Is the Yahoo! Messenger installer a virus!?


This afternoon I went to Yahoo to download the Messenger installer (version 9.0).
After the download it was intercepted by Avira (the "little umbrella"), which showed a Trojan warning!
When I saw it, I was stunned!!
I immediately submitted it to Avira for analysis, in case it was a false positive!!
I just received the reply!
An unbelievable result!!

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00208894.
We received the following archive files:
File ID         Filename        Size (Byte)        Result
25148428         msgr9tw.zip        1.18 MB        OK
A listing of files contained inside archives alongside their results can be found below:
File ID         Filename        Size (Byte)        Result
25148429         msgr9tw.exe         1.19 MB         MALWARE

Please find a detailed report concerning each individual sample below:
Filename        Result
msgr9tw.exe         MALWARE

The file 'msgr9tw.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Dldr.Swiftcleaner.D.12. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system.Detection is added to our virus definition file (VDF) starting with version 7.00.06.223.


Because the forum has an upload size limit, please download it from Yahoo yourselves!!
http://rd.software.yahoo.com/msgr/9/msgr9tw.exe

VirusTotal report:
http://www.virustotal.com/zh-tw/ ... cc011aef3f1fcf8039e

[ This post was last edited by w12345k on 2008-9-30 20:24 ]


  • megakotaro (2008-9-30 20:25:27)


    It looks like only the vendors that buy their signatures from Avira (the red umbrella) flag it,
    because the detection names are all similar.
    It must be hiding something; it probably reports user information back.

    Still, it looks like a false positive.

    [ This post was last edited by megakotaro on 2008-9-30 20:27 ]
  • w12345k (2008-9-30 20:31:02)

    But I had already uploaded it and had them re-analyze it...
    Really strange!!
    The virus.org report is here:

    http://scanner.virus.org/scan/q8 ... cc8417bba62882af1c7


    Kaspersky        7.0.0.125        2008.09.30        not-a-virus:Downloader.Win32.SwiftCleaner.d
  • 黑衣~魂 (2008-9-30 20:36:30)

    Kaspersky reports not-a-virus:Downloader.Win32.SwiftCleaner.d
    F-Secure reports Downloader.Win32.SwiftCleaner.d
    It should be a false positive... this file really does have the "DR" behaviour Avira refers to, but Avira uses automated analysis and relies on it too much... you can dispute the analysis result.

    I have submitted it to Kaspersky and F-Secure.

    [ This post was last edited by 黑衣~魂 on 2008-9-30 20:44 ]
  • 000110 (2008-9-30 20:49:30)

    I'd guess F-Secure also reports not-a-virus:Downloader.Win32.SwiftCleaner.d,
    but VT cannot display / does not display the "not-a-virus:" prefix.
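The point raised in this post, that an aggregator which drops the "not-a-virus:" prefix makes a riskware verdict look like a malware verdict, can be shown with a small verdict normalizer. The following is an added example, not code from the thread or from any of the vendors mentioned; the engine names, the "not-a-virus:" convention and Avira's "DR/" naming come from the thread, while the category mapping, the `min_malware_votes` threshold and the sample verdict table are assumptions constructed for illustration.

```python
"""Normalize anti-virus engine verdict strings and compute a consensus.

Added example (not part of the forum thread). It models the thread's point
that Kaspersky's and F-Secure's "not-a-virus:" prefix marks riskware rather
than malware, and that an aggregator which strips the prefix makes a riskware
hit indistinguishable from a real malware detection.
"""
import re
from collections import Counter

# Coarse verdict categories, from least to most severe.
CLEAN, RISKWARE, MALWARE = "clean", "riskware", "malware"

# Strings an engine returns when it finds nothing (assumed set).
CLEAN_MARKERS = {"", "-", "ok", "clean"}


def classify(verdict):
    """Map one engine's raw detection string to a coarse category.

    "not-a-virus:" (Kaspersky-style riskware) is treated as RISKWARE.
    Anything else that is non-empty, including Avira's "DR/" dropper
    family names, is treated as MALWARE.
    """
    if verdict is None or verdict.strip().lower() in CLEAN_MARKERS:
        return CLEAN
    if verdict.strip().lower().startswith("not-a-virus:"):
        return RISKWARE
    return MALWARE


def consensus(results, min_malware_votes=2):
    """Summarize a {engine: verdict} dict as (category, counts).

    A file is called MALWARE only when at least min_malware_votes engines
    return a genuine malware verdict. Riskware-only hits (or a single
    malware hit) are reported as RISKWARE so an analyst reviews them
    instead of the file being blocked on one vendor's say-so.
    """
    counts = Counter(classify(v) for v in results.values())
    if counts[MALWARE] >= min_malware_votes:
        return MALWARE, counts
    if counts[MALWARE] or counts[RISKWARE]:
        return RISKWARE, counts
    return CLEAN, counts


def strip_prefix(verdict):
    """Simulate an aggregator that silently drops the 'not-a-virus:' prefix."""
    if verdict is None:
        return None
    return re.sub(r"(?i)^not-a-virus:", "", verdict.strip())


# Constructed sample mirroring the verdicts quoted in the thread.
SAMPLE = {
    "Avira": "DR/Dldr.Swiftcleaner.D.12",
    "Kaspersky": "not-a-virus:Downloader.Win32.SwiftCleaner.d",
    "F-Secure": "not-a-virus:Downloader.Win32.SwiftCleaner.d",
    "Destroyer": "OK",
}


def consensus_after_stripping(results, min_malware_votes=2):
    """Same consensus, but computed on prefix-stripped verdicts."""
    stripped = {k: strip_prefix(v) for k, v in results.items()}
    return consensus(stripped, min_malware_votes)


if __name__ == "__main__":
    print("with prefix:   ", consensus(SAMPLE))
    print("prefix dropped:", consensus_after_stripping(SAMPLE))
```

With the prefixes intact the sample resolves to riskware (one malware vote from Avira, two riskware votes); once the prefix is dropped the same three strings count as three malware votes and the verdict flips to malware, which is exactly the distortion the post describes.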
  • EQSecure (2008-9-30 21:28:39)

    Avira is far too sloppy.
    Something Kaspersky reports as not-a-virus
    gets flagged as malware over there. This false positive is really low-grade.
  • megakotaro (2008-9-30 21:57:21)

    If you are sure there is no virus, report it as a false positive.
    On the report page, choose "False positives" under "file type",
    then provide the link.
    Avira will then re-analyze it.
    (But the final result is up to Avira; they won't necessarily remove the detection.)
  • megakotaro (2008-9-30 23:01:03)

    I just finished installing it and scanned the Yahoo! folder (the installed files) with Avira; it found no threats at all.
    No idea where the problem is.
  • w12345k (2008-10-01 01:13:03)

    Hello.

    This is not a false detection, it is a risky downloader.
    -----------------
    Regards, Evgeny Aseev
    Virus Analyst, Kaspersky Lab.

    Ph.: +7(095) 797-8700
    E-mail: newvirus@kaspersky.com
    http://www.kaspersky.com   http://www.viruslist.com


    > Attachment: msgr9tw.zip


    Sorry... I just received the reply from Kaspersky!!!
    I told them it was a false positive... they replied that it isn't!!!
    It's a risky downloader..

    I think this is judged purely from the program code?
    Or does Yahoo have some scheme going on?
  • wopti (2008-10-01 15:15:10)

    Destroyer (驱逐舰) found no virus.

    Packed:
    msgr9tw.rar
  • 黑衣~魂 (2008-10-01 17:44:43)

    QUOTE:

    Originally posted by megakotaro on 2008-9-30 21:57
    If you are sure there is no virus, report it as a false positive.
    On the report page, choose "False positives" under "file type",
    then provide the link.
    Avira will then re-analyze it.
    (But the final result is up to Avira; they won't necessarily remove the detection.)
    Avira definitely has to remove this false positive.

    Hello.
    Sorry, it was a false detection. It will be fixed in the next updates.
    Thank you for your help.
    Please quote all when answering.
    -----------------
    Regards, Evgeny Aseev
    Virus Analyst, Kaspersky Lab.
  • megakotaro (2008-10-01 17:52:01)

    No luck.....
    Even when I used the "report false positive" option (Suspected False positives) it made no difference, and it showed the following:
    The file 'msgr9tw.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Dldr.Swiftcleaner.D.12. The term "DR/" denotes a program that is able to place a virus or a malware discretely on a system.Detection is added to our virus definition file (VDF) starting with version 7.00.06.223.
    Is there another channel for reporting it?

    I just checked: the detection started on Monday, no idea who submitted this wrongly.
    Otherwise 7.00.06.222 and earlier would not flag it.

    7.00.06.222 release time (Germany): Mon, 29 Sep 2008 11:09 (GMT+1)
    7.00.06.223: Mon, 29 Sep 2008 13:52 (GMT+1)

    [ This post was last edited by megakotaro on 2008-10-1 18:10 ]
  • 天氣預報 (2008-10-01 17:57:44)

  • 黑衣~魂 (2008-10-01 20:48:49)

    Avira has removed it too.
    Dear Sir or Madam,
    Thank you for your email to Avira's virus lab.
    Tracking number: INC00209265.

    A listing of files alongside their results can be found below:
    File ID         Filename         Size (Byte)         Result
    25148429          msgr9tw.exe          1.19 MB          FALSE POSITIVE

    Please find a detailed report concerning each individual sample below:
    Filename         Result
    msgr9tw.exe          FALSE POSITIVE

    The file 'msgr9tw.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

    Kind regards
    Avira Virus Lab
  • 天氣預報 (2008-10-01 22:15:01)

  • megakotaro (2008-10-01 22:24:15)

    I received it here as well......
    Dear Sir or Madam,
    Thank you for your email to Avira's virus lab.
    Tracking number: INC00209248.

    The file 'msgr9tw.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

    Still, it's strange: when I first reported the false positive it still said malware, and now it has changed its tune. Couldn't Avira show "under analysis" instead, so people don't think you simply refuse to change it......