Closed Bug 520777 Opened 15 years ago Closed 15 years ago

AVG false positive for Thunderbird 2.0.0.23 . Thunderbird Setup 2.0.0.23.exe

Categories

(Plugins Graveyard :: AVG AV, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: holmziep, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: 2.0.0.23

TROJAN HORSE THREAT IN YOUR DOWNLOAD???

I don't know of any other way to get this information to you, so I used this method. I just signed up and downloaded OpenOffice, and decided to take you up on your offer and downloaded Thunderbird, at the link on the bottom of the page. Whilst downloading to a file, AVG stopped the process with the "Threat Detected!" message.

A Trojan Horse Downloader.Banload.APIO reported by AVG Resident Shield Alert while downloading Thunderbird from that link on the bottom of your "https://registration2.services.openoffice.org/RegistrationWeb/OpenOffice.org/default/en_US/thankyou.jsp" page.

The threat AVG detected was loaded in "My Documents\Downloads\Thunderbird Setup 2.0.0.23.exe". I was saving this file to my downloads folder for later installation.

I am afraid to continue.

Reproducible: Always




I am sending this Trojan Horse Downloader.Banload.APIO to my Quarantine Vault. Have to shut off here now and look for a job (eh?) but you may contact me at holmziep@netscape.net. I will be back on later this afternoon.

If this is not the place to report such a problem, could you kindly forward my message to the proper people?  Thanks.

I very much support the effort you all have done, and while I am not quite sure what's going on here, I would be glad to offer any additional information or help (who, me?) ya all could need.  When I get a job, I will support the cause.  This is a great thing, OpenOffice.  

regards, holmziep
Where were you downloading this file? From OpenOffice? That's not Mozilla.

I checked the file in the URL-field (from /www.mozillamessaging.com), but it doesn't contain any virus, trojan or malware.
Please give more information on where you got this from.
I have the same problem, and I downloaded it from the Mozilla website. AVG will not open it... the threat is "Trojan horse downloader.Banload.APIO detected on open." I have Toshiba laptop, win xp, sp3, free avg av and pc tools fw. Can you post instructions on how to work around this if it is not a real threat or what to do if it is real? Afraid to continue also.
Can you give the exact link? Make sure you have the latest definition files for AVG, and then also contact them to let them know they have a false positive.
http://getsatisfaction.com/mozilla_messaging/topics/avg_reports_virus_in_thunderbird_2_0_0_23 . Am seeing this a lot at the moment (google the trojan name). Setting NEW
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: TROJAN HORSE THREAT DETECTED in your Thunderbird Download. URGENT SECURITY RISK → AVG false positive for Thunderbird 2.0.0.23 . Thunderbird Setup 2.0.0.23.exe
AVG latest version doesn't flag it, other programs do though:
"AVG says Windows TB 2.0.0.23 Setup.exe EN-US is OK but eSafe, F-Prot, The Hacker and K7AntiVirus flag it as suspicious?"

full report:
http://www.virustotal.com/analisis/8a02dcccc99def6088ddd0176b6347fca48a9f3468fe581a33c0002abf2ffc30-1254847482
will work with AV vendors to get this fixed
Assignee: nobody → cbook
Status: NEW → ASSIGNED
Thanks :tomcat , please close this ticket when eSafe, F-Prot, The
Hacker and K7AntiVirus  are updated

i just did the following:
1. updated my AVG to the latest VPS file 10/06/2009 File version: 091006-0
2. downloaded en-us Thunderbird Setup 2.0.0.23.exe to my documents
3. ran AVG on it
4. no virus found

so my guess is original poster had an AVG false positive and eSafe, F-Prot, The
Hacker and K7AntiVirus are false positives because they are using old AVG definitions

But of course we'll wait for the definitive "ALL CLEAR" from Tomcat after he works with the AV vendors.
contacted esafe,thehacker and k7 - normally we should get a response in the next few hours. 

