QUOTE (rdsok @ May 31 2007, 09:58 PM)
If you suspect a file to be a false positive, test the file at http://virusscan.jotti.org
I came across this post after scanning REATOGO-240.exe (MD5 32eb12354ed14c2d8c1ed9f1ed5d7227) at VirusTotal, something I always do with any new software that's small enough to be uploaded to VirusTotal. The results were alarming, 9/32 positives (http://www.virustotal.com/analisis/751d77724db844f93427fcddc3cca07d). Here are just the positives:
AntiVir 22.214.171.124 2008.06.23 SPR/Tool.PsKill.1101
ClamAV 0.93.1 2008.06.23 PUA.Tool.PSKill
Fortinet 126.96.36.199 2008.06.23 RAT/AntiZlob
Ikarus T188.8.131.52.0 2008.06.23 Trojan-Dropper.Win32.Autoit.h
Kaspersky 184.108.40.206 2008.06.23 not-a-virus:RiskTool.Win32.PsKill.1101
McAfee 5322 2008.06.20 potentially unwanted program RemAdm-PSKill
Panda 220.127.116.11 2008.06.22 Application/Pskill.A
Sophos 4.30.0 2008.06.23 NirSoft
(Hmmm. That's only 8, VirusTotal. Why add an extra one that's not there?!)
Anyway, I'd say that 8/32 is quite alarming to say the least. To be fair, I Googled each one in turn.
SPR/Tool.PsKill.1101 - a few meaningless hits
PUA.Tool.PSKill - a few meaningless hits
I decided to Google Tool.PsKill - many meaningless hits; the few relevant ones indicate the presence of pskill.exe which is sometimes used by malware to kill antivirus/anti-spyware software so it isn't detected; not an issue since most good anti-malware tools can't be killed with this; I submitted the two versions of pskill.exe installed on my PC in the SysinternalsSuite and PsTools (they have identical MD5 hashes) to VirusTotal (http://www.virustotal.com/analisis/fc94b5ca708445a353243964130585f1) and got two positives:
DrWeb 4.44.0.09170 2008.06.15 Tool.ProcessKill.12
Sophos 4.30.0 2008.06.15 PsKill
Obviously nothing to worry about.
RAT/AntiZlob - a few meaningless hits
Trojan-Dropper.Win32.Autoit.h - a few meaningless hits; AutoIt itself is an excellent Windows scripting tool that I use all the time to automate repetitive tasks and it would definitely be useful for this application.
not-a-virus:RiskTool.Win32.PsKill.1101 - a number of meaningless hits and it does say "not-a-virus" and there's pskill again, so . . .
potentially unwanted program RemAdm-PSKill - a fair number of hits; according to McAfee, "The program can terminate processes on local or remote WinNT or Win2K systems. This tool was built for use by administrators to do remote system administration." Again, a useful tool for the current application. And there's pskill a fourth time.
Application/Pskill.A - According to Panda, "Pskill.A is not a risk by itself, but the processes ended can belong to antivirus programs or firewalls. This leaves the affected computer vulnerable to the attack of viruses, worms or Trojans." Again pskill.
NirSoft - NirSoft (http://www.nirsoft.net) has an astounding collection of freeware system tools that are incredibly useful and would definitely be useful to Reatogo. (No doubt they'd also be useful to malicious programmers too but that's another story.)
So, in conclusion, although I was certainly alarmed when I first laid eyes on the VirusTotal results, if I consider the evidence, it looks circumstantial at best. It seems that Siegfried has put a lot of effort into this program and it looks like it would make setting up and adding custom plugins to BartPE much easier. I can't imagine why someone who has gone to so much effort to create such a useful tool and shared it with the huge afflicted Windows community would include anything malicious in it. Still, one can't be too careful. It is best to be sceptical with the unfamiliar and test it as much as possible. I would like to know what others think about this and what experiences they may have with the tool.
Another issue that concerns me - I originally downloaded REATOGO-240.exe with Orbit downloader (v2.7.1) from Firefox 2. When I saw the VirusTotal results, I decided to check the MD5 hash with Karen's Hasher, a very reliable freeware tool. Much to my chagrin, it was different from the one posted on the download page. So I downloaded it again twice with Orbit just to see what happened. Each download had a different hash! Then I downloaded it the usual way using the Firefox downloader. This time it had the correct hash and I resubmitted it to VirusTotal. It had already been scanned by someone else with the same results but I rescanned it just to be sure and got the same results. This really concerns me though about Orbit. I've been using it for years and thought it was reliable. Now I'm not sure. I will have to investigate but that is beyond the scope of this post. Just a 'heads up' to all users of the program.
I also decided to scan REATOGO-240.exe at Jotti's VirusScan (http://virusscan.jotti.org) and got same/different/additional/new results:
AntiVir - SPR/Tool.PsKill.1101 (same)
ClamAV - PUA.Tool.PSKill (same)
Kaspersky - not-a-virus:RiskTool.Win32.PsKill.1101 (same)
Panda - Application/Pskill.A (same)
Fortinet (VirusTotal) - RAT/AntiZlob
Fortinet - Found nothing (different)
Sophos (VirusTotal) - NirSoft
Sophos - Found nothing (different)
Ikarus (VirusTotal) - Trojan-Dropper.Win32.Autoit.h
Ikarus - Trojan-Dropper.Win32.Autoit.h, Trojan-PWS.Win32.Lmir, not-a-virus:RiskTool.Win32.PsKill.1101 (additional)
CPsecure - BackDoor.W32.Agobot.aiw (new)
Dr.Web - Program.PsKill.101 (new)
F-Secure Anti-Virus - not-a-virus:RiskTool.Win32.PsKill.1101 (6, 2, 611) (new)
I could find nothing about BackDoor.W32.Agobot.aiw. The results are similar and I would draw the same conclusions based on the additional results.
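The two checks the post walks through by hand, verifying a download's hash against the published one and sorting a pile of multi-engine verdicts into "riskware/tool" detections versus names that still need a look, can be scripted. The block below is an added example and is not code from the post, from Reatogo or from VirusTotal/Jotti; the function names (`digests`, `verify_download`, `classify`, `summarize`) and the engine-name prefixes treated as riskware markers are my assumptions, and the sample verdict lines are constructed from the detection names quoted in the post.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: engine/detection pairs taken from the names quoted in the post,
# written as "Engine: detection" lines (a hypothetical format, not a vendor export).
SAMPLE_VERDICTS = """\
AntiVir: SPR/Tool.PsKill.1101
ClamAV: PUA.Tool.PSKill
Fortinet: RAT/AntiZlob
Ikarus: Trojan-Dropper.Win32.Autoit.h
Kaspersky: not-a-virus:RiskTool.Win32.PsKill.1101
McAfee: potentially unwanted program RemAdm-PSKill
Panda: Application/Pskill.A
Sophos: NirSoft
DrWeb: Program.PsKill.101
CPsecure: BackDoor.W32.Agobot.aiw
"""

# Families the post could attribute to legitimate bundled tools.
FAMILY_PATTERNS = [
    ("PsKill", re.compile(r"pskill|processkill", re.I)),
    ("AutoIt", re.compile(r"autoit", re.I)),
    ("NirSoft", re.compile(r"nirsoft", re.I)),
]

# Vendor prefixes/phrases that label a detection as a tool or PUA rather than malware
# (assumed list; vendors use their own naming schemes).
RISKWARE_MARKERS = ("not-a-virus", "pua", "spr/", "potentially unwanted",
                    "risktool", "program.", "application/")


def digests(data: bytes) -> dict:
    """MD5 (what the download page publishes) plus SHA-256 for a stronger check."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_download(path: str, expected_md5: str) -> bool:
    """Stream the file and compare its MD5 with the published value (case-insensitive).
    A download whose hash changes from one attempt to the next fails this before
    any AV scanning is even worth doing."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().lower() == expected_md5.strip().lower()


def classify(detection: str):
    """Return (family, is_riskware) for one detection name."""
    family = "unclassified"
    for name, pattern in FAMILY_PATTERNS:
        if pattern.search(detection):
            family = name
            break
    lowered = detection.lower()
    is_riskware = any(marker in lowered for marker in RISKWARE_MARKERS)
    return family, is_riskware


def summarize(verdict_text: str) -> dict:
    """Tally verdicts by family and split them into riskware-labelled hits and
    names that were not explained by a known bundled tool or a PUA label."""
    families = Counter()
    riskware, needs_review = [], []
    for line in verdict_text.strip().splitlines():
        engine, _, detection = line.partition(":")
        engine, detection = engine.strip(), detection.strip()
        family, is_riskware = classify(detection)
        families[family] += 1
        (riskware if is_riskware else needs_review).append((engine, detection))
    return {
        "families": dict(families),
        "dominant_family": families.most_common(1)[0],
        "riskware": riskware,
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_VERDICTS)
    print("families:", report["families"])
    print("riskware-labelled:", len(report["riskware"]))
    for engine, detection in report["needs_review"]:
        print("review:", engine, detection)
```

Run against the sample, six of the ten verdicts are PsKill-family tool detections and six carry an explicit riskware/PUA label, while the entries left in `needs_review` are exactly the ones the post could not account for (RAT/AntiZlob, the Agobot name) plus the AutoIt and NirSoft hits, which is the short list a practitioner would actually chase. `verify_download` is the step to run first: a mismatch against the published MD5, or a hash that differs between two downloads of the same file, means the scanned bytes are not the author's bytes and the verdicts are about something else.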