WPA_Kill.exe false positive in Avast?

I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
for a couple of years. It never triggered an antivirus alert.
Recently, it tripped my Avast antivirus, which identified it as
the "Win32:Small-XC" trojan. I think this must be a false positive.

I submitted this file to the on-line scanner at Kaspersky Labs,
and it came up clean.

What do you think? Trojan? How likely is it that it would go
undetected for two years and dozens of antivirus and malware
scans, and now suddenly be identified by Avast as a trojan?

 

I'd try a couple of reputable online scanners and then maybe submit the
file to the Avast people and tell them you think it's an FP... see what
they say.

 

I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer

Yes, I'm thinking I should probably send it in to Avast to get
their response.

 

Upload it to http://www.virustotal.com/en/indexf.html and have them
run several anti-virus scanners against it.

 

I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer for a couple of years. It never triggered an antivirus alert. Recently, it tripped my Avast antivirus, which identified it as the "Win32:Small-XC" trojan. I think this must be a false positive.

I sent it in to Avast. This site you link to seems to require some
sort of plugin. I don't run stuff when I browse (no Active-X, no
Java, no JavaScript, no cookies, and so on), so it's probably not
my sort of site.

 

From: "Al Smith" <>


|
| Yes, I'm thinking I should probably send it in to Avast to get
| their response.


Please submit a sample of "WPA_Kill.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:?subject=SCAN

When you get the report, please post back the exact results.

If it isn't recogized by the other vendors.

Use the following URL and submit the file to AVAST.

mailto:?subject=False%20Positive

 

From: "Al Smith" <>

..
|
| I sent it in to Avast. This site you link to seems to require some
| sort of plugin. I don't run stuff when I browse (no Active-X, no
| Java, no JavaScript, no cookies, and so on), so it's probably not
| my sort of site.

It is a *very* respectable site and in my previous reply, I provided an email URL that can
be used to submit the sample for vendor analysis.

 

Yes, I'm thinking I should probably send it in to Avast to get

Avast hasn't responded yet. I just sent the file off to the mail
address you provided for Virus Total.

 

I sent it in to Avast. This site you link to seems to require some

Yes, I just ran across the mail address and used it. Thanks. It's
just that I don't turn on JavaScript and so on unless I'm really
forced to do so. If a Web site doesn't work without them, I
generally ignore the site.

 

Well, that was quick. Here are the results for the scan by Virus
Total. It looks to me as if Avast is the only one that flags the
file as an actual out-and-out trojan. Although BitDefender is a
bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
what that means, exactly. It is indeed WPA_Kill. That is indeed a
tool. Whether it's a trojan in the nasty, active sense, I can't
quite figure. The other scans seem to say no. Again, I'm not sure
about Fortinet. It identifies the file by its name, then puts "tr"
after the name. What does that mean? Am I right in thinking that
the overall drift is that this isn't a trojan, but that some
scanners think it is a questionable file because of what it does?

...............

Virus Total
_______________________________________________

Scan results
File: WPA_Kill.exe
Date: 07/04/2006 19:44:18 (CET)
----
AntiVir 6.35.0.20/20060704 found nothing
Authentium 4.93.8/20060703 found nothing
Avast 4.7.844.0/20060703 found [Win32:Small-XC]
AVG 386/20060704 found nothing
BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
CAT-QuickHeal 8.00/20060704 found nothing
ClamAV devel-20060426/20060704 found nothing
DrWeb 4.33/20060704 found nothing
eTrust-InoculateIT 23.72.59/20060704 found nothing
eTrust-Vet 12.6.2285/20060704 found nothing
Ewido 3.5/20060704 found nothing
Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
F-Prot 3.16f/20060703 found nothing
F-Prot4 4.2.1.29/20060703 found nothing
Ikarus 0.2.65.0/20060704 found nothing
Kaspersky 4.0.2.24/20060704 found nothing
McAfee 4799/20060704 found [Tool-WPAKill]
Microsoft 1.1481/20060701 found nothing
NOD32v2 1.1643/20060704 found nothing
Norman 5.90.23/20060704 found nothing
Panda 9.0.0.4/20060704 found nothing
Sophos 4.07.0/20060704 found nothing
Symantec 8.0/20060704 found nothing
TheHacker 5.9.8.168/20060703 found nothing
UNA 1.83/20060704 found nothing
VBA32 3.11.0/20060704 found nothing
VirusBuster 4.3.7:9/20060704 found nothing

 

From: "Al Smith" <>

| Well, that was quick. Here are the results for the scan by Virus
| Total. It looks to me as if Avast is the only one that flags the
| file as an actual out-and-out trojan. Although BitDefender is a
| bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
| what that means, exactly. It is indeed WPA_Kill. That is indeed a
| tool. Whether it's a trojan in the nasty, active sense, I can't
| quite figure. The other scans seem to say no. Again, I'm not sure
| about Fortinet. It identifies the file by its name, then puts "tr"
| after the name. What does that mean? Am I right in thinking that
| the overall drift is that this isn't a trojan, but that some
| scanners think it is a questionable file because of what it does?
|
| ..............
|
| Virus Total
| _______________________________________________
|
| Scan results
| File: WPA_Kill.exe
| Date: 07/04/2006 19:44:18 (CET)
| ----

| Avast 4.7.844.0/20060703 found [Win32:Small-XC]
| BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
| Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
| McAfee 4799/20060704 found [Tool-WPAKill]

< snip

Tool-WPAKill -- http://vil.nai.com/vil/content/v_136760.htm

McAfee is mixed on this. On one hand it calls this a Trojan but defines it as a "Tool" and
a "Potentially unwanted program" so what I can discern from this is that the utility is NOT
in itelf malicious but can be used in a malicious fashion.

Based upon this, I would not call this a False Positive.

If it is a tool you like to use, legitimately, I suggest storing it in a password protected
ZIP file and disabling Avast prior to extracting it for use.

 

Or, if Avast can handle exclusions, tell it to exclude this file from
any future scans.

 

If it is a tool you like to use, legitimately, I suggest storing it in a password protected

That's a reasonable option. Another I thought of is simply copying
the file to a floppy and in that way getting it off my hard drive.
I don't want to delete it because, as I discovered this week while
poking around for it, WPA_Kill is becoming harder to find on the
Internet. I might have trouble locating it the next time I need it.

 

Here's a printed to PDF file I created with my results from using the Virus Total service to upload and scan my copy of WPA_KILL.EXE:

What do you think?


Thanks

- soltero