VideoHelp Forum
  1. I have VideoRedoPlus, version 2.5.6.512. My overnight scan by AntiVir (Free) has reported:
    "VideoRedoPlus-2-1-1-413.exe contains...DR/Genome.kht dropper"

    I've allowed it to send to quarantine.

    Anyone else had anything similar, or can anyone tell me any more about this please? The file seems to be an older version, so I'm assuming it's been sitting in my downloads folder for ages. In which case I don't understand why AntiVir should report this only now.

    --
    Terry, East Grinstead, UK
  2. Baldrick (Super Moderator)
    I doubt it. Use www.virustotal.com, and if most of them report it as a trojan I might be suspicious.
  3. Thanks. Have duly submitted it, after nervously restoring it from quarantine. This is the first time I've used that online tool.

    VirusTotal's results are here:
    http://www.virustotal.com/analisis/c54ea930b7cd8f7d3b1251378242ecdca800c704495e9fc4cff...fa7-1239602812
    But this has 'Last Update' dates from April of 2009! But, that serious issue aside, it does show that 7 of 39 results (NOT including Avira!) detect the trojan.

    What conclusions would you draw please?

    --
    Terry, East Grinstead, UK
  4. netmask56
    I would get in touch with VideoRedo either directly or via their forum at
    http://www.videoredo.net/msgBoard/index.php
    as I'm sure they would be interested in the tests you have performed.
    I'm a member and I'll mention it and see if anyone else has had this experience.
    Did you buy the program from a local distributor or as a download from the main site http://www.videoredo.com/en/index.htm ?
  5. OK, thanks. I did report it simultaneously to VideoRedo Support. But their reply doesn't really move me forward:
    "Perhaps it's a false positive. Check for an update to the virus database.
    Since the file is rather old, are you certain you downloaded it from our website?"

    (I'd already said I didn't know where/when I downloaded it.)

    I have also submitted it to Antivir and the result was:
    "The file 'VideoReDoPlus-2-1-1-413.exe' has been determined to be 'MALWARE'. Our analysts named the threat DR/Genome.kht. The term "DR/" denotes a program that is able to place a virus or malware discreetly on a system."

    I also submitted it to 2 online services:

    Jotti's malware scan gave these results:
    http://virusscan.jotti.org/en-gb/scanresult/b5da81593cf9b0e3d126939e6187de07f83ed302
    This appears to use bang up-to-date detection files and confirms that Avira is one of 7 (out of 20) that report this file as having the trojan.

    VirusTotal gave these results:
    http://www.virustotal.com/analisis/c54ea930b7cd8f7d3b1251378242ecdca800c704495e9fc4cff...fa7-1239602812
    This has 'Last Update' dates from April of 2009! But it shows that 7 of 39 results detect the trojan.
    I was puzzled why Avira was not one of those 7. However, I recall seeing some message that "This has already been analysed". So maybe this tool strangely does not use the latest definitions to test? I'll check and see if I can force it to do so.

    It's now back in quarantine. As it's an old version of VideoRedo, I never need to access it. But I'd still like to know
    - Is it malware as reported or a 'false positive'?
    - Where it came from? (Even when I restored it from quarantine, its Modified date/time was the most recent time of quarantining, not whatever it was originally. So I can't even see how old it is.)

    --
    Terry, East Grinstead, UK
  6. Member (Victoria, Australia)
    Look at the file's properties page - there you can see its CREATION date rather than its MODIFIED date. That should be the date the file was originally built, or (worst case) the date the file was created on your machine when downloaded. Also, does it have version info internally recorded?

    Trev
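    The two things asked for up-thread, the file's internal build date (post 6) and a way to look the file up on a scanning service without re-uploading it and getting a cached "already analysed" result (posts 3 and 5), can both be read off the file itself. The script below is an added example, not code from the thread or from VideoReDo: it hashes the file (the SHA-256 is what you paste into a hash search on VirusTotal or Jotti), reports the filesystem timestamps, and reads the link timestamp stored in the PE/COFF header, which survives quarantine and copying. The minimal PE image it builds in memory, and the 22 Sep 2005 timestamp it stamps into it, are constructed stand-ins for the real installer.

```python
"""Offline triage of a suspected false-positive download (added example).

Assumptions (not from the thread): a minimal PE image is built in memory to
stand in for the real VideoReDo installer; its link timestamp is set to
2005-09-22 because that is the creation date reported up-thread.
"""
import hashlib
import os
import struct
import tempfile
from datetime import datetime, timezone

SAMPLE_TIMESTAMP = 1127347200  # 2005-09-22T00:00:00Z, constructed value


def build_sample_pe(timestamp: int) -> bytes:
    """Build the smallest byte string the PE parser below accepts.
    Constructed stand-in for a real installer; it is not executable code."""
    dos = bytearray(64)                       # IMAGE_DOS_HEADER
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: NT headers at 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def hashes_of_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 hex digests: the values hash-search pages accept."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (link time, seconds since the Unix epoch).

    Raises ValueError on a non-PE file and struct.error on a truncated one.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the timestamp
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def pe_timestamp_iso(data: bytes) -> str:
    return datetime.fromtimestamp(pe_timestamp(data), tz=timezone.utc).isoformat()


def triage_file(path: str) -> dict:
    """Hashes, filesystem dates and PE link time for one file, as a dict."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    report = hashes_of_bytes(data)
    report["size"] = len(data)
    report["modified"] = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
    # st_ctime is the creation time only on Windows; on POSIX it is the inode
    # change time, so the key name says which it might be.
    report["ctime_or_birth"] = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc).isoformat()
    try:
        report["pe_link_time"] = pe_timestamp_iso(data)
    except (ValueError, struct.error):
        report["pe_link_time"] = None        # not a PE file, or truncated
    return report


def demo() -> dict:
    """Write the constructed sample to a temp file, triage it, clean up."""
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as tmp:
        tmp.write(build_sample_pe(SAMPLE_TIMESTAMP))
        path = tmp.name
    try:
        return triage_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

    Run it against the quarantined copy (restore it to a folder the resident scanner excludes, or point the script at the backup copy found later in the thread) and compare: a PE link time years older than the detection signature, matching a copy on another drive, is the kind of evidence the thread ends up relying on. The link timestamp can be zeroed or faked by a packer, so treat it as one input, not proof.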
  7. Thanks Trev. I have since found a backup copy of this file on a drive I don't regularly scan. It shows that it's old (22nd Sep 2005). More important, the fact that it's been sitting in both places for a year or two tends to confirm the report as a false positive.

    --
    Terry, East Grinstead, UK
  8. Personally, I would delete both files without any hesitation whatsoever.

    Generally, a company would know if a particular AV prog was giving false positives with a particular version of their software.

    Your own chosen antivirus identified it as bad. If you don't want to believe that, then you need to get another AV program. Unless you can find a specific report of the same AV program finding the same "false positive" in the same test file. Otherwise, you are just running on wishful thinking and that is not good enough.

    Have you considered the possibility that the 7 of the 39 were the best of the bunch, and the other 32 just aren't very good scanners? 7 different progs would indicate that this is NOT a "false positive".
  9. It seems pretty clear to me that it's a false positive. Apart from the fact that the original has been sitting in my Downloads folder for months or years, I reckon I must have executed the file at some early stage to install or update the application.

    But I'm still curious why only 7 out of 39 programs report it as malware. And puzzled why Antivir got it right last September but now reports it as malware. I've asked about that in the Antivir forum.

    --
    Terry, East Grinstead, UK
  10. Having had no further response in the Antivir forum since the malware report I described up-thread, I emailed Avira Labs and sent them the file.

    I had a reply confirming that "This is a false positive."

    They plan to "take out the pattern recognition in one of our next updates."

    --
    Terry, East Grinstead, UK
  11. You took the right steps by not panicking and taking rash action such as deleting files. Some common-sense searching and legwork gave you the correct result of a false positive.

    False positives do happen. A few weeks ago right after I updated AVG, I got a virus warning on a file that I thought was highly unlikely to be infected. A quick search found others reporting the same issue. Several hours later a new AVG virus db was released. False positive confirmed by AVG.