Also F-Prot seems to be an error from Virustotal, another scan site reports nothing. Also the error message from virustotal was Scanning error.

Will give a status update when i get feedback from the AV Vendors.
I had a mid-air with tomcat, reprinting my additional comments again:

Hi folks:  Wow. Talk about response!  
Yes, I have since realized I'm talkin' Mozilla not OpenOffice. Duh. 

Since, I pressed the UPDATE button on AVG, yup, there was a new definition
update which was uploaded, but is that what you're talkin about, Roland Tanglao?

And Another 'since'... I have downloaded ('SAVED') another instance of
Thunderbird 2.0.0.23 from the same link mentioned above, and as soon as it is
finished, Voila! AVG flagged it again.  Now I have two 'Downloader.Banload.APIO'
files in quarantine. 

What's obvious to some may not be so to me, I'm a bit slow.  I enjoy this
challenge, and will stick with it.  Be back in a while. Input welcome. Who's
tomcat? oh. guess I got the idea. good.  

Cheers, 

holmziep
Tomcat: did we miss your comments because of this mid-air collision? please repeat?!?
(In reply to comment #11)
> Tomcat: did we miss your comments because of this mid-air collision? please
> repeat?!?

Hey Peter, first thanks for reporting this bug !

We are fine with the comment, mine is now comment #9. I will get in contact with AVG to check with them also the installer, should be fixed soon, will update this bug when i know more.

(In reply to comment #10)
> 
> Who's
> tomcat? oh. guess I got the idea. good.  

Well, good question, here 
http://blog.mozilla.com/tomcat/2009/01/15/7-things/ is something :) but yeah i work for Mozilla and was asked to help :)
We have been seeing lots of this on Sumo with firefox also, see Bug 520895
Setting Critical too
Severity: normal → critical
AVG confirmed this as false positive:

"Unfortunately, the current virus database version may detect the
mentioned virus on some legitimate applications. We can confirm that
it is a false alarm. We would like to inform you that the false
positive will be removed in the next Definitions update. Please update
your AVG and if a new Definitions update was downloaded, check whether
the file is still detected.

If you need to restore deleted files from AVG Virus Vault you can do
it this way:
- Open AVG user interface.
- Choose "Virus Vault" option from the "History" menu.
- Locate the file that was incorrectly removed and select it (one
click).
- Click on the "Restore" button.

We are sorry for the inconvenience.
"

will leave this bug open till we get confirmation from users and also feedback from thehacker (i think they might use the same AV engine as AVG)
also feedback from thehacker AV:

"The file is considering as a false positive so that our last update corrects that detail.
Yours sincerely,
Victor Arroyo Cauti.
Hacksoft"
Peter: can you confirm this issue is now fixed (no longer reporting thunderbird installer as virus) ?
"Mozilla fan" has confirmed (thanks!) that the issue is fixed over in Get Satisfaction:
http://getsatisfaction.com/mozilla_messaging/topics/avg_reports_virus_in_thunderbird_2_0_0_23?utm_medium=widget&utm_source=widget_mozilla_messaging

QUOTE
AVG (Ver 8.5.420 dbase: 270.14.4/2417) -- Old version with problem.
AVG (Ver 8.5.421 dbase: 270.14.8/2423) -- New version no problem.
Tested the latest version (see above).
No virus reported with Thunderbird 2.0.0.23 downloaded file. 

END QUOTE
Hi Tomcat and all.

Gee, wow... Delayed response on my part, sorry. (I actually had two job interviews, but not my bag, darn). I will try a fresh download armed with confidence, but not until after careful re-read of your comments above. Then I will get back to you all. Thank you all for your kind attention.

Regards
holmziep
got no reports for AVG again, so closing this as fixed/works for me for now
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Component: Installer → AVG AV
Product: Thunderbird → Plugins
QA Contact: installer → avg-antivirus
Assignee: cbook → nobody
Product: Plugins → Plugins Graveyard