Goddammit - It's Kaspersky again...

Kaspersky once again believes it has found the virus 'Trojan-PSW.Win32.WOW.bai' in the latest MobMapUpdater.exe :( And it's again the only scanner engine that finds it (the other ones, like the G-Data scanner or F-Secure, use the Kaspersky engine, so they suffer from the same false alarms).

Seems that history is repeating, just with the new version of the MobMapUpdater. I've already sent the new version to Kaspersky for manual analysis.

Seems that I have to do this for every single update of the MobMapUpdater now, just so Kaspersky can assure themselves that I don't put viruses into my software...

[update] There we got it - at least they do respond quite fast:

Hello,

MobMapUpdater.exe

We are sorry, it is false alarm. It will be fixed as soon as possible. Thank you for your help.

Please quote all when answering.

--
Best regards, Andrey Ladikov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/


I just hope they'll update their definitions soon, it makes me mad to know that potentially thousands of users might get upset by this false alarm again.

[update 2] Okay, the web-based scanner from Kaspersky does not detect the "virus" anymore, so it seems that they've updated their definition files. But now AntiVir thinks that there's a virus...man, I'm starting to really hate this anti-virus shit...

[update 3] The request to AntiVir for a manual check and a fix is out, I hope they're as quick as Kaspersky with checking and responding.

[update 4] AntiVir unfortunately hasn't answered yet, but Fortinet has sent this:

Dear Rene Schneider,

Detection to your submission "MobMapUpdater.exe" will be removed in our next AV update.

Best Regards,
AV Lab - Bernard


So well, one less on my list :)

[update 5] AntiVir seems to need quite some time to respond to my inquiry; the file I uploaded is still marked as "in progress" in their tracking system. That's especially bad because many users use the free AntiVir Personal Classic Edition, so I get quite a lot of mails regarding this whole subject.

But at least Fortinet and all Kaspersky-based virus scanners have rolled out their new definitions, which do not classify my updater as malware anymore. There's still a scanner from a company called "Quick Heal" which raises a false alarm, but they were already contacted yesterday, so that will hopefully be fixed soon, too. And then there's the Webwasher Gateway, which doesn't seem to have its own virus lab, but uses several anti-virus detection engines from other companies, so I suspect this scanner uses either the Quick Heal engine or the AntiVir engine, which means this problem will be solved as soon as those scanners get updated definition files. And then there's Prevx, for which I haven't found an address to send stuff for manual verification yet.


Comments


  1. Bhim says:

    Good, you already found out. I just wanted to inform you that it happened again (G-Data Kaspersky engine here) and that I already sent the file to them for analysis. Thumbs up for your fast reaction. :-)

  2. Pomela says:

    F-Secure finds it too: http://www.f-secure.com/v-descs/wow.shtml

    Sorry, I really value MobMap, but I've uninstalled it for the moment.

  3. petitsuisse says:

    AntiVir also reports a trojan

  4. Kindara says:

    Well, Slarti, maybe at least run it through http://www.virustotal.com/ before a release. But what good does that do if, like last time, Kaspersky decides after the fact that it's suddenly infected...

  5. Zack says:

    Well it's not only Kaspersky...
    AntiVir (aka Avira) is showing a false positive too, so I uploaded it to virusscan to see what anyone else says:

    Scan taken on 23 May 2008 18:33:06 (GMT)
    A-Squared Found nothing
    AntiVir Found TR/PSW.Wow.bai
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found W32/WOW.BAI!tr.pws
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    And noticed that Fortinet is also showing a false positive

  6. Slarti says:

    Yep, all those who are showing false positives have been contacted to manually check the program and modify their definition files, including rather unknown companies like Fortinet.

    I'm currently waiting for their responses...

  7. Zack says:

    Sorry to bother again XD
    but I found more unknown AVs with false positives (used Virus Total)

    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.22.1 2008.05.23 -
    AntiVir 7.8.0.19 2008.05.23 TR/PSW.Wow.bai
    Authentium 5.1.0.4 2008.05.23 -
    Avast 4.8.1195.0 2008.05.23 -
    AVG 7.5.0.516 2008.05.23 -
    BitDefender 7.2 2008.05.24 -
    CAT-QuickHeal 9.50 2008.05.23 TrojanPSW.WOW.bai
    ClamAV 0.92.1 2008.05.24 -
    DrWeb 4.44.0.09170 2008.05.23 -
    eSafe 7.0.15.0 2008.05.22 -
    eTrust-Vet 31.4.5817 2008.05.23 -
    Ewido 4.0 2008.05.23 -
    F-Prot 4.4.4.56 2008.05.23 -
    F-Secure 6.70.13260.0 2008.05.23 -
    Fortinet 3.14.0.0 2008.05.24 -
    GData 2.0.7306.1023 2008.05.23 -
    Ikarus T3.1.1.26.0 2008.05.24 -
    Kaspersky 7.0.0.125 2008.05.24 -
    McAfee 5302 2008.05.23 -
    Microsoft None 2008.05.24 -
    NOD32v2 3128 2008.05.23 -
    Norman 5.80.02 2008.05.23 -
    Panda 9.0.0.4 2008.05.23 -
    Prevx1 V2 2008.05.24 Malicious Software
    Rising 20.45.42.00 2008.05.23 -
    Sophos 4.29.0 2008.05.24 -
    Sunbelt 3.0.1123.1 2008.05.17 -
    Symantec 10 2008.05.24 -
    TheHacker 6.2.92.318 2008.05.23 -
    VBA32 3.12.6.6 2008.05.23 -
    VirusBuster 4.3.26:9 2008.05.23 -
    Webwasher-Gateway 6.6.2 2008.05.24 Trojan.PSW.Wow.bai

