
Is this file really malicious / viral / trojan?


Virus Guy

Oct 22, 2011, 10:11:37 PM
The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
up just the keygen and made it available here:

http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

Password is "a" (no quotes). When unzipped, you'll have keygen.xex.
Rename to exe and you'll have it.

Now here's the strange part. Have a look at this VT scan result and
tell me what's going on with this file:

http://www.virustotal.com/file-scan/report.html?id=3c28afa30e7e43c3b502bd5343306958134bcc9337d4d98b536098ce1dec2df2-1319333503

It's saying that according to the "VT community", it's got a 100% safety
score as "goodware". This score is coming primarily from a user named
"jeje".

I see a lot of "trojan dropper" id's here, as well as this:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

So Ikarus has specifically ID'd this for what it is, and it's not a
virus (apparently).

(note - I'm having lots of problems connecting with vt tonight)

http://downorjustforme.com/virustotal.com

virustotal.com seems to be down :(

David H. Lipman

Oct 23, 2011, 1:57:34 PM
From: "Virus Guy" <Vi...@Guy.com>
I don't see much going with that sample. It doesn't communicate on the 'net and the only
URL associated with it is; http://www.corel.com/

It has a French origin with strings like..
Erreur d'application<Le format '%s' est incorrect ou incompatible avec l'argument"Aucun
argument pour le format '%s'(Appels de m

This was an interesting string...
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

Usually with Keygens they open a window with some form of keygen dialogue. This didn't
create any such dialogue.

Is it malicious ?
I didn't see any malicious activity from it.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


RayLopez99

Oct 23, 2011, 3:39:00 PM
On Oct 24, 1:57 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:

> Is it malicious ?
> I didn't see any malicious activity from it.
>
> --
> Dave
> Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
> http://www.pctipp.ch/downloads/dl/35905.asp

Why would you open a virus, are you crazy or something? Never ever
open a zip file that somebody told you has a virus! I guess you have
a spare PC that you don't mind getting hosed.

RL

FromTheRafters

Oct 23, 2011, 4:35:34 PM
A VM is sufficient, no need for a spare PC. Although a spare isolated PC
would be better security wise. Besides, zip is a data filetype, so no virus.

Virus Guy

Oct 23, 2011, 6:32:11 PM
"David H. Lipman" wrote:

> > The file in question is a keygen for Corel WinDVD Pro 2010.
>
> I don't see much going with that sample. It doesn't communicate
> on the 'net and the only URL associated with it is;
> http://www.corel.com/
>
> Is it malicious ?
> I didn't see any malicious activity from it.

These 18 AV packages detect no threat in the file:

AhnLab-V3 Avast AVG
BitDefender ByteHero CAT-QuickHeal
Comodo DrWeb eTrust-Vet
F-Secure GData Kaspersky
Microsoft NOD32 Panda
Prevx Rising ViRobot

Ikarus knows what the file is, but tells us it's not a virus:

Ikarus not-a-virus.Keygen.Corel.WinDVDPro2010

These 2 tell us it's "riskware" - but not viral/trojan or otherwise
malicious.

Emsisoft Riskware.Keygen.Corel.WinDVDPro2010!IK
K7AntiVirus Riskware

These 4 or 5 packages don't give clear guidance based on their choice of
ID string. Why are they needlessly vague?

ClamAV PUA.Packed.PECompact-1 (wtf is this?)
Fortinet W32/KeyGen.A (so?)
McAfee Generic.grp!n (wtf is grp?)
McAfee-GW-Edition Generic.grp!n (wtf is grp?)
Sophos Mal/KeyGen-A (malware?)

These 14 packages give a clear impression that the file is malicious in
some way (mostly trojan):

AntiVir TR/Drop.Lmir.DH.2 (trojan dropper?)
Antiy-AVL Trojan/win32.agent.gen (trojan)
Commtouch W32/MalwareF.NSSW (malware)
F-Prot W32/MalwareF.NSSW (malware)
Jiangmin TrojanDropper.LMir.an (trojan dropper)
nProtect Trojan/W32.Agent.163840.GN (trojan)
PCTools Trojan.Gen (trojan)
SUPERAntiSpyware Trojan.Dropper/Gen (trojan dropper)
Symantec Trojan.Gen (trojan)
TheHacker Trojan/Dropper.Lmir.dy (trojan)
TrendMicro TROJ_SPNR.08I911 (trojan)
TrendMicro-HseCl TROJ_SPNR.08I911 (trojan)
VIPRE Trojan.Win32.Generic!BT (trojan)
VirusBuster Trojan.PEPM!71yxiHZtHQk (trojan)

So to summarize:

45% say nothing about the file
35% say the file is a trojan or is otherwise malware
17% give a vague or indeterminate reading for the file

I see the term or string "gen" or "generic" quite a bit. Should that be
taken as an indication of a "generic" detection that may (or likely is)
a false-positive?
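As an added example (my own script, not something any poster in this thread wrote), here is the bucketing above applied to the detection list exactly as posted, plus the two checks I would do next before reading anything into "35% say trojan": collapse engines that emit the identical string (they usually share one back end or signature feed, so they are one vote, not two), and tally which family-looking token independent vendors agree on. The bucket names, the regexes for "not malware" and "generic" labels, and the noise-word list are my own assumptions, not any vendor's naming scheme, so expect to tune them.

```python
import re
from collections import Counter

# Detection names exactly as listed in the post above (None = no detection).
DETECTIONS = {
    "AhnLab-V3": None, "Avast": None, "AVG": None, "BitDefender": None,
    "ByteHero": None, "CAT-QuickHeal": None, "Comodo": None, "DrWeb": None,
    "eTrust-Vet": None, "F-Secure": None, "GData": None, "Kaspersky": None,
    "Microsoft": None, "NOD32": None, "Panda": None, "Prevx": None,
    "Rising": None, "ViRobot": None,
    "Ikarus": "not-a-virus.Keygen.Corel.WinDVDPro2010",
    "Emsisoft": "Riskware.Keygen.Corel.WinDVDPro2010!IK",
    "K7AntiVirus": "Riskware",
    "ClamAV": "PUA.Packed.PECompact-1",
    "Fortinet": "W32/KeyGen.A",
    "McAfee": "Generic.grp!n",
    "McAfee-GW-Edition": "Generic.grp!n",
    "Sophos": "Mal/KeyGen-A",
    "AntiVir": "TR/Drop.Lmir.DH.2",
    "Antiy-AVL": "Trojan/win32.agent.gen",
    "Commtouch": "W32/MalwareF.NSSW",
    "F-Prot": "W32/MalwareF.NSSW",
    "Jiangmin": "TrojanDropper.LMir.an",
    "nProtect": "Trojan/W32.Agent.163840.GN",
    "PCTools": "Trojan.Gen",
    "SUPERAntiSpyware": "Trojan.Dropper/Gen",
    "Symantec": "Trojan.Gen",
    "TheHacker": "Trojan/Dropper.Lmir.dy",
    "TrendMicro": "TROJ_SPNR.08I911",
    "TrendMicro-HseCl": "TROJ_SPNR.08I911",
    "VIPRE": "Trojan.Win32.Generic!BT",
    "VirusBuster": "Trojan.PEPM!71yxiHZtHQk",
}

BUCKETS = ("no detection", "keygen/riskware/PUA", "generic/heuristic", "named malware")

# Assumed patterns (mine, not any vendor's scheme): an explicit "not malware"
# prefix, versus a generic/heuristic token standing alone between separators.
NOT_MALWARE = re.compile(r"^(not-a-virus|riskware|pua|pup)\b", re.I)
GENERIC = re.compile(r"(^|[./_\-])(gen|generic|grp|agent|heur)(?=[./_!\-]|$)", re.I)
# Tokens that carry no family information, so they must not count as a "family vote".
NOISE = {"not", "virus", "riskware", "pua", "packed", "trojan", "troj", "drop",
         "dropper", "trojandropper", "win", "gen", "generic", "grp", "agent",
         "mal", "malware", "malwaref", "keygen"}


def classify(name):
    if not name:
        return "no detection"
    if NOT_MALWARE.search(name) or "keygen" in name.lower():
        return "keygen/riskware/PUA"
    if GENERIC.search(name):
        return "generic/heuristic"
    return "named malware"


def summarize(detections):
    """Engine count per bucket."""
    counts = Counter(classify(name) for name in detections.values())
    return {bucket: counts[bucket] for bucket in BUCKETS}


def percentages(detections):
    total = len(detections)
    return {bucket: round(100 * n / total) for bucket, n in summarize(detections).items()}


def distinct_names(detections):
    """Group engines by the exact string they emit; identical strings usually
    mean a shared back end, so treat each group as one verdict."""
    groups = {}
    for engine, name in detections.items():
        if name:
            groups.setdefault(name, []).append(engine)
    return groups


def family_votes(detections):
    """For each family-looking token, how many engines mention it."""
    votes = Counter()
    for name in detections.values():
        if not name:
            continue
        tokens = {t.lower() for t in re.split(r"[^A-Za-z]+", name)}
        for token in tokens:
            if len(token) >= 4 and token not in NOISE:
                votes[token] += 1
    return votes


if __name__ == "__main__":
    pct = percentages(DETECTIONS)
    for bucket, n in summarize(DETECTIONS).items():
        print(f"{bucket:22s} {n:2d}  ({pct[bucket]}%)")
    shared = {k: v for k, v in distinct_names(DETECTIONS).items() if len(v) > 1}
    print("identical names from several engines:", shared)
    print("family tokens by engine count:", family_votes(DETECTIONS).most_common(5))
```

On this list the script puts 18 engines in "no detection", 6 in the keygen/riskware/PUA bucket, 8 in generic/heuristic and 8 in named malware; the 22 detections collapse to 18 distinct strings (McAfee and its gateway edition, Commtouch and F-Prot, the two TrendMicro entries, and PCTools and Symantec each repeat one name), and the only family token that three vendors independently agree on is "lmir". A "Gen"/"Generic" label by itself says the engine fired a heuristic rather than a family signature; it is not proof of a false positive, but it is not independent confirmation of anything either.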

Virus Guy

Oct 23, 2011, 6:41:46 PM
Virus Guy wrote:

> It's saying that according to the "VT community", it's got a 100%
> safety score as "goodware". This score is coming primarily from
> a user named "jeje".

Strange thing.

This is now twice that when I try to view "jeje"'s profile on VT, I seem
to cause the VT site to crash.

http://www.virustotal.com/vt-community/user-profile.html?nick=jeje

But I finally got this profile:

=============
Hello @jeje,

The VirusTotal team would like to give you a warm welcome to VT
Community. We hope you find the information in this application useful
and we strongly encourage you to make your own contributions in order to
help the whole community.

Time to start chasing the bad guys ;)
written by @VirusTotalTeam, 2010-09-05 20:28:54 (UTC)
=============

So I guess if the "Virustotalteam" says this file is harmless, they must
be right!

FromTheRafters

Oct 23, 2011, 8:19:23 PM
Virus Guy wrote:
[...]

> ClamAV PUA.Packed.PECompact-1 (wtf is this?)

Potentially Unwanted Application.

I don't know many of the rest, and I feel your pain. Naming systems
really do produce some cryptic names, and it's not easy to decipher.

[...]

Man-wai Chang

Oct 24, 2011, 6:49:18 AM
On 23/10/11 10:11 AM, Virus Guy wrote:
> The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
> up just the keygen and made it available here:
>
> http://www.fileden.com/files/2008/7/19/2010382/keygen.zip

If you really have to execute the program inside, use VirtualBox to
install a jailed WinXP, then copy and run the program inside the virtual
machine. No harm to your host OS guaranteed.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 14:18:02 up 8 days 22:54 0 users load average: 0.05 0.08 0.06
Don't borrow! Don't swindle! No compensated dating! Don't fight! Don't rob! Don't kill yourself! Please consider Comprehensive Social Security Assistance (CSSA):
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa

FromTheRafters

Oct 24, 2011, 5:25:50 PM
Man-wai Chang wrote:
> On 23/10/11 10:11 AM, Virus Guy wrote:
>> The file in question is a keygen for Corel WinDVD Pro 2010. I've zipped
>> up just the keygen and made it available here:
>>
>> http://www.fileden.com/files/2008/7/19/2010382/keygen.zip
>
> If you really have to execute the program inside, use VirtualBox to
> install a jailed WinXP, then copy and run the program inside the virtual
> machine. No harm to your host OS guaranteed.
>
...but what if it's a network enumerating worm?
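The worm question above is really a question about how the VM is wired up, so here is an added example (my own, not anything a poster in this thread ran) that audits a VirtualBox guest for the ways a sample can get off it and emits the VBoxManage commands that close them. It parses `VBoxManage showvminfo <vm> --machinereadable` output; the sample output embedded below is constructed, and the key and flag names (`nic1`, `clipboard`, `draganddrop`, `usb`, `SharedFolderNameMachineMapping1`, `--intnet1`) follow the VirtualBox 6.x CLI, which you should treat as an assumption and check against your own version.

```python
import subprocess

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names follow the VirtualBox 6.x CLI; treat them as an assumption for your version.
SAMPLE_VMINFO = """\
name="xp-sandbox"
ostype="WindowsXP"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
clipboard="bidirectional"
draganddrop="hosttoguest"
usb="on"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
"""

# Values that leave a sample no path off the guest.
SAFE = {"nic": {"none", "intnet"}, "clipboard": {"disabled"},
        "draganddrop": {"disabled"}, "usb": {"off"}}


def parse_vminfo(text):
    info = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            info[key] = value.strip().strip('"')
    return info


def find_leaks(info):
    """Return (key, value) pairs that connect the guest to the host or the LAN."""
    leaks = []
    for key, value in info.items():
        if key.startswith("nic") and key[3:].isdigit():
            if value not in SAFE["nic"]:       # bridged, NAT and host-only all reach something real
                leaks.append((key, value))
        elif key in ("clipboard", "draganddrop", "usb"):
            if value not in SAFE[key]:
                leaks.append((key, value))
        elif key.startswith("SharedFolderNameMachineMapping"):
            leaks.append((key, value))         # a shared folder is a host path the guest can write
    return leaks


def isolation_commands(vm, leaks, intnet="malnet"):
    """VBoxManage invocations that close each leak, then a snapshot to revert to afterwards."""
    cmds = []
    for key, value in leaks:
        if key.startswith("nic"):
            # An internal network with no other members keeps a NIC present for the
            # sample to see, but there is nothing on the other end for a worm to scan.
            cmds.append(["VBoxManage", "modifyvm", vm, f"--{key}", "intnet",
                         f"--intnet{key[3:]}", intnet])
        elif key in ("clipboard", "draganddrop"):
            cmds.append(["VBoxManage", "modifyvm", vm, f"--{key}", "disabled"])
        elif key == "usb":
            cmds.append(["VBoxManage", "modifyvm", vm, "--usb", "off"])
        elif key.startswith("SharedFolderNameMachineMapping"):
            cmds.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", value])
    cmds.append(["VBoxManage", "snapshot", vm, "take", "clean-before-sample"])
    return cmds


def harden(vm, vminfo_text=None, execute=False):
    """Audit a VM (live via VBoxManage, or from captured output) and optionally apply the fixes."""
    if vminfo_text is None:
        vminfo_text = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                                     capture_output=True, text=True, check=True).stdout
    leaks = find_leaks(parse_vminfo(vminfo_text))
    cmds = isolation_commands(vm, leaks)
    if execute:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return leaks, cmds


if __name__ == "__main__":
    leaks, cmds = harden("xp-sandbox", SAMPLE_VMINFO)   # dry run against the constructed sample
    for leak in leaks:
        print("leak:", leak)
    for cmd in cmds:
        print(" ".join(cmd))
```

With the VM powered off, `harden("xp-sandbox", execute=True)` applies the changes and takes the snapshot you restore after the run. This addresses the worm case (nothing is on the internal network to enumerate) and the host-interaction cases (clipboard, drag-and-drop, shared folders, USB), but, as pointed out later in this thread, it does nothing about what the sample does inside the guest during the session; that is what the snapshot and a clean revert are for.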

Ant

Oct 24, 2011, 8:20:50 PM
"David H. Lipman" wrote:

> From: "Virus Guy":
>> The file in question is a keygen for Corel WinDVD Pro 2010.

> Usually with Keygens they open a window with some form of keygen dialogue. This didn't
> create any such dialogue.

It did for me as follows.

Window title:
"Corel WinDVD Pro 2010 Keygen By [Kaizer SoZe / CORE]"

3 text box fields:
"Key Code" (generated)
"Installation Code" (entered by user)
"Activation Code" (generated)

2 buttons:
"Key Code" (generates code in key code field)
"Generate" (generates activation code after Installation code entered)

Clickable link:
"http://www.corel.com/"

> Is it malicious ?
> I didn't see any malicious activity from it.

I suppose some AVs are not liking the PECompact exe packer which is so
often used with malware. Once that's removed you have an ordinary
looking exe created with Borland Delphi which doesn't appear to have
any nasty surprises hidden within.
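To make the PECompact point concrete, here is an added example (mine, not a tool any poster used) of the first-pass static checks behind the conclusions in this thread: confirm the renamed keygen.xex really is a PE by its MZ/PE magic rather than its extension, walk the section table with nothing but the standard library, compute per-section Shannon entropy (a packed or encrypted section sits near 8 bits per byte, plain code and text well below), and pull printable strings and URLs from the plain sections, which is how the French Delphi error text and the corel.com link turn up. The sample PE is constructed in the block so it runs offline; the packer section-name list is an assumed shortlist, and since PECompact 2.x keeps the original section names the entropy check is the one to trust.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Section names some packers leave behind (UPX, PECompact 1.x). Assumed shortlist:
# PECompact 2.x keeps the original names, so entropy is the more reliable tell.
PACKER_SECTION_NAMES = {"upx0", "upx1", "upx2", "pec1", "pec2", ".aspack", ".petite"}


def is_pe(image: bytes) -> bool:
    """True if the bytes carry an MZ header and a PE signature, whatever the extension says."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, roughly 4-6 for code/text, above 7 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Yield (name, raw_offset, raw_size, raw_bytes) from the COFF section table."""
    if not is_pe(image):
        raise ValueError("not a PE image (no MZ/PE signature)")
    coff = struct.unpack_from("<I", image, 0x3C)[0] + 4
    _machine, nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    for i in range(nsect):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, rptr, rsize, image[rptr:rptr + rsize]


def analyze(image: bytes):
    """Per-section entropy, packer heuristics, URLs and a few strings."""
    report = []
    for name, rptr, rsize, data in parse_sections(image):
        ent = shannon_entropy(data)
        report.append({
            "name": name,
            "offset": rptr,
            "size": rsize,
            "entropy": round(ent, 2),
            "packed_like": ent > 7.0 or name.lower() in PACKER_SECTION_NAMES,
            "urls": [u.decode() for u in re.findall(rb"https?://[\x21-\x7e]+", data)],
            "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{8,}", data)][:5],
        })
    return report


# --- constructed sample: a minimal PE with one packed-looking and one plain section ---

def build_image(sections):
    """Assemble DOS header + PE/COFF header + section table + raw data (no optional header)."""
    e_lfanew = 0x40
    raw_ptr = 0x200                                   # first raw section, 512-byte aligned
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, blobs, ptr = b"", b"", raw_ptr
    for name, data in sections:
        size = (len(data) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             size, ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(size, b"\0")
        ptr += size
    header = dos + b"PE\0\0" + coff + table
    return header.ljust(raw_ptr, b"\0") + blobs


# High-entropy bytes standing in for a compressed .text (deterministic, derived from SHA-256).
PACKED_TEXT = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
# Plain data section carrying the kind of strings quoted earlier in the thread.
PLAIN_DATA = (b"Erreur d'application\0"
              b"Le format '%s' est incorrect ou incompatible avec l'argument\0"
              b"http://www.corel.com/\0")
SAMPLE_IMAGE = build_image([(b".text", PACKED_TEXT), (b".rdata", PLAIN_DATA)])

if __name__ == "__main__":
    for section in analyze(SAMPLE_IMAGE):
        print(section)
```

Run against a real file with `analyze(open(path, "rb").read())`. On the constructed sample the `.text` section comes out near 7.95 bits per byte and is flagged packed-like despite its ordinary name, while `.rdata` stays under 2 bits and yields the URL and the error strings. A high-entropy section is exactly what the "Packed.PECompact" and generic detections in this thread are keying on; it tells you to unpack and look again, not that the file is malicious.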


Man-wai Chang

Oct 26, 2011, 5:33:45 AM
> ...but what if it's a network enumerating worm?

I just read about a fake virtual machine that could capture keystrokes
from the host OS from PC World in a nearby public library.

As long as you are careful, it's fine.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3

FromTheRafters

Oct 26, 2011, 7:07:34 PM
Man-wai Chang wrote:
>> ...but what if it's a network enumerating worm?
>
> I just read about a fake virtual machine that could capture keystrokes
> from the host OS from PC World in a nearby public library.
>
> As long as you are careful, it's fine.
>
My point was that just because an infestation isn't persistent doesn't
mean it can't do evil things within the current session. Malware steals
your clock cycles for its own use, a virtual machine is no different in
that respect.

Man-wai Chang

Oct 27, 2011, 6:05:52 AM
> My point was that just because an infestation isn't persistent doesn't
> mean it can't do evil things within the current session. Malware steals
> your clock cycles for its own use, a virtual machine is no different in
> that respect.

At least, the stuff inside a VM would not directly interact with the
host OS.

--
@~@ You have the right to remain silent.
/ v \ Simplicity is Beauty! May the Force and farces be with you!
/( _ )\ (Fedora 15 i686) Linux 3.0.4
^ ^ 09:49:01 up 11 days 13:55 0 users load average: 0.00 0.01 0.05

FromTheRafters

Oct 27, 2011, 7:04:51 AM
Man-wai Chang wrote:
>> My point was that just because an infestation isn't persistent doesn't
>> mean it can't do evil things within the current session. Malware steals
>> your clock cycles for its own use, a virtual machine is no different in
>> that respect.
>
> At least, the stuff inside a VM would not directly interact with the
> host OS.
>
Yeah, that's mostly true. :o)