From: Lars Uffmann on
Hey everyone!

Struck with nostalgia, I wanted to download all the messagemates at
http://www.screenmates.com/archives.htm
recently, and I discovered some new ones (and not all of the old ones :(
- I decided to download all of them, and came upon a virus warning on
the "DeathWish Dog":
http://www.screenmates.com/download/DeathwishDog.exe

My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
according to their website
http://vil.nai.com/vil/content/v_267459.htm
this signature was only added to Virusscan on the 26th of May 2010.

Since the Screenmates are far older, and I am downloading from the
official site, I am wondering whether:
a) the site has been hacked and someone replaced the original with a
modified file (I found the same virus warning on a different source, so
this is unlikely)
b) this has always been a trojan (unlikely?)
c) McAfee reports false positives with this signature, or is sensitive
to something the program does which does not necessarily do any harm

Has anyone had any false positives with that signature reported in the
recent past?

Best Regards,

Lars
From: FromTheRafters on
"Lars Uffmann" <aral(a)nurfuerspam.de> wrote in message
news:8bap23Fd65U1(a)mid.dfncis.de...
> Hey everyone!
>
> Struck with nostalgia, I wanted to download all the messagemates at
> http://www.screenmates.com/archives.htm
> recently, and I discovered some new ones (and not all of the old ones
> :( - I decided to download all of them, and came upon a virus warning
> on the "DeathWish Dog":
> http://www.screenmates.com/download/DeathwishDog.exe
>
> My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
> according to their website
> http://vil.nai.com/vil/content/v_267459.htm
> this signature has only been added to Virusscan on 26. of May 2010.
>
> Since the Screenmates are far older, and I am downloading from the
> official site, I am wondering whether:
> a) the site has been hacked and someone replaced the original with a
> modified file (I found the same virus warning on a different source,
> so this is unlikely)

I agree - unlikely.

> b) this has always been a trojan (unlikely?)

Again, I agree. Although 'trojans' are tough to nail down, being
subjectively defined.

> c) McAfee reports false positives with this signature, or is sensitive
> to something the program does which does not necessarily do any harm

It appears to be a generic detection as opposed to a signature based
identification.

> Has anyone had any false positives with that signature reported in the

Not me, but false positives from 'generic' and/or 'heuristic' modules are
more likely than one might think.


From: VanguardLH on
Lars Uffmann wrote:

> came upon a virus warning
> http://www.screenmates.com/download/DeathwishDog.exe
>
> My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
> according to their website
> http://vil.nai.com/vil/content/v_267459.htm
> this signature has only been added to Virusscan on 26. of May 2010.

EVERY anti-virus program suffers from false positives. It's up to you
to do further investigation when alerted that a file is suspect.

Submit the file(s) to virustotal.com to see if other AV programs also
report the malware.
From: Ant on
"Lars Uffmann" wrote:

> - I decided to download all of them, and came upon a virus warning on
> the "DeathWish Dog":
> http://www.screenmates.com/download/DeathwishDog.exe
>
> My McAfee Virusscan reports this as the Trojan Generic.dx!sux -

[...]

> c) McAfee reports false positives with this signature, or is sensitive
> to something the program does which does not necessarily do any harm

It's a false positive. Maybe McAfee is picking up on its ability to
run at startup and contact the screenmates site but that only happens
if you tell it to. All screenmates do this, so I don't know what's
causing this one to be flagged.

I examined the file structure and there's nothing unusual about it.
I'm convinced it's clean after monitoring in a debugger, which shows
normal code and normal behaviour. An "mmates.ini" file is created in
the windows directory.
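Ant's "examined the file structure" step, as an added illustration that is not code from the thread: a small PE header and section-table walk that reports the structural oddities an analyst checks before calling a detection a false positive (entry point outside any section, writable+executable sections, sections with no file data, high-entropy sections, odd section names). The bytes it inspects come from build_sample(), a constructed toy PE32 image, not the DeathwishDog download.

```python
"""Structural triage of a Windows PE file: parse the headers and section table
and flag the oddities an analyst looks for before deciding a detection is a
false positive. Added example for this thread, not tooling from it; the PE
bytes it inspects are constructed by build_sample(), not the DeathwishDog file."""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                        ".rsrc", ".reloc", ".tls", ".pdata"}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~0 for padding, close to 8 for compressed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read e_lfanew, COFF header, optional-header entry point and every section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "flags": flags,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "magic": magic, "characteristics": chars,
            "entry": entry, "sections": sections}


def triage(data: bytes) -> list:
    """Return human-readable findings; an empty list means the layout looks ordinary."""
    pe = parse_pe(data)
    findings, entry_in_section = [], False
    for s in pe["sections"]:
        n, f = s["name"], s["flags"]
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_in_section = True
            if not f & IMAGE_SCN_MEM_EXECUTE:
                findings.append(f"entry point 0x{pe['entry']:x} is in non-executable section {n}")
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {n} is writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {n} has no file data but 0x{s['vsize']:x} bytes in memory")
        if s["rawptr"] + s["rawsize"] > len(data):
            findings.append(f"section {n} raw data runs past end of file")
        if s["entropy"] > 7.0:
            findings.append(f"section {n} entropy {s['entropy']:.2f}: packed or encrypted content")
        if n not in COMMON_SECTION_NAMES:
            findings.append(f"unusual section name {n!r}")
    if not entry_in_section:
        findings.append(f"entry point 0x{pe['entry']:x} lies outside every section")
    return findings


def build_sample(suspicious: bool) -> bytes:
    """Construct a tiny PE32 image (not runnable, not a real screenmate) for the demo."""
    text_body = b"\x90" * 0xFF + b"\xC3"               # NOP run ending in RET: low entropy
    text_name = b".text"
    text_flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    entry = 0x1010                                       # inside .text
    if suspicious:
        # SHA-256 chain stands in for packed code; W+X section; entry RVA in no section.
        chunk, text_body = b"seed", b""
        while len(text_body) < 0x400:
            chunk = hashlib.sha256(chunk).digest()
            text_body += chunk
        text_name, text_flags, entry = b"sect0", text_flags | IMAGE_SCN_MEM_WRITE, 0x9000
    data_body = b"mmates.ini\0".ljust(0x100, b"\0")      # the ini name Ant observed
    tsize = len(text_body)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    secs = struct.pack(SECTION_FMT, text_name, tsize, 0x1000, tsize, 0x200, 0, 0, 0, 0, text_flags)
    secs += struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x100, 0x200 + tsize, 0, 0, 0, 0,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return (dos + coff + bytes(opt) + secs).ljust(0x200, b"\0") + text_body + data_body


if __name__ == "__main__":
    for label in ("benign", "suspicious"):
        print(label, triage(build_sample(label == "suspicious")) or ["nothing unusual"])
```

The benign sample produces no findings; the suspicious one trips four of the checks. None of these findings is proof of malice on its own (legitimate packers and self-extractors trip the entropy and section checks too), which is exactly why a structural pass is paired with the debugger run Ant describes rather than replacing it.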


From: David H. Lipman on
From: "Lars Uffmann" <aral(a)nurfuerspam.de>

| Hey everyone!

| Struck with nostalgia, I wanted to download all the messagemates at
| h**p://www.screenmates.com/archives.htm
| recently, and I discovered some new ones (and not all of the old ones :(
| - I decided to download all of them, and came upon a virus warning on
| the "DeathWish Dog":
| h**p://www.screenmates.com/download/DeathwishDog.exe

| My McAfee Virusscan reports this as the Trojan Generic.dx!sux -
| according to their website
| http://vil.nai.com/vil/content/v_267459.htm
| this signature has only been added to Virusscan on 26. of May 2010.

| Since the Screenmates are far older, and I am downloading from the
| official site, I am wondering whether:
| a) the site has been hacked and someone replaced the original with a
| modified file (I found the same virus warning on a different source, so
| this is unlikely)
| b) this has always been a trojan (unlikely?)
| c) McAfee reports false positives with this signature, or is sensitive
| to something the program does which does not necessarily do any harm

| Has anyone had any false positives with that signature reported in the
| recent past?

Ant analyzed the file and he indicates it is clean, so I won't go into the file itself.
However... whenever you are suspicious of a file, or it may be malicious, *always*
obfuscate the URL so it is NOT clickable, as I have done in my reply, in case the URL
is malicious.

http://www.virustotal.com/analisis/64f4ef7f014b8b0df311ece66978d0550b2b33c3e5b6c58e36e4c271829510df-1280353283

I like AntiVir's declaration on this one.
AntiVir 8.2.4.26 2010.07.28 JOKE/Deathwish

Defining it as in the class of Jokes and not malware.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
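Two points from this thread in working form, as an added example that is neither a VirusTotal tool nor anything posted by the participants: FromTheRafters' distinction between a generic/heuristic hit and a named signature, and Dave's habit of defanging URLs before posting them. The summarizer reads scan lines in the "engine version update result" layout of the AntiVir line above; that line is the real one from the reply, the other rows are constructed with placeholder engine names and a placeholder McAfee version.

```python
"""Weigh multi-engine scan results by detection type, and defang URLs for posting.
Added example for this thread (not a VirusTotal tool or the thread's own code).
The AntiVir line is the one quoted in the reply; the other report lines are
constructed, with placeholder engine names and a placeholder version."""

GENERIC_MARKERS = ("generic", "heur", "suspic", "gen:", "behaveslike", "variant")
JOKE_MARKERS = ("joke", "pua", "pup", "not-a-virus", "riskware")

# Constructed report in the "engine version update result" layout seen in the thread.
SAMPLE_REPORT = """\
AntiVir 8.2.4.26 2010.07.28 JOKE/Deathwish
McAfee <version> 2010.07.28 Generic.dx!sux
ExampleAV-A 1.0 2010.07.28 -
ExampleAV-B 1.0 2010.07.28 -
ExampleAV-C 1.0 2010.07.28 Trojan.Generic.KD.123
"""


def classify(result: str) -> str:
    """Bucket a detection name: 'clean', 'joke/pua', 'generic/heuristic' or 'named family'."""
    r = result.strip().lower()
    if r in ("", "-", "clean"):
        return "clean"
    if any(m in r for m in JOKE_MARKERS):
        return "joke/pua"
    if any(m in r for m in GENERIC_MARKERS):
        return "generic/heuristic"
    return "named family"


def parse_report(text: str) -> list:
    """Return (engine, result) pairs from 'engine version date result' lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        engine, result = parts[0], " ".join(parts[3:]) or "-"
        rows.append((engine, result))
    return rows


def summarize(text: str) -> dict:
    """Count detections by class and say how strong the evidence is."""
    rows = parse_report(text)
    counts = {"clean": 0, "joke/pua": 0, "generic/heuristic": 0, "named family": 0}
    for _, result in rows:
        counts[classify(result)] += 1
    flagged = len(rows) - counts["clean"]
    if flagged == 0:
        verdict = "no engine flags the file"
    elif counts["named family"]:
        verdict = "named-family detection present: treat as malicious until shown otherwise"
    else:
        verdict = "only generic/heuristic or joke/PUA hits: weak evidence, corroborate by analysis"
    return {"engines": len(rows), "flagged": flagged, "counts": counts, "verdict": verdict}


def defang(url: str) -> str:
    """Make a URL non-clickable for posting: http -> h**p (Dave's style), dots bracketed."""
    return url.replace("https://", "h**ps://").replace("http://", "h**p://").replace(".", "[.]")


def refang(url: str) -> str:
    """Undo defang() so a scanner or script can consume the URL again."""
    return url.replace("h**ps://", "https://").replace("h**p://", "http://").replace("[.]", ".")


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print(defang("http://www.screenmates.com/download/DeathwishDog.exe"))
```

On the constructed report three of five engines flag the file, but every hit is either a generic/heuristic name or a joke-class label, so the verdict is "weak evidence" rather than "malicious"; a single named-family detection would flip it. The marker lists are deliberately short and substring-based, so extend them for the vendors you actually compare.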