

It's saying that according to the "VT community", it's got a 100% safety
score as "goodware". This score is coming primarily from a user named
"jeje".

I see a lot of "trojan dropper" id's here, as well as this:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

So Ikarus has specifically ID'd this for what it is, and it's not a
virus (apparently).

(note - I'm having lots of problems connecting with vt tonight)

http://downorjustforme.com/virustotal.com

virustotal.com seems to be down :(

I don't see much going on with that sample. It doesn't communicate on the 'net and the only
URL associated with it is: http://www.corel.com/

It has a French origin with strings like..
Erreur d'application<Le format '%s' est incorrect ou incompatible avec l'argument"Aucun
argument pour le format '%s'(Appels de m

This was an interesting string...
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

Usually with Keygens they open a window with some form of keygen dialogue. This didn't
create any such dialogue.

Is it malicious ?
I didn't see any malicious activity from it.

RayLopez99

Is it malicious ?
I didn't see any malicious activity from it.

Why would you open a virus, are you crazy or something? Never ever
open a zip file that somebody told you has a virus! I guess you have
a spare PC that you don't mind getting hosed.

RL

FromTheRafters

RayLopez99 said:
Why would you open a virus, are you crazy or something? Never ever
open a zip file that somebody told you has a virus! I guess you have
a spare PC that you don't mind getting hosed.

A VM is sufficient, no need for a spare PC. Although a spare isolated PC
would be better security-wise. Besides, zip is a data filetype, so no virus.

Virus Guy

David H. Lipman said:
I don't see much going with that sample. It doesn't communicate
on the 'net and the only URL associated with it is;
http://www.corel.com/

Is it malicious ?
I didn't see any malicious activity from it.

These 18 AV packages detect no threat in the file:

AhnLab-V3 Avast AVG
BitDefender ByteHero CAT-QuickHeal
Comodo DrWeb eTrust-Vet
F-Secure GData Kaspersky
Microsoft NOD32 Panda
Prevx Rising ViRobot

Ikarus knows what the file is, but tells us it's not a virus:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

These 2 tell us it's "riskware" - but not viral/trojan or otherwise
malicious.

Emsisoft Riskware.Keygen.Corel.WinDVDPro2010!IK
K7AntiVirus Riskware

These 4 or 5 packages don't give clear guidance based on their choice of
ID string. Why are they needlessly vague?

ClamAV PUA.Packed.PECompact-1 (wtf is this?)
Fortinet W32/KeyGen.A (so?)
McAfee Generic.grp!n (wtf is grp?)
McAfee-GW-Edition Generic.grp!n (wtf is grp?)
Sophos Mal/KeyGen-A (malware?)

These 14 packages give a clear impression that the file is malicious in
some way (mostly trojan):

AntiVir TR/Drop.Lmir.DH.2 (trojan dropper?)
Antiy-AVL Trojan/win32.agent.gen (trojan)
Commtouch W32/MalwareF.NSSW (malware)
F-Prot W32/MalwareF.NSSW (malware)
Jiangmin TrojanDropper.LMir.an (trojan dropper)
nProtect Trojan/W32.Agent.163840.GN (trojan)
PCTools Trojan.Gen (trojan)
SUPERAntiSpyware Trojan.Dropper/Gen (trojan dropper)
Symantec Trojan.Gen (trojan)
TheHacker Trojan/Dropper.Lmir.dy (trojan)
TrendMicro TROJ_SPNR.08I911 (trojan)
TrendMicro-HseCl TROJ_SPNR.08I911 (trojan)
VIPRE Trojan.Win32.Generic!BT (trojan)
VirusBuster Trojan.PEPM!71yxiHZtHQk (trojan)

So to summarize:

45% say nothing about the file
35% say the file is a trojan or is otherwise malware
17% give a vague or indeterminate reading for the file

I see the term or string "gen" or "generic" quite a bit. Should that be
taken as an indication of a "generic" detection that may (or likely is)
a false-positive?
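The tally above is a manual version of what a triage script does with a multi-engine result set: bucket each detection name by what it actually claims, then flag the "malicious" verdicts that rest on a generic signature name. The following is an added example, not code from the thread or from VirusTotal; the sample dictionary is constructed from the detection strings quoted in the post, and the keyword rules are an assumption that mirrors the post's own grouping.

```python
import re
from collections import Counter

# Constructed sample: a representative subset of the vendor/name pairs quoted
# in the post. None means the engine reported no detection.
SAMPLE_RESULTS = {
    "AhnLab-V3": None, "Avast": None, "Kaspersky": None, "Microsoft": None,
    "Ikarus": "not-a-virus.Keygen.Corel.WinDVDPro2010",
    "Emsisoft": "Riskware.Keygen.Corel.WinDVDPro2010!IK",
    "K7AntiVirus": "Riskware",
    "ClamAV": "PUA.Packed.PECompact-1",
    "Sophos": "Mal/KeyGen-A",
    "McAfee": "Generic.grp!n",
    "AntiVir": "TR/Drop.Lmir.DH.2",
    "Symantec": "Trojan.Gen",
    "VIPRE": "Trojan.Win32.Generic!BT",
}

# Assumed keyword rules approximating the post's four buckets. PUA is treated as
# riskware (Potentially Unwanted Application), not as a malware verdict.
def classify(name):
    """Map one detection string to clean / riskware / malicious / vague."""
    if name is None:
        return "clean"
    low = name.lower()
    if low.startswith("not-a-virus") or "riskware" in low or low.startswith("pua."):
        return "riskware"
    if any(k in low for k in ("trojan", "tr/", "troj_", "drop", "malware")):
        return "malicious"
    return "vague"  # e.g. Mal/KeyGen-A, Generic.grp!n: no clear claim

# Names that signal a generic or heuristic signature rather than a specific one.
GENERIC_RE = re.compile(r"gen(eric)?\b|!bt|heur", re.IGNORECASE)

def summarize(results):
    """Return bucket counts, rounded percentages, and the engines whose
    'malicious' verdict comes only from a generic-looking signature name."""
    buckets = Counter(classify(v) for v in results.values())
    total = sum(buckets.values())
    pct = {b: round(100 * n / total) for b, n in buckets.items()}
    generic = sorted(e for e, v in results.items()
                     if v and classify(v) == "malicious" and GENERIC_RE.search(v))
    return buckets, pct, generic

if __name__ == "__main__":
    counts, percent, low_confidence = summarize(SAMPLE_RESULTS)
    print(dict(counts), percent)
    print("generic-only malicious verdicts:", low_confidence)
```

A low "malicious" share made up mostly of generic names is the pattern the post is asking about; it is a reason to weigh the specific verdicts (Ikarus, Emsisoft) more heavily, not proof of a false positive on its own.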

Virus Guy

Virus Guy said:
It's saying that according to the "VT community", it's got a 100%
safety score as "goodware". This score is coming primarily from
a user named "jeje".

Strange thing.

This is now twice that when I try to view "jeje"'s profile on VT, I seem
to cause the VT site to crash.

http://www.virustotal.com/vt-community/user-profile.html?nick=jeje

But I finally got this profile:

=============
Hello @jeje,

The VirusTotal team would like to give you a warm welcome to VT
Community. We hope you find the information in this application useful
and we strongly encourage you to make your own contributions in order to
help the whole community.

Time to start chasing the bad guys ;)
written by @VirusTotalTeam, 2010-09-05 20:28:54 (UTC)
=============

So I guess if the "Virustotalteam" says this file is harmless, they must
be right!

FromTheRafters

Virus Guy wrote:
[...]
ClamAV PUA.Packed.PECompact-1 (wtf is this?)

Potentially Unwanted Application.

I don't know many of the rest, and I feel your pain. Naming systems
really do produce some cryptic names, and it's not easy to decipher.

[...]

Man-wai Chang

The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

If you really have to execute the program inside, use VirtualBox to
install a jailed WinXP, then copy and run the program inside the virtual
machine. No harm to your host OS guaranteed.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 14:18:02 up 8 days 22:54 0 users load average: 0.05 0.08 0.06
Don't borrow! Don't cheat! Don't do compensated dating! Don't fight! Don't rob! Don't kill yourself! Please consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa

FromTheRafters

Man-wai Chang said:
If you really have to execute the program inside, use VirtualBox to
install a jailed WinXP, then copy and run the program inside the virtual
machine. No harm to your host OS guaranteed.
...but what if it's a network enumerating worm?

Man-wai Chang

...but what if it's a network enumerating worm?

I just read about a fake virtual machine that could capture keystrokes
from the host OS from PC World in a nearby public library.

As long as you are careful, it's fine.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
Don't borrow! Don't cheat! Don't do compensated dating! Don't fight! Don't rob! Don't kill yourself! Please consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa

FromTheRafters

Man-wai Chang said:
I just read about a fake virtual machine that could capture keystrokes
from the host OS from PC World in a nearby public library.

As long as you are careful, it's fine.
My point was that just because an infestation isn't persistent doesn't
mean it can't do evil things within the current session. Malware steals
your clock cycles for its own use, a virtual machine is no different in
that respect.

Man-wai Chang

My point was that just because an infestation isn't persistent doesn't
mean it can't do evil things within the current session. Malware steals
your clock cycles for its own use, a virtual machine is no different in
that respect.

At least, the stuff inside a VM would not directly interact with the
host OS.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 09:49:01 up 11 days 13:55 0 users load average: 0.00 0.01 0.05
Don't borrow! Don't cheat! Don't do compensated dating! Don't fight! Don't rob! Don't kill yourself! Please consider CSSA (Comprehensive Social Security Assistance):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa