False Positive: 04-03-2011_Yazzn_Client_Hook.exe


2 replies to this topic

#1 etms51

    Advanced Member

  • Immunet Insiders
  • 58 posts
  • Location: Italy, Venice

Posted 06 April 2011 - 12:29 PM

Hello, today I've found two attachments detected as threats, but the Avira team told me that these files are false positives. Please check them.

1) File name: u1007.exe
Threat detection: Gen:Trojan.Heur.JP.8yWaaShZwIob
MD5: d28aba48a0910c248bf16203b55e5d8c
SHA1: 859fddd98512620c2b086ac73f240566cd3617ea
SHA256: 74032150e582a57a03f94079e8d1be30cec2e134030cf1ec9241fb481c671541
VirusTotal: http://www.virustota...1541-1302061476

2) File name: 04-03-2011_yazzn_client_hook.exe
Threat detection: Trojan.Generic.5320821
MD5: 0aeba7bcecb3123cecf094b67eebe9c6
SHA1: 974f2dbcfad52d85108b5b592d86f7b944fa276d
SHA256: 2a97dd7f4b1b07b077a2be98024ec08d7ce5dfd85ffa4b0dd193d3c9ff86a77d
Please fix it.

#2 sweidre

    Legendary Member

  • Immunet Insiders
  • 1,138 posts
  • Location: Idre parish, Älvdalen municipality, Dalarna county, Sweden

Posted 06 April 2011 - 04:40 PM


Hi etms51,
If You are uncertain whether Your file is infected or not, You can have it analyzed. If the file is regarded as clean, it will not be subject to any scan by Immunet.

1.) IF YOU NEED AN IMMEDIATE ANALYSIS WITH RESULT, FOR EXAMPLE DURING WEEKENDS & HOLIDAYS:

1a.) Download & install the freeware VirusTotal (VT) Uploader 2.0 from here:

http://virustotal-up...n.softonic.com/

Using this simple freeware You may upload the file to the VT website, where 42 different Antivirus & Antimalware products will immediately analyze the file. After a few seconds You will get a report from VT that lists whether any products regard Your file as infected or not. The products that have found Your file to be infected will also give their names for the infection. Many products name the infection differently, using their own vocabulary. If only a few of the products report Your file to be infected, You may regard the detection to be a "false positive". Note that results from some of the products are more reliable than from others. (Some of the products are known for reporting "false positives"!) Finally, it is up to Yourself to treat the file as clean or infected!

1b.) If You regard the file to be clean, it can be placed in a sort of "whitelist" in the Immunet software:

Product->Settings->Protection Exclusions-> Add New Exclusion.

You must here enter the path to the file, and the full path will be added as a new line to the list of exclusions. Note that to the right of the line is an (x)! If You change Your mind and want the path to be scanned by Immunet again, it can be deleted by clicking on the (x) sign, and the path (line) will disappear from the list.

Remember to click on the "Apply" button, otherwise Your settings will not be saved!

2.) IF YOU DON'T NEED A PROMPT ANALYSIS, AND YOU CAN WAIT UNTIL WORKDAYS MON-FRI 9-15, YOU CAN PREFERABLY HAVE YOUR FILE HANDLED BY THE IMMUNET STAFF:

2a.) Submit Your suspicious file (false positive) here:

http://www.immunet.c...tact/index.html

2b.) If the analysis by Immunet regards the file as a "false positive", this will be reported to the Immunet database (the Cloud), and all further scans by Immunet will treat the file as clean. Note that the file does not have to be on the Exclusion list any more now! If the Immunet analysis regards the file to be infected, this will be reported to the Immunet database (the Cloud). A scan by Immunet will then place the file in Quarantine. Note that if You personally still regard the file as clean, You must add it to Your own exclusion list (see item 1b. above).

3.) REMEMBER

Note that if You have, in an emergency case, used alternative 1.) above, You should later anyhow follow the instructions as per alternative 2.) as well. This is important, so that the whole Immunet community gets proper online info from the common database (the Cloud)!

Cheers,
sweidre

My computer details with softwares have been moved to My Personal Page -> About me : http://forum.immunet.com/index.php?app=core&module=usercp&tab=members&area=aboutme
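Two checks a submitter can run before filing the report described in the post above, written here as an added Python example (not code from the forum, from Immunet or from VirusTotal): first, confirm that the MD5/SHA1/SHA256 digests quoted in a report or a forum post really belong to the file on disk, so the exclusion or the false-positive submission refers to the right sample; second, summarize a multi-engine report the way the post suggests, counting how many engines flag the file and whether those detections are heuristic or generic family names (such as the "Gen:Trojan.Heur" and "Trojan.Generic" names quoted in this thread) rather than exact signatures. The sample bytes, the 42-engine report, the engine names, the 10% consensus threshold and the list of heuristic name markers are all constructed assumptions for the example, not values taken from the thread.

```python
import hashlib

# Constructed sample: the bytes b"abc", whose standard digests are well known.
# These are NOT the files from the forum post.
SAMPLE_BYTES = b"abc"
REPORTED_HASHES = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def file_hashes(data: bytes) -> dict:
    """Compute the three digests that a submission form or scan report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(data: bytes, reported: dict) -> dict:
    """Return, per algorithm, whether the reported digest matches the local bytes.

    A mismatch means the report (or the exclusion about to be added) refers to a
    different file than the one actually on disk.
    """
    local = file_hashes(data)
    return {alg: local[alg] == reported[alg].strip().lower() for alg in reported}


# Substrings that commonly mark heuristic or generic family detections
# (assumed marker list; vendors use their own vocabularies).
HEURISTIC_MARKERS = ("heur", "gen:", "generic", "suspicious")


def triage_verdicts(verdicts: dict, max_ratio: float = 0.10) -> dict:
    """Summarize a multi-engine report.

    verdicts maps engine name -> detection name, or None when that engine
    reports the file clean. A file is marked likely_false_positive only when
    few engines flag it (ratio <= max_ratio, an assumed threshold) AND every
    detection name is heuristic/generic. The final call stays with the analyst.
    """
    total = len(verdicts)
    detected = {eng: name for eng, name in verdicts.items() if name}
    heuristic = {eng: name for eng, name in detected.items()
                 if any(m in name.lower() for m in HEURISTIC_MARKERS)}
    ratio = len(detected) / total if total else 0.0
    return {
        "total": total,
        "detected": len(detected),
        "heuristic": len(heuristic),
        "ratio": round(ratio, 3),
        "likely_false_positive": (
            0 < len(detected) and ratio <= max_ratio and len(heuristic) == len(detected)
        ),
        "names": sorted(set(detected.values())),
    }


def constructed_report() -> dict:
    """A constructed 42-engine report: two heuristic/generic hits, 40 clean."""
    report = {f"Engine{i:02d}": None for i in range(1, 43)}
    report["Engine01"] = "Gen:Trojan.Heur.JP.8yWaaShZwIob"
    report["Engine02"] = "Trojan.Generic.5320821"
    return report


if __name__ == "__main__":
    print("hash check:", hashes_match(SAMPLE_BYTES, REPORTED_HASHES))
    print("triage:", triage_verdicts(constructed_report()))
```

Run the hash check against the real file bytes (read with `open(path, "rb").read()`) before adding a path to the exclusion list; an exclusion is tied to a path, so if the file at that path changes later the excluded file is no longer the one that was analyzed.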


#3 RobT

    Advanced Member

  • Administrators
  • 245 posts

Posted 06 April 2011 - 07:44 PM

Thanks etms51, I looked into your files and will poke them to FP's ("undetermined") shortly.

u1007.zip / u1007.exe (and its latest version, u1008.exe) is a proxy tool for getting around firewalls. I can't tell if it's 100% legit or not - their website looks ok and most of the info I found on it was ok, but there was one post that said it's used to spy on any traffic you send through it and also can be used to launch DOS attacks.

yazzn_client_hook.exe appears to be a hacktool for WarRock. See http://www.mpgh.me/f...esp-gps-2.html. Stop cheating you.



