
FP? Marco Pontello's TrID - File Identifier: Ewido reports "Backdoor.Agent.aec ok"

Discussion in 'Security and Privacy' started by mailman, 2006/08/21.

  1. 2006/08/21
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    While I was perusing an old thread, I found this post by savagcl

    I went to that site, typed a file extension (OCX) in the search box, and was presented with information about the OCX file extension. In the "Identifying Characters" section of that information, I clicked "What's this?" and got a small popup information window that mentions the information for the file extension was "provided by Marco Pontello from his TrID database".

    I Googled marco pontello TrID database which led me to Marco Pontello's Home Page.

    After downloading the TrID v2.00, 25KB ZIP file (for Win32) from Marco Pontello's Home Page, I scanned that trid_w32.zip file with Norton AV (latest definitions). The scan came up clean.

    Then I scanned the zip file with Ewido (also latest definitions) and got an alert:
    Then I scanned with Trojan Hunter (latest defs) and no trojan files were found.

    I also tried extracting the contents of the zip file and scanning the trid.exe file directly with Norton AV and Trojan Hunter. Still clean according to them.

    Is this likely a false positive by Ewido or is it a file I should avoid running?

    EDIT: McAfee's SiteAdvisor classifies Marco Pontello's site as green.
     
    Last edited: 2006/08/21
  2. 2006/08/23
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    I scanned trid.exe tonight with a-squared Free v2.0 (with current definitions) and that also reported clean.

    It's looking more like a false-positive by Ewido. :)


    EDIT: BTW, I have trid.exe extracted from the zip folder and located in my program files\utilities folder to eliminate the possibility of a scanner having trouble with looking inside a ZIP file. (I have not executed the file however.)

    I scanned my system with Spybot Search & Destroy (8/18/2006 definitions) and no risks related to trid.exe were found. Along with the usual negligible risks (MRUs), Spybot S&D flagged my Windows Firewall as off (intentional) and my C:\debuglog.txt (which I expect is a false positive :) but it's interesting nonetheless.)

    I scanned my system with Ad-Aware Pro (using definitions file: SE1R119 15.08.2006) and that also came up clean apart from the usual negligibles.

    I sent a report to Ewido's technical support. :) I will post any explanation I may get from Ewido.
     
    Last edited: 2006/08/23


  4. 2006/08/23
    Geri (Inactive Alumni; Lifetime Subscription; joined 2003/03/02; 4,580 messages; 7 likes received)
    Hi mailman

    You could also have Jotti scan it.
    But you will need the file path to upload it.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
      • whatever the file path is
    • Click on the submit button

      Geri
     
  5. 2006/08/24
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    Thanks, Geri!

    That's a very handy page! I bookmarked it in two different places so I'll have a better chance of finding it again when the need arises. :) (Gotta organize these bookmarks!)

    Here are Jotti's results:

    File: trid.exe
    Status: INFECTED/MALWARE
    MD5 f501d1071eae6e58ccae53991bc533d4
    Packers detected: PE_PATCH.UPX, UPX

    Scanner results

    • AntiVir Found nothing
    • ArcaVir Found nothing
    • Avast Found nothing
    • AVG Antivirus Found BackDoor.Agent.BZB
    • BitDefender Found nothing
    • ClamAV Found nothing
    • Dr.Web Found nothing
    • F-Prot Antivirus Found nothing
    • Fortinet Found nothing
    • Kaspersky Anti-Virus Found nothing
    • NOD32 Found nothing
    • Norman Virus Control Found nothing
    • UNA Found nothing
    • VirusBuster Found nothing
    • VBA32 Found nothing

    Since the Ewido web page offers AVG Antivirus and Ewido as a bundled package, I suspect the same people (Grisoft) are involved with the development of both products.

    However, I wonder if some of the other AV products used in the test have difficulty with UPX.

    So far, it still looks like a false-positive. :) I'm still waiting on a response from Ewido premium support.


    I'm also going to submit (to Jotti's malware scan) the ZIP file (which contains readme files) and the definitions ZIP file that's supposed to be used along with the utility into a WinZip ZIP package so they have all parts to work with and to distribute among the AV researchers if they wish.

    The readme_e.txt (English readme file) states:
    Thanks again, Geri! MUCH appreciated.
     
    Last edited: 2006/08/24
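As an added example (not code from the thread, from TrID, or from Jotti), here is a small Python check covering the two things a defender wants to settle when one engine flags a file and a dozen others call it clean: that the local trid.exe is byte-for-byte the sample Jotti analysed (MD5 compared against the hash posted above), and whether the PE section table carries the UPX0/UPX1 names a stock UPX build leaves behind, which is the kind of packer signal that can drive a generic detection. The `build_pe` helper only constructs a header-only PE skeleton as test input; it is not a real binary.

```python
import hashlib
import struct

JOTTI_MD5 = "f501d1071eae6e58ccae53991bc533d4"  # MD5 Jotti printed for trid.exe

def md5_hex(data):
    """MD5 of a byte string as lowercase hex, the form Jotti prints."""
    return hashlib.md5(data).hexdigest()

def pe_section_names(data):
    """Section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:                                       # truncated table: stop, don't guess
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """Heuristic: stock UPX names its sections UPX0/UPX1. A renamed build hides
    this, and a hit is a packer indicator, not a malware verdict."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def assess(data, expected_md5):
    """What to know before trusting a lone engine's alert on a file."""
    return {"same_sample": md5_hex(data) == expected_md5.lower(),
            "sections": pe_section_names(data),
            "upx_packed": looks_upx_packed(data)}

def build_pe(section_names):
    """Constructed test input: a minimal PE skeleton (DOS header, COFF header with
    a zero-length optional header, section table), not a runnable program."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # PE header right after DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    for name in section_names:
        hdr += name.encode("ascii").ljust(8, b"\0") + bytes(32)  # 40-byte IMAGE_SECTION_HEADER
    return bytes(hdr)
```

On a real file, `assess(open("trid.exe", "rb").read(), JOTTI_MD5)` answers both questions; a hash mismatch means the engines were not even looking at the same bytes.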
  6. 2006/08/24
    charlesvar (Inactive Alumni; joined 2002/02/18; 7,024 messages; 0 likes received)
    Hi mailman,

    The Grisoft/Ewido connection is very recent - two or three months. Prior to that, Ewido was independent and the version you're using was in development long before the merger.

    Regards - Charles
     
  7. 2006/08/24
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    Thanks, Charles.

    Perhaps the (potential FP) flagging of trid.exe as "malware" is due simply to the sharing of the definitions between the two products once Ewido came under GriSoft's management.

    Then again, perhaps the trid.exe really is a baddie that few Anti-malware products currently detect and it's coincidental that the only two we (Thanks again, Geri.) found so far that did detect it just happen to be entirely different products from the same (recently merged) parent company. Time will tell, I guess. (Still waiting to hear from Ewido support and I just now received an automatic update from Ewido that still flags the file.)


    BTW, in case someone hasn't noticed, there is a slight difference in the "malware" name assigned:

    Ewido v4.0.0.172: "Backdoor.Agent.aec ok"
    AVG Antivirus (via Jotti): "BackDoor.Agent.BZB"

    Perhaps they just haven't got around to agreeing on the same name or matching database descriptions for consumers, which I tend to think a single organization would do.
     
  8. 2006/08/24
    charlesvar (Inactive Alumni; joined 2002/02/18; 7,024 messages; 0 likes received)
    Hi mailman,

    I fully agree with that, in fact it was part of the agreement between the two when the merger was announced.

    From here on out, I fully expect at least some joint development.

    Regards - Charles
     
  9. 2006/08/26
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    trid.exe appears to be a false-positive. :)

    Here's the "ewido networks support" reply:

    Date: Fri, 25 Aug 2006
    Ewido's support message also included my original message.

    There was no attachment to the message as the message indicates. :confused: That statement may have been added by my ISP's mail server (or Ewido's). The message headers appear legitimate though (as far as I can tell) and the trouble ticket # in the message's subject field matches the automated message I received shortly after submitting the trid.file and explanation, although my Firefox browser displayed some strange information immediately after submission. I didn't copy the contents though. :(

    I just scanned trid.exe with Ewido 4.0 and it now reports CLEAN. :) Apparently, Ewido has updated their signature definitions to remove the false-positive signature.


    However, Jotti still has AVG Antivirus as the only product they use that reports trid.exe as "infected" with BackDoor.Agent.BZB. I will send a reply to Ewido support indicating that AVG Antivirus at Jotti's malware scan still reports the file as "infected" with "BackDoor.Agent.BZB". I'm guessing AVG just hasn't got around to updating their signatures yet (or at least Jotti hasn't updated their AVG Antivirus signatures if any are available).

    I'll periodically check with Jotti's site to see if/when it changes.


    BTW, I also scanned the trid.exe file with Kaspersky's File Scanner. No infection was found. I scanned my entire system with BitDefender's Online Scanner and trid.exe did not show up in the scan results.
     
  10. 2006/08/26
    mailman (Geek Member, Thread Starter; Lifetime Subscription; joined 2004/01/17; 1,901 messages; 11 likes received)
    On a side note...

    There were a few other files BitDefender's Online Scanner alerted me on though (that all my other scans have missed):

    The first three items I expect are not a problem. The mail attachment is one I placed there on purpose when I reported the message awhile ago (to spoof ^AT^ paypal.com).

    I think the WildTangent one came via my mouse software. I haven't investigated that one yet. I think I uninstalled Logitech's "Resource Center" software and/or killed WildTangent a long time ago. If I recall correctly, WildTangent showed up in an Ad-Aware or Spybot S&D scan shortly after I installed my Logitech mouse software (from CD, if I recall correctly).


    I'm currently investigating a possible rootkit infection (according to GMER's rootkit detector) that might be related to WildTangent though I haven't seen any connection so far, except possibly the "CC" part. (My memory's a little fuzzy on that at this point.) I posted a message in TeMerc's "Gromozon Rootkit: The Mutha Of All Rootkits" thread about that possible rootkit infection. I'll combine information in Google searches and see what I come up with.

    If I can't come to any conclusions on my own, I'll contact GMER log experts somewhere (perhaps at GMER, since that's the application that reports a possible rootkit infection).

    If anybody has ideas or knowledge about how I should proceed with my investigation, please feel free to suggest. :) For now, I'm digging around with Google. I will probably get around to running a couple other rootkit scanners.


    I have already used the RootkitRevealer v1.7 and Blacklight (beta) scanners. Neither of those indicated anything except the following for Rootkit Revealer:

    • HKLM\SYSTEM\ControlSet002\Control\Motorola\PST\USBDriverVersionNumber 3/16/2006 12:13 AM 3 bytes Data mismatch between Windows API and raw hive data.
    • HKLM\SYSTEM\ControlSet003\Control\Motorola\PST\USBDriverVersionNumber 3/16/2006 12:13 AM 3 bytes Data mismatch between Windows API and raw hive data.

    I think the 3/16/2006 date in these particular entries might match the date I installed Motorola driver, firmware, and/or software update(s) for my cell phone. I don't recall exactly which updates I installed :( but I did perform the installation(s) around/at that date/time.

    Here is a thread I started a year ago that's related to this Rootkit Revealer output.

    ===========

    EDIT: Here's a link to some decent information about Wild Tangent and blastrb2.exe : http://www.wilderssecurity.com/showthread.php?p=818762 (in case anyone searching the web or these forums stumbles upon this).

    Doesn't look like I have Wild Tangent installed anywhere on my machine. I think it's just sitting there waiting to be installed (which will be never). :)
     
    Last edited: 2006/08/26
