Closed Bug 521680 Opened 15 years ago Closed 13 years ago

ZoneAlarm thinks firefox setup is trojan.

Categories

(Plugins Graveyard :: Checkpoint Zonealarm, defect)

All
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: tanner, Unassigned)

This is about the same as Bug 520895 but ZoneAlarm, not AVG, this time. We saw this on SUMO a couple of times.
Taking!
Assignee: nobody → cbook
Old bug, I've not seen any of this anymore.
Resolved Invalid, for now.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
I'm not so sure that this issue is resolved. I went to the website at http://www.virustotal.com and ran the scans on the copy of Firefox_Setup_3.0.14.exe that I have on my computer. ZoneAlarm's antivirus scan gave the same results even though I have the latest updates. The following is the text from the VirusTotal webpage after the scan.



Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.
 
File Firefox_Setup_3.0.14.exe received on 2009.12.24 07:10:08 (UTC)
Current status:     finished   

Result: 15/41 (36.59%)
 
 
Antivirus	Version	Last Update	Result	   
a-squared	4.5.0.43	2009.12.24	Trojan-Downloader.Win32.Banload!IK	   
AhnLab-V3	5.0.0.2	2009.12.23	Win-Trojan/Banload.4194304	   
AntiVir	7.9.1.122	2009.12.23	TR/Dldr.Banload.akdk	   
Antiy-AVL	2.0.3.7	2009.12.24	Trojan/Win32.Banload.gen	   
Authentium	5.2.0.5	2009.12.23	-	   
Avast	4.8.1351.0	2009.12.23	-	   
AVG	8.5.0.430	2009.12.23	-	   
BitDefender	7.2	2009.12.24	-	   
CAT-QuickHeal	10.00	2009.12.24	-	   
ClamAV	0.94.1	2009.12.24	-	   
Comodo	3349	2009.12.24	UnclassifiedMalware	   
DrWeb	5.0.1.12222	2009.12.24	-	   
eSafe	7.0.17.0	2009.12.23	-	   
eTrust-Vet	35.1.7195	2009.12.24	-	   
F-Prot	4.5.1.85	2009.12.23	File is damaged	   
F-Secure	9.0.15370.0	2009.12.24	-	   
Fortinet	4.0.14.0	2009.12.24	W32/Banload.AKDK!tr.dldr	   
GData	19	2009.12.24	-	   
Ikarus	T3.1.1.79.0	2009.12.24	Trojan-Downloader.Win32.Banload	   
Jiangmin	13.0.900	2009.12.23	-	   
K7AntiVirus	7.10.926	2009.12.22	Trojan-Downloader.Win32.Banload.ajnp	   
Kaspersky	7.0.0.125	2009.12.24	Trojan-Downloader.Win32.Banload.akdk	   
McAfee	5841	2009.12.23	-	   
McAfee+Artemis	5841	2009.12.23	-	   
McAfee-GW-Edition	6.8.5	2009.12.24	Trojan.Dldr.Banload.akdk	   
Microsoft	1.5302	2009.12.24	-	   
NOD32	4713	2009.12.23	-	   
Norman	6.04.03	2009.12.23	-	   
nProtect	2009.1.8.0	2009.12.24	Trojan-Downloader/W32.Banload.4194304	   
Panda	10.0.2.2	2009.12.15	Suspicious file	   
PCTools	7.0.3.5	2009.12.24	-	   
Prevx	3.0	2009.12.24	-	   
Rising	22.27.03.03	2009.12.24	-	   
Sophos	4.49.0	2009.12.24	-	   
Sunbelt	3.2.1858.2	2009.12.23	Trojan.Win32.Generic!BT	   
Symantec	1.4.4.12	2009.12.24	-	   
TheHacker	6.5.0.3.109	2009.12.23	Trojan/Downloader.Banload.ajig	   
TrendMicro	9.120.0.1004	2009.12.24	-	   
VBA32	3.12.12.0	2009.12.24	-	   
ViRobot	2009.12.24.2106	2009.12.24	-	   
VirusBuster	5.0.21.0	2009.12.23	-	 

 
Additional information	   
File size: 4194304 bytes	   
MD5...: 5647882997a1b08b5ef851f4285f8e04	   
SHA1..: 5c01199a84e0aea06e704e22a638b6cb7a8fffbb	   
SHA256: f6564389cd53d9dbb16e5da43805912affd796790f398c9e75b269adc6943cbd	   
ssdeep: 98304:YTIMqtl+ySfOzDdkT/lMMUfw5eCfBMA/7:pKXOR8tzSeegJz	   
PEiD..: -	   
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x21d00
timedatestamp.....: 0x44e24a66 (Tue Aug 15 22:27:50 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x17000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x18000 0xa000 0xa000 7.88 263bd459e6190104d6afd5ac7e9f5be8
.rsrc 0x22000 0x7000 0x6e00 5.83 8e6c4e7d9b8c22485560922dab94c76a

( 6 imports ) 
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> COMCTL32.dll: -
> MSVCRT.dll: exit
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteExA
> USER32.dll: SetTimer

( 0 exports ) 	   
RDS...: NSRL Reference Data Set
-	   
pdfid.: -	   
sigcheck:
publisher....: Mozilla
copyright....: Mozilla
product......: Firefox
description..: Firefox
original name: 7zS.sfx.exe
internal name: 7zS.sfx
file version.: 4.42
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned	   
packers (Antiy-AVL): UPX 0.89.6 - 1.02 / 1.05 - 1.22	   
trid..: UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)	   
packers (F-Prot): UPX, 7Z	 
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
Clearly many of the antivirus programs are still flagging the version of the Firefox setup program as infected. Note that I'm running Firefox 3.5.6 now and have run extensive antivirus and antispyware scans on my computer and it comes up clean.
Reopening per comments #3 and #4
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Not closing, but I've heard almost no reports for quite a while. Feel free to close, if there are no objections.
Haven't heard anything about this since comment 3 and 4.
->wfm
Status: REOPENED → RESOLVED
Closed: 15 years ago → 14 years ago
Resolution: --- → WORKSFORME
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Assignee: cbook → nobody
Status: RESOLVED → UNCONFIRMED
Component: General → Checkpoint Zonealarm
Ever confirmed: false
Product: Firefox → Plugins
QA Contact: general → checkpoint-zonealarm
Resolution: WORKSFORME → ---
Version: 3.5 Branch → unspecified
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → INVALID
Product: Plugins → Plugins Graveyard