WPA_Kill.exe false positive in Avast?

Discussion in 'Computer Security' started by Al Smith, Jul 4, 2006.

  1. Al Smith

    Al Smith Guest

    I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
    for a couple of years. It never triggered an antivirus alert.
    Recently, it tripped my Avast antivirus, which identified it as
    the "Win32:Small-XC" trojan. I think this must be a false positive.

    I submitted this file to the on-line scanner at Kaspersky Labs,
    and it came up clean.

    What do you think? Trojan? How likely is it that it would go
    undetected for two years and dozens of antivirus and malware
    scans, and now suddenly be identified by Avast as a trojan?
     
    Al Smith, Jul 4, 2006
    #1

  2. Al Smith

    Kerodo Guest

    In article <kmhqg.116145$S61.86028@edtnps90>,
    says...
    > I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
    > for a couple of years. It never triggered an antivirus alert.
    > Recently, it tripped my Avast antivirus, which identified it as
    > the "Win32:Small-XC" trojan. I think this must be a false positive.
    >
    > I submitted this file to the on-line scanner at Kaspersky Labs,
    > and it came up clean.
    >
    > What do you think? Trojan? How likely is it that it would go
    > undetected for two years and dozens of antivirus and malware
    > scans, and now suddenly be identified by Avast as a trojan?
    >


    I'd try a couple of reputable online scanners and then maybe submit the
    file to the Avast people and tell them you think it's an FP... see what
    they say.

    --
    Kerodo
     
    Kerodo, Jul 4, 2006
    #2

  3. Al Smith

    Al Smith Guest

    >>I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
    >>> for a couple of years. It never triggered an antivirus alert.
    >>> Recently, it tripped my Avast antivirus, which identified it as
    >>> the "Win32:Small-XC" trojan. I think this must be a false positive.
    >>>
    >>> I submitted this file to the on-line scanner at Kaspersky Labs,
    >>> and it came up clean.
    >>>
    >>> What do you think? Trojan? How likely is it that it would go
    >>> undetected for two years and dozens of antivirus and malware
    >>> scans, and now suddenly be identified by Avast as a trojan?
    >>>

    >
    >
    > I'd try a couple of reputable online scanners and then maybe submit the
    > file to the Avast people and tell them you think it's an FP... see what
    > they say.


    Yes, I'm thinking I should probably send it in to Avast to get
    their response.
     
    Al Smith, Jul 4, 2006
    #3
  4. Al Smith

    Vanguard Guest

    "Al Smith" <> wrote in message
    news:kmhqg.116145$S61.86028@edtnps90...
    > I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer for
    > a couple of years. It never triggered an antivirus alert. Recently,
    > it tripped my Avast antivirus, which identified it as the
    > "Win32:Small-XC" trojan. I think this must be a false positive.
    >
    > I submitted this file to the on-line scanner at Kaspersky Labs, and
    > it came up clean.
    >
    > What do you think? Trojan? How likely is it that it would go
    > undetected for two years and dozens of antivirus and malware scans,
    > and now suddenly be identified by Avast as a trojan?



    Upload it to http://www.virustotal.com/en/indexf.html and have them
    run several anti-virus scanners against it.
     
    Vanguard, Jul 4, 2006
    #4
  5. Al Smith

    Al Smith Guest

    >> I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer for a couple of years. It never triggered an antivirus alert. Recently, it tripped my Avast antivirus, which identified it as the "Win32:Small-XC" trojan. I think this must be a false positive.
    >>
    >> I submitted this file to the on-line scanner at Kaspersky Labs, and it came up clean.
    >>
    >> What do you think? Trojan? How likely is it that it would go undetected for two years and dozens of antivirus and malware scans, and now suddenly be identified by Avast as a trojan?

    >
    >
    >
    > Upload it to http://www.virustotal.com/en/indexf.html and have them run several anti-virus scanners against it.


    I sent it in to Avast. This site you link to seems to require some
    sort of plugin. I don't run stuff when I browse (no Active-X, no
    Java, no JavaScript, no cookies, and so on), so it's probably not
    my sort of site.
     
    Al Smith, Jul 4, 2006
    #5
  6. From: "Al Smith" <>


    |
    | Yes, I'm thinking I should probably send it in to Avast to get
    | their response.


    Please submit a sample of "WPA_Kill.exe" to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:?subject=SCAN

    When you get the report, please post back the exact results.

    If it isn't recognized by the other vendors.

    Use the following URL and submit the file to AVAST.

    mailto:?subject=False%20Positive


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jul 4, 2006
    #6
  7. From: "Al Smith" <>

    ..
    |
    | I sent it in to Avast. This site you link to seems to require some
    | sort of plugin. I don't run stuff when I browse (no Active-X, no
    | Java, no JavaScript, no cookies, and so on), so it's probably not
    | my sort of site.

    It is a *very* respectable site and in my previous reply, I provided an email URL that can
    be used to submit the sample for vendor analysis.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jul 4, 2006
    #7
  8. Al Smith

    Al Smith Guest

    > | Yes, I'm thinking I should probably send it in to Avast to get
    > | their response.
    >
    >
    > Please submit a sample of "WPA_Kill.exe" to Virus Total --
    > http://www.virustotal.com/flash/index_en.html
    > The submission will then be tested against many different AV vendors' scanners.
    > That will give you an idea what it is and who recognizes it. In addition, unless told
    > otherwise, Virus Total will provide the sample to all participating vendors.
    >
    > You can also submit a suspect, one at a time, via the following email URL...
    > mailto:?subject=SCAN
    >
    > When you get the report, please post back the exact results.
    >
    > If it isn't recognized by the other vendors.
    >
    > Use the following URL and submit the file to AVAST.
    >
    > mailto:?subject=False%20Positive


    Avast hasn't responded yet. I just sent the file off to the mail
    address you provided for Virus Total.
     
    Al Smith, Jul 4, 2006
    #8
  9. Al Smith

    Al Smith Guest

    > | I sent it in to Avast. This site you link to seems to require some
    > | sort of plugin. I don't run stuff when I browse (no Active-X, no
    > | Java, no JavaScript, no cookies, and so on), so it's probably not
    > | my sort of site.
    >
    > It is a *very* respectable site and in my previous reply, I provided an email URL that can
    > be used to submit the sample for vendor analysis.


    Yes, I just ran across the mail address and used it. Thanks. It's
    just that I don't turn on JavaScript and so on unless I'm really
    forced to do so. If a Web site doesn't work without them, I
    generally ignore the site.
     
    Al Smith, Jul 4, 2006
    #9
  10. Al Smith

    Al Smith Guest

    Well, that was quick. Here are the results for the scan by Virus
    Total. It looks to me as if Avast is the only one that flags the
    file as an actual out-and-out trojan. Although BitDefender is a
    bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
    what that means, exactly. It is indeed WPA_Kill. That is indeed a
    tool. Whether it's a trojan in the nasty, active sense, I can't
    quite figure. The other scans seem to say no. Again, I'm not sure
    about Fortinet. It identifies the file by its name, then puts "tr"
    after the name. What does that mean? Am I right in thinking that
    the overall drift is that this isn't a trojan, but that some
    scanners think it is a questionable file because of what it does?

    ...............

    Virus Total
    _______________________________________________

    Scan results
    File: WPA_Kill.exe
    Date: 07/04/2006 19:44:18 (CET)
    ----
    AntiVir 6.35.0.20/20060704 found nothing
    Authentium 4.93.8/20060703 found nothing
    Avast 4.7.844.0/20060703 found [Win32:Small-XC]
    AVG 386/20060704 found nothing
    BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
    CAT-QuickHeal 8.00/20060704 found nothing
    ClamAV devel-20060426/20060704 found nothing
    DrWeb 4.33/20060704 found nothing
    eTrust-InoculateIT 23.72.59/20060704 found nothing
    eTrust-Vet 12.6.2285/20060704 found nothing
    Ewido 3.5/20060704 found nothing
    Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
    F-Prot 3.16f/20060703 found nothing
    F-Prot4 4.2.1.29/20060703 found nothing
    Ikarus 0.2.65.0/20060704 found nothing
    Kaspersky 4.0.2.24/20060704 found nothing
    McAfee 4799/20060704 found [Tool-WPAKill]
    Microsoft 1.1481/20060701 found nothing
    NOD32v2 1.1643/20060704 found nothing
    Norman 5.90.23/20060704 found nothing
    Panda 9.0.0.4/20060704 found nothing
    Sophos 4.07.0/20060704 found nothing
    Symantec 8.0/20060704 found nothing
    TheHacker 5.9.8.168/20060703 found nothing
    UNA 1.83/20060704 found nothing
    VBA32 3.11.0/20060704 found nothing
    VirusBuster 4.3.7:9/20060704 found nothing
     
    Al Smith, Jul 4, 2006
    #10
  11. From: "Al Smith" <>

    | Well, that was quick. Here are the results for the scan by Virus
    | Total. It looks to me as if Avast is the only one that flags the
    | file as an actual out-and-out trojan. Although BitDefender is a
    | bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
    | what that means, exactly. It is indeed WPA_Kill. That is indeed a
    | tool. Whether it's a trojan in the nasty, active sense, I can't
    | quite figure. The other scans seem to say no. Again, I'm not sure
    | about Fortinet. It identifies the file by its name, then puts "tr"
    | after the name. What does that mean? Am I right in thinking that
    | the overall drift is that this isn't a trojan, but that some
    | scanners think it is a questionable file because of what it does?
    |
    | ..............
    |
    | Virus Total
    | _______________________________________________
    |
    | Scan results
    | File: WPA_Kill.exe
    | Date: 07/04/2006 19:44:18 (CET)
    | ----

    | Avast 4.7.844.0/20060703 found [Win32:Small-XC]
    | BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
    | Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
    | McAfee 4799/20060704 found [Tool-WPAKill]

    < snip

    Tool-WPAKill -- http://vil.nai.com/vil/content/v_136760.htm

    McAfee is mixed on this. On one hand it calls this a Trojan but defines it as a "Tool" and
    a "Potentially unwanted program" so what I can discern from this is that the utility is NOT
    in itself malicious but can be used in a malicious fashion.

    Based upon this, I would not call this a False Positive.

    If it is a tool you like to use, legitimately, I suggest storing it in a password protected
    ZIP file and disabling Avast prior to extracting it for use.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jul 4, 2006
    #11
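The Virus Total report posted in #10 and trimmed in #11 can be read mechanically; the following is an added example, not part of any post in this thread. It parses the report's line format and separates engines whose label names the program from those that apply an unrelated label; the `program` token and the "tool" grouping are assumptions made for this illustration, not vendor naming rules.

```python
import re

# Lines copied from the Virus Total report posted in this thread (subset of engines).
REPORT = """\
AntiVir 6.35.0.20/20060704 found nothing
Avast 4.7.844.0/20060703 found [Win32:Small-XC]
BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
Kaspersky 4.0.2.24/20060704 found nothing
McAfee 4799/20060704 found [Tool-WPAKill]
VirusBuster 4.3.7:9/20060704 found nothing
"""

# "<engine> <version>/<signature date> found nothing" or "... found [<label>]";
# an optional leading "|" or ">" covers lines quoted in a reply.
LINE = re.compile(
    r"^\s*[|>]?\s*(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})"
    r"\s+found\s+(?:\[(?P<label>[^\]]+)\]|nothing)\s*$"
)

def parse_report(text):
    """Return one dict per engine line; label is None for 'found nothing'."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def tokens(label):
    """Split a detection label into lowercase alphanumeric tokens."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", label.lower()) if t]

def summarize(rows, program="wpakill"):
    """Group detecting engines by what their label says (assumed heuristic)."""
    hits = [r for r in rows if r["label"]]
    return {
        "engines": len(rows),
        "detections": len(hits),
        "names_program": [r["engine"] for r in hits if program in tokens(r["label"])],
        "generic_label": [r["engine"] for r in hits if program not in tokens(r["label"])],
        "tool_class": [r["engine"] for r in hits if "tool" in tokens(r["label"])],
    }

if __name__ == "__main__":
    for key, value in summarize(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```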
  12. Al Smith

    Kerodo Guest

    In article <Zayqg.8093$0G2.6046@trnddc07>, DLipman~nospam~@Verizon.Net
    says...
    >
    > If it is a tool you like to use, legitimately, I suggest storing it in a password protected
    > ZIP file and disabling Avast prior to extracting it for use.
    >


    Or, if Avast can handle exclusions, tell it to exclude this file from
    any future scans.

    --
    Kerodo
     
    Kerodo, Jul 4, 2006
    #12
  13. Al Smith

    Al Smith Guest

    >>If it is a tool you like to use, legitimately, I suggest storing it in a password protected
    >>> ZIP file and disabling Avast prior to extracting it for use.
    >>>

    >
    >
    > Or, if Avast can handle exclusions, tell it to exclude this file from
    > any future scans.
    >
    > --


    That's a reasonable option. Another I thought of is simply copying
    the file to a floppy and in that way getting it off my hard drive.
    I don't want to delete it because, as I discovered this week while
    poking around for it, WPA_Kill is becoming harder to find on the
    Internet. I might have trouble locating it the next time I need it.
     
    Al Smith, Jul 4, 2006
    #13
  14. Al Smith

    ezbless

    Joined:
    May 31, 2008
    Messages:
    1
    Here's a printed to PDF file I created with my results from using the Virus Total service to upload and scan my copy of WPA_KILL.EXE:

    What do you think?


    Thanks

    - soltero
     
    ezbless, May 31, 2008
    #14
