Question about a Backdoor/Delf.emx detection by Jiangmin

Virus Guy

Dec 10, 2009, 11:37:23 PM
Virustotal is reporting that this file is potentially malicious:

http://gpass1.com/download/GPass.exe

Specifically, only 1 AV program is reporting it as a threat:

Jiangmin -> Backdoor/Delf.emx

Is this a correct detection, or a false positive?

David H. Lipman

Dec 11, 2009, 6:31:44 AM
From: "Virus Guy" <Vi...@Guy.com>

| Virustotal is reporting that this file is potentially malicious:

| h**p://gpass1.com/download/GPass.exe

| Specifically, only 1 AV program is reporting it as a threat:

| Jiangmin -> Backdoor/Delf.emx

| Is this a correct detection, or a false positive?

You must think it is because you posted that URL unobfuscated.
It probably may be an FP.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Ant

Dec 11, 2009, 12:02:02 PM
"Virus Guy" wrote:

> Jiangmin -> Backdoor/Delf.emx
> Is this a correct detection, or a false positive?

http://gpass1.com/gpass/about
"GPass is a product of the World's Gate, Inc. The World's Gate, Inc.
is a private IT company offering Internet solutions for information
freedom in China and other regions under suppressive regimes".

Interesting that an entity called "Jiangmin", whoever they are but
sounding Chinese, detected it. Perhaps they don't want you penetrating
the Great Firewall of China or perhaps they're trying to warn you of
something else...

It's packed with PECompact 2, has a simple-to-bypass anti-unpacking
trick, but once unpacked is obviously a Borland Delphi executable
(hence 'Delf') with network capabilities that appears to do what it
says on the tin; some of which is: "Encrypted socks tunnels and backup
tunnels using Skype and Tor".

I haven't looked at it in detail (the unpacked exe is 3 meg) but there
is no obvious sign it's malware. The question is, do you trust the
gpass1 website? If it came from there and that site is not a front of
the Chinese govt (it's hosted in the US) then I'd say it's probably a
false positive.


Virus Guy

Dec 12, 2009, 9:07:58 AM
Ant wrote:

> > Jiangmin -> Backdoor/Delf.emx
> > Is this a correct detection, or a false positive?

> If it came from there and that site is not a front of the
> Chinese govt (it's hosted in the US) then I'd say it's probably
> a false positive.

F-Secure is now reporting it as:

Suspicious:W32/Riskware!Online
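
Two triage questions run through this thread: Ant's observation that the file is PECompact-packed and, once unpacked, a plain Delphi executable, and the fact that only one engine (later two, both with generic names) flagged it. The script below is an added example written for this page, not code from the thread or from the GPass project. It parses a PE section table to score packing (high section entropy, a `PEC2` marker string, which is associated with the PECompact 2 stub and is treated here as a hint, not proof) and Delphi layout (the conventional `CODE`/`DATA`/`BSS` section names), and it weighs multi-engine results so that a handful of generic verdicts ("Delf", "Suspicious", "Riskware") is reported as a probable false positive to confirm rather than as a conviction. The PE images, the 40-engine result set and the thresholds are all constructed fixtures so the code runs offline.

```python
# Added example: packer / false-positive triage heuristics for a single-engine AV hit.
# Not code from the thread; PE fixtures and engine results below are constructed.
import math
import struct
from collections import Counter

DELPHI_SECTIONS = {"CODE", "DATA", "BSS"}        # conventional Borland Delphi linker section names
PECOMPACT2_MARKER = b"PEC2"                      # string associated with the PECompact 2 stub; a hint only
GENERIC_TOKENS = ("delf", "suspicious", "riskware", "heur", "generic")  # generic, not family-specific, verdicts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, typical of compressed or packed sections."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return name, raw size and entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size             # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size, "entropy": shannon_entropy(data)})
    return sections


def packer_assessment(pe: bytes) -> dict:
    """Does the image look packed, and does its section layout look like Delphi output?"""
    sections = parse_sections(pe)
    names = {s["name"] for s in sections}
    max_entropy = max((s["entropy"] for s in sections), default=0.0)
    return {"sections": sorted(names), "max_entropy": round(max_entropy, 2),
            "pecompact2_marker": PECOMPACT2_MARKER in pe,
            "looks_packed": max_entropy > 7.0 or PECOMPACT2_MARKER in pe,   # 7.0 is a constructed threshold
            "looks_delphi": DELPHI_SECTIONS <= names}


def detection_consensus(results: dict, total_engines: int) -> dict:
    """Weigh multi-engine results: one or two generic-only hits point to a probable FP, not a conviction."""
    hits = {engine: name for engine, name in results.items() if name}
    generic = [e for e, name in hits.items() if any(t in name.lower() for t in GENERIC_TOKENS)]
    ratio = len(hits) / total_engines
    if not hits:
        verdict = "clean by all engines"
    elif len(hits) <= 2 and len(generic) == len(hits):
        verdict = "probable false positive: confirm publisher and hash, then whitelist or submit to the vendor"
    elif ratio >= 0.25:
        verdict = "broad consensus: treat as malicious"
    else:
        verdict = "inconclusive: unpack and inspect in a sandbox"
    return {"hits": len(hits), "ratio": round(ratio, 3),
            "generic_only": bool(hits) and len(generic) == len(hits), "verdict": verdict}


def build_pe(sections: list) -> bytes:
    """Construct a minimal PE32 fixture from (name, raw data) pairs. Test data only, not a real binary."""
    opt_size = 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew -> PE header at 64
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    raw_ptr = 64 + 24 + opt_size + 40 * len(sections)
    headers, raw = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        raw += data
    return bytes(dos) + coff + bytes(opt) + headers + raw


# Constructed fixtures: a PECompact-style packed image and a Delphi-style unpacked layout.
HIGH_ENTROPY = bytes(range(256)) * 8
LOW_ENTROPY = b"push ebp; mov ebp, esp; ret\r\n" * 40
PACKED_SAMPLE = build_pe([(b".text", PECOMPACT2_MARKER + HIGH_ENTROPY), (b".rsrc", LOW_ENTROPY)])
UNPACKED_SAMPLE = build_pe([(b"CODE", LOW_ENTROPY), (b"DATA", LOW_ENTROPY), (b"BSS", b""), (b".rsrc", LOW_ENTROPY)])
# Constructed engine results in the shape the thread describes: two generic hits out of 40 engines.
SAMPLE_RESULTS = {"Jiangmin": "Backdoor/Delf.emx", "F-Secure": "Suspicious:W32/Riskware!Online",
                  **{f"engine{i:02d}": None for i in range(38)}}

if __name__ == "__main__":
    print(packer_assessment(PACKED_SAMPLE))
    print(packer_assessment(UNPACKED_SAMPLE))
    print(detection_consensus(SAMPLE_RESULTS, total_engines=len(SAMPLE_RESULTS)))
```

On a real file you would replace the fixtures with `open(path, "rb").read()` and the engine dictionary with the scan report; the point of the consensus step is that a low hit count made up entirely of generic names is a reason to verify the publisher and the file hash, not a reason to conclude either way.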