Tuesday, September 19, 2006

Trojan or Not?

Last night I was playing on Lavie's laptop, showing her the finer points of Vista RC1 (Virtual PC session).

I had installed AVG-Free on it (which went just fine, thank them very much), and after installing a new theme in Firefox 2.0b2, I restarted Firefox and AVG alerted me that it had found Trojan horse PSW.Generic2.ILX.

Yikes! (All this was going on in the virtual session of Vista RC1.)

The file in question was xpicleanup.exe located in the Firefox application folder.

Filename: xpicleanup.exe
Discovery: Trojan horse PSW.Generic2.ILX
File size: 66.11 KB (67700 bytes)
Healable: No
Status: Infected.

Did I just fall victim to a bad bait-and-switch theme install?

I dumped the file and the application. Rescanned. Clean.

I reinstalled the Beta version of Firefox directly from the developer's site. Bam. AVG alerted again.

What's up?

I was kinda leaning to it being a false-positive, but not sure.

I did some quick Google searches that led me to believe the file was valid, but I found no other reports of it being flagged as a Trojan.

Today I went to work on my desktop system.

Yep. AVG scans on my desktop system also alerted on the file. I hadn't done any Firefox updates on that one, so I was pretty curious whether this was indeed a false-positive alarm.

Program version 7.1.405
Virus base: 268.12.5/450
Release Date: 09/18/2006 3:20:00 PM

I dropped in at Grisoft's AVG-Free page, but didn't find any info there about how to submit a request to check for a false-positive.

Next, I logged into their AVG-Free Forum. A search seemed to find one other individual experiencing the same thing. Based on that post, I:

1) Uploaded the suspect file to www.virustotal.com to test "on-line". The results of feeding it through their 27 different scan engines came back clean. (bookmark this site! Great for testing a suspect file!)

2) Zipped the file up, passworded it, and emailed it to virus "at" grisoft.com with the technical details and zip password. (9:47 am)

3) Posted my information (so far) to the AVG-Free Forum under a new topic post. (Dat's the Rulz Dere Man!)

4) While waiting for some response, uploaded the suspect file to www.virusscan.jotti.org like the forum Moderator recommended in the previous post I had reviewed in the forums. Results came back clean from 15 scan engines...except for AVG's which confirmed what my local version of AVG was reporting.

5) The Moderator responded to do what I had already done. And reminded me not to post a new topic into another's thread (which is why my first post had been deleted). Roger-dodger, chief. Won't try that again. Scout's promise.

6) Sent an email to ISC-SANS handlers just in case they were interested. (They have posted about AVG false positives before...)

7) Ran some errands. When I got back, I had an email from AVG Technical Support in my in-box that they sent back to me at 10:07 am. Reported that they confirmed that it was a false-positive and would be issuing a revised DAT update soon. What was that response time? Twenty minutes? I'm sure they already had been working on this, but still...that was a darn-fast response to a customer report!

8) Updated my Forum post with the new information. Posted a comment over in the TechBlog.

9) An ISC-SANS handler responded to me via email that AV vendors have had problems in the past with components of the Nullsoft installer engine--might be related...interesting tidbit...

10) AVG responded. Got a new DAT update pack from AVG. AVG-Free Program version 7.1.405, Virus base: 268.12.5/451, Release Date: 09/19/2006 2:45:00 PM. Scans on the xpicleanup.exe file don't alert anymore.
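One way to do the comparison step the author performed by hand (reinstalling from the developer's site and rescanning), as an added example that is not from the original post: a small Python script that hashes the flagged file, compares it byte-for-byte with a reference copy taken from a fresh vendor download, checks the size quoted in the AV report, and prints a summary suitable for a vendor false-positive submission. The function names, the reference-copy approach and the placeholder file bytes are my assumptions; a match with the vendor's copy supports the false-positive theory, while a mismatch means the flagged copy is not what the vendor ships and should not be dismissed. It complements, rather than replaces, the multi-engine scan described above.

```python
"""False-positive triage helper: does the flagged file match a known-good copy?

Added example, not code from the original post. It assumes the reader has
(a) the file the AV product flagged and (b) a reference copy of the same
file taken from a fresh download of the vendor's installer, as the post's
author did by reinstalling Firefox from the developer's site.
"""
import hashlib
import os
import tempfile


def file_digests(path):
    """Return size plus MD5 and SHA-256 of a file, read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def triage(suspect_path, reference_path, reported_size=None):
    """Compare the flagged file with the reference copy.

    A byte-for-byte match with a vendor-shipped copy points to a signature
    false positive; a mismatch means the flagged copy differs from what the
    vendor ships and deserves a closer look before being dismissed.
    """
    suspect = file_digests(suspect_path)
    reference = file_digests(reference_path)
    result = {
        "suspect": suspect,
        "reference": reference,
        "matches_reference": suspect["sha256"] == reference["sha256"],
    }
    if reported_size is not None:
        # The AV report quotes a size (67700 bytes in the post); a size that
        # disagrees with the file on disk suggests the report and the file
        # being examined are not the same object.
        result["size_matches_report"] = suspect["size"] == reported_size
    return result


def submission_note(filename, detection, result):
    """Plain-text summary for a vendor false-positive report."""
    verdict = ("identical to vendor-shipped copy" if result["matches_reference"]
               else "DIFFERS from vendor-shipped copy")
    lines = [
        f"File: {filename}",
        f"Detection: {detection}",
        f"Size: {result['suspect']['size']} bytes",
        f"MD5: {result['suspect']['md5']}",
        f"SHA-256: {result['suspect']['sha256']}",
        f"Reference comparison: {verdict}",
    ]
    if "size_matches_report" in result:
        lines.append("Size agrees with AV report: "
                     + ("yes" if result["size_matches_report"] else "no"))
    return "\n".join(lines)


def demo(tamper=False):
    """Run the triage on two constructed files (placeholder bytes, not the real xpicleanup.exe).

    With tamper=True the flagged copy gets one byte altered, to show the
    mismatch path a practitioner must not wave through as a false positive.
    """
    with tempfile.TemporaryDirectory() as tmp:
        flagged = os.path.join(tmp, "xpicleanup.exe")
        fresh = os.path.join(tmp, "xpicleanup.exe.fresh")
        payload = b"MZ" + b"\x00" * 98  # constructed 100-byte stand-in
        flagged_bytes = payload[:-1] + b"\x01" if tamper else payload
        with open(flagged, "wb") as fh:
            fh.write(flagged_bytes)
        with open(fresh, "wb") as fh:
            fh.write(payload)
        result = triage(flagged, fresh, reported_size=100)
        note = submission_note("xpicleanup.exe", "Trojan horse PSW.Generic2.ILX", result)
        return result, note


if __name__ == "__main__":
    res, note = demo()
    print(note)
```

Run it as-is to see the clean-match report; `demo(tamper=True)` shows the same report with the "DIFFERS" verdict. Keep the MD5 alongside the SHA-256 only because some vendor submission forms still ask for it; the comparison itself relies on SHA-256.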

Cleaned up all the alerts from my virus-vault (had to disable my XP System Restore to remove them--then re-enable it again).

Mischief managed. Grisoft/AVG again proved to me just how responsive they are and how seriously they take their customers' needs--even the free-loading ones like me!

Whew. So much for a day off from the office.



Ian Oxley said...

All *I* want to say here is that I only found out last weekend where the phrase "mischief managed" comes from!

Just saying!

Anonymous said...

Hi Ian,

Our family reads a chapter from the Harry Potter series out loud together every night before bedtime. Just one of those "routines" we've done for many, many years. We look forward to spending that "quiet-time" together at the end of each crazy day.

Been reading them for so long that many of the phrases and words (like mischief managed) have crept into our daily language...Good Thing or not, I'm not sure.... ;)

So I'm not surprised some readers will see some of these phrases sneak in here from time to time!

Maybe I need to add a link to a Harry Potter "lexicon"....