From: Virus Guy on 10 Dec 2009 23:37

Virustotal is reporting that this file is potentially malicious:

http://gpass1.com/download/GPass.exe

Specifically, only 1 AV program is reporting it as a threat:

Jiangmin -> Backdoor/Delf.emx

Is this a correct detection, or a false positive?
From: David H. Lipman on 11 Dec 2009 06:31

From: "Virus Guy" <Virus(a)Guy.com>

| Virustotal is reporting that this file is potentially malicious:
| h**p://gpass1.com/download/GPass.exe
| Specifically, only 1 AV program is reporting it as a threat:
| Jiangmin -> Backdoor/Delf.emx
| Is this a correct detection, or a false positive?

You must think it is because you posted that URL unobfuscated.

It probably may be a FP.

-- Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: Ant on 11 Dec 2009 12:02

"Virus Guy" wrote:

> Jiangmin -> Backdoor/Delf.emx
> Is this a correct detection, or a false positive?

http://gpass1.com/gpass/about

"GPass is a product of the World's Gate, Inc. The World's Gate, Inc. is a private IT company offering Internet solutions for information freedom in China and other regions under suppressive regimes".

Interesting that an entity called "Jiangmin", whoever they are but sounding Chinese, detected it. Perhaps they don't want you penetrating the Great Firewall of China or perhaps they're trying to warn you of something else...

It's packed with PECompact 2, has a simple to bypass anti-unpacking trick, but once unpacked is obviously a Borland Delphi executable (hence 'Delf') with network capabilities that appears to do what it says on the tin; some of which is: "Encrypted socks tunnels and backup tunnels using Skype and Tor".

I haven't looked at it in detail (the unpacked exe is 3 meg) but there is no obvious sign it's malware. The question is, do you trust the gpass1 website? If it came from there and that site is not a front of the Chinese govt (it's hosted in the US) then I'd say it's probably a false positive.
From: Virus Guy on 12 Dec 2009 09:07

Ant wrote:

> > Jiangmin -> Backdoor/Delf.emx
> > Is this a correct detection, or a false positive?

> If it came from there and that site is not a front of the
> Chinese govt (it's hosted in the US) then I'd say it's probably
> a false positive.

F-Secure is now reporting it as: Suspicious:W32/Riskware!Online