WPA_Kill.exe false positive in Avast?

Discussion in 'Computer Security' started by Al Smith, Jul 4, 2006.

  1. Al Smith

    Al Smith Guest

    I've had the file "WPA_Kill.exe" (version 1.6.2) on my computer
    for a couple of years. It never triggered an antivirus alert.
    Recently, it tripped my Avast antivirus, which identified it as
    the "Win32:Small-XC" trojan. I think this must be a false positive.

    I submitted this file to the on-line scanner at Kaspersky Labs,
    and it came up clean.

    What do you think? Trojan? How likely is it that it would go
    undetected for two years and dozens of antivirus and malware
    scans, and now suddenly be identified by Avast as a trojan?
     
    Al Smith, Jul 4, 2006
    #1

  2. Al Smith

    Kerodo Guest

    I'd try a couple of reputable online scanners and then maybe submit the
    file to the Avast people and tell them you think it's an FP... see what
    they say.
     
    Kerodo, Jul 4, 2006
    #2

  3. Al Smith

    Al Smith Guest

    Yes, I'm thinking I should probably send it in to Avast to get
    their response.
     
    Al Smith, Jul 4, 2006
    #3
  4. Al Smith

    Vanguard Guest


    Upload it to http://www.virustotal.com/en/indexf.html and have them
    run several anti-virus scanners against it.
     
    Vanguard, Jul 4, 2006
    #4
  5. Al Smith

    Al Smith Guest

    I sent it in to Avast. This site you link to seems to require some
    sort of plugin. I don't run stuff when I browse (no Active-X, no
    Java, no JavaScript, no cookies, and so on), so it's probably not
    my sort of site.
     
    Al Smith, Jul 4, 2006
    #5
  6. From: "Al Smith" <>


    |
    | Yes, I'm thinking I should probably send it in to Avast to get
    | their response.


    Please submit a sample of "WPA_Kill.exe" to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:?subject=SCAN

    When you get the report, please post back the exact results.

    If it isn't recognized by the other vendors.

    Use the following URL and submit the file to AVAST.

    mailto:?subject=False%20Positive
     
    David H. Lipman, Jul 4, 2006
    #6
  7. From: "Al Smith" <>

    ..
    |
    | I sent it in to Avast. This site you link to seems to require some
    | sort of plugin. I don't run stuff when I browse (no Active-X, no
    | Java, no JavaScript, no cookies, and so on), so it's probably not
    | my sort of site.

    It is a *very* respectable site and in my previous reply, I provided an email URL that can
    be used to submit the sample for vendor analysis.
     
    David H. Lipman, Jul 4, 2006
    #7
  8. Al Smith

    Al Smith Guest

    Avast hasn't responded yet. I just sent the file off to the mail
    address you provided for Virus Total.
     
    Al Smith, Jul 4, 2006
    #8
  9. Al Smith

    Al Smith Guest

    Yes, I just ran across the mail address and used it. Thanks. It's
    just that I don't turn on JavaScript and so on unless I'm really
    forced to do so. If a Web site doesn't work without them, I
    generally ignore the site.
     
    Al Smith, Jul 4, 2006
    #9
  10. Al Smith

    Al Smith Guest

    Well, that was quick. Here are the results for the scan by Virus
    Total. It looks to me as if Avast is the only one that flags the
    file as an actual out-and-out trojan. Although BitDefender is a
    bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
    what that means, exactly. It is indeed WPA_Kill. That is indeed a
    tool. Whether it's a trojan in the nasty, active sense, I can't
    quite figure. The other scans seem to say no. Again, I'm not sure
    about Fortinet. It identifies the file by its name, then puts "tr"
    after the name. What does that mean? Am I right in thinking that
    the overall drift is that this isn't a trojan, but that some
    scanners think it is a questionable file because of what it does?

    ...............

    Virus Total
    _______________________________________________

    Scan results
    File: WPA_Kill.exe
    Date: 07/04/2006 19:44:18 (CET)
    ----
    AntiVir 6.35.0.20/20060704 found nothing
    Authentium 4.93.8/20060703 found nothing
    Avast 4.7.844.0/20060703 found [Win32:Small-XC]
    AVG 386/20060704 found nothing
    BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
    CAT-QuickHeal 8.00/20060704 found nothing
    ClamAV devel-20060426/20060704 found nothing
    DrWeb 4.33/20060704 found nothing
    eTrust-InoculateIT 23.72.59/20060704 found nothing
    eTrust-Vet 12.6.2285/20060704 found nothing
    Ewido 3.5/20060704 found nothing
    Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
    F-Prot 3.16f/20060703 found nothing
    F-Prot4 4.2.1.29/20060703 found nothing
    Ikarus 0.2.65.0/20060704 found nothing
    Kaspersky 4.0.2.24/20060704 found nothing
    McAfee 4799/20060704 found [Tool-WPAKill]
    Microsoft 1.1481/20060701 found nothing
    NOD32v2 1.1643/20060704 found nothing
    Norman 5.90.23/20060704 found nothing
    Panda 9.0.0.4/20060704 found nothing
    Sophos 4.07.0/20060704 found nothing
    Symantec 8.0/20060704 found nothing
    TheHacker 5.9.8.168/20060703 found nothing
    UNA 1.83/20060704 found nothing
    VBA32 3.11.0/20060704 found nothing
    VirusBuster 4.3.7:9/20060704 found nothing
     
    Al Smith, Jul 4, 2006
    #10
  11. From: "Al Smith" <>

    | Well, that was quick. Here are the results for the scan by Virus
    | Total. It looks to me as if Avast is the only one that flags the
    | file as an actual out-and-out trojan. Although BitDefender is a
    | bit ambiguous in calling it "Trojan. Tool. Wpakill.B." Not sure
    | what that means, exactly. It is indeed WPA_Kill. That is indeed a
    | tool. Whether it's a trojan in the nasty, active sense, I can't
    | quite figure. The other scans seem to say no. Again, I'm not sure
    | about Fortinet. It identifies the file by its name, then puts "tr"
    | after the name. What does that mean? Am I right in thinking that
    | the overall drift is that this isn't a trojan, but that some
    | scanners think it is a questionable file because of what it does?
    |
    | ..............
    |
    | Virus Total
    | _______________________________________________
    |
    | Scan results
    | File: WPA_Kill.exe
    | Date: 07/04/2006 19:44:18 (CET)
    | ----

    | Avast 4.7.844.0/20060703 found [Win32:Small-XC]
    | BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
    | Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
    | McAfee 4799/20060704 found [Tool-WPAKill]

    < snip

    Tool-WPAKill -- http://vil.nai.com/vil/content/v_136760.htm

    McAfee is mixed on this. On one hand it calls this a Trojan but defines it as a "Tool" and
    a "Potentially unwanted program" so what I can discern from this is that the utility is NOT
    in itself malicious but can be used in a malicious fashion.

    Based upon this, I would not call this a False Positive.

    If it is a tool you like to use, legitimately, I suggest storing it in a password protected
    ZIP file and disabling Avast prior to extracting it for use.
     
    David H. Lipman, Jul 4, 2006
    #11
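
Added example (not part of any post in this thread): a small Python parser for the Virus Total text report quoted above, which counts detections and separates labels that name the tool from labels that do not. The sample lines are a subset copied from the report in post #10; the function names and the `wpakill` keyword are assumptions made for this illustration.

```python
import re

# Constructed sample: a subset of the report lines quoted in the thread above.
SAMPLE_REPORT = """\
Scan results
File: WPA_Kill.exe
Date: 07/04/2006 19:44:18 (CET)
----
AntiVir 6.35.0.20/20060704 found nothing
Avast 4.7.844.0/20060703 found [Win32:Small-XC]
BitDefender 7.2/20060704 found [Trojan.Tool.Wpakill.B]
Fortinet 2.77.0.0/20060703 found [WPAKill!tr]
Kaspersky 4.0.2.24/20060704 found nothing
McAfee 4799/20060704 found [Tool-WPAKill]
"""

# engine, engine version, signature date (YYYYMMDD), then "[label]" or "nothing"
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:\[(?P<label>[^\]]+)\]|nothing)\s*$"
)

def parse_report(text):
    """Return one dict per engine line; header and separator lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.lstrip(" |"))  # tolerate '| ' reply-quote prefixes
        if m:
            rows.append(m.groupdict())       # label is None for "found nothing"
    return rows

def _norm(s):
    """Lower-case and drop punctuation so 'Tool-WPAKill' matches 'wpakill'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def triage(rows, keyword):
    """Split detections into labels that name `keyword` and labels that do not."""
    hits = [r for r in rows if r["label"]]
    named = sorted(r["engine"] for r in hits if _norm(keyword) in _norm(r["label"]))
    other = sorted(r["engine"] for r in hits if _norm(keyword) not in _norm(r["label"]))
    return {"engines": len(rows), "detections": len(hits),
            "names_tool": named, "other_label": other}

if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT), "wpakill"))
```

On the sample, three of the four detections carry a label built from the tool's own name, and only Avast's label does not.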
  12. Al Smith

    Kerodo Guest

    Or, if Avast can handle exclusions, tell it to exclude this file from
    any future scans.
     
    Kerodo, Jul 4, 2006
    #12
  13. Al Smith

    Al Smith Guest

    That's a reasonable option. Another I thought of is simply copying
    the file to a floppy and in that way getting it off my hard drive.
    I don't want to delete it because, as I discovered this week while
    poking around for it, WPA_Kill is becoming harder to find on the
    Internet. I might have trouble locating it the next time I need it.
     
    Al Smith, Jul 4, 2006
    #13
  14. Al Smith

    ezbless

    Here's a printed to PDF file I created with my results from using the Virus Total service to upload and scan my copy of WPA_KILL.EXE:

    What do you think?


    Thanks

    - soltero
     
    ezbless, May 31, 2008
    #14