    CAT-QuickHeal
    Prevx1
    Webwasher-Gateway

    Yes, I didn't know they existed xD but I think it would be good to let u know

  8. BaronChaos says:

    Maybe you could ask Kaspersky, Avira or someone else what's triggering the heuristics.

    It's very likely that they don't give you a hint, but you could have luck and work around it.

  9. Mars says:

    I dunno if it does that because I'm updating manually. But sending data depending on WoW start/end could look like a keylogger or so, so that the heuristic thinks it's a virus.

  10. Zack says:

    Well, Avira calls it a Trojan (their heuristic is one that gives too many false positives, but it's a good AV)
    Maybe it's because of the way automatic mode works, but I can be wrong

    That's why I like Eset Nod32 (the best heuristic u can find out there). I've never seen a false positive from them
    Well, I couldn't find anything about Prevx (only their site http://www.prevx.com/)

    Well good luck in those crazy Av ;)

  11. askjosh says:

    So far I have not had a single false positive with my anti-virus. I use Avast Anti-Virus and it works great :-)

    On a side note can we get a new tab in mobmap called Comments. In this tab we would be able to see a list of all the comments that were created as well as what quests those comments were for.

    The function of this would mostly be for curiosity. Also it would be cool if you could have it record the Character Name and Server name of the person giving the comment so that they can be given proper credit.

    Thanks again and keep up the good work.

  12. Slarti says:

    The idea with a list of all ever-posted comments isn't so bad, I might include something like that someday.

    But however, the character and server names are already included with new comments by default, though the author has the option to post a comment anonymously. So if you see a comment without an author name, the author has explicitly stated that he doesn't want his name to be published.

  13. Patti says:

    kaspersky to send a false message ;)

  14. kaepteniglo says:

    i also use kaspersky, and i never get a virus-alert or trojan-alert in mobmapupdater.

    don't know why but i never got an alert from kaspersky.

  15. Zack says:

    You're going to hate me but it is without updates or bad config XD

  16. Ringkeeper says:

    since the last update of today, AntiVir doesn't show the message anymore.
    (AntiVir Prof).

  17. morte says:

    Looks as if the problem has been fixed

    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.30.1 2008.05.30 -
    AntiVir 7.8.0.24 2008.05.30 -
    Authentium 5.1.0.4 2008.05.29 -
    Avast 4.8.1195.0 2008.05.30 -
    AVG 7.5.0.516 2008.05.30 -
    BitDefender 7.2 2008.05.30 -
    CAT-QuickHeal 9.50 2008.05.29 -
    ClamAV 0.92.1 2008.05.30 -
    DrWeb 4.44.0.09170 2008.05.30 -
    eSafe 7.0.15.0 2008.05.29 -
    eTrust-Vet 31.4.5835 2008.05.30 -
    Ewido 4.0 2008.05.30 -
    F-Prot 4.4.4.56 2008.05.29 -
    F-Secure 6.70.13260.0 2008.05.30 -
    Fortinet 3.14.0.0 2008.05.30 -
    GData 2.0.7306.1023 2008.05.30 -
    Ikarus T3.1.1.26.0 2008.05.30 -
    Kaspersky 7.0.0.125 2008.05.30 -
    McAfee 5306 2008.05.29 -
    Microsoft 1.3520 2008.05.30 -
    NOD32v2 3147 2008.05.30 -
    Norman 5.80.02 2008.05.29 -
    Panda 9.0.0.4 2008.05.29 -
    Prevx1 V2 2008.05.30 -
    Rising 20.46.42.00 2008.05.30 -
    Sophos 4.29.0 2008.05.30 -
    Sunbelt 3.0.1139.1 2008.05.29 -
    Symantec 10 2008.05.30 -
    TheHacker 6.2.92.325 2008.05.30 -
    VBA32 3.12.6.6 2008.05.30 -
    VirusBuster 4.3.26:9 2008.05.29 -
    Webwasher-Gateway 6.6.2 2008.05.30 -

  18. Vince says:

    Right now Avira from H+B EDV has just thrown the trojan warning in my face!

