Argh … WinDirStat detected as trojan

STOPzilla, an antispyware product, is flagging the most current WDS installation package as Zlob.YU. While one should never take such a report too lightly, the first reaction of the user who contacted me was, of course, more in the direction of an accusation. Nothing wrong with that, had it turned out to be true. Not least because I am an AV researcher and developer. Although SF.net would probably be to blame if something like this happened, because all downloads run via them, it would be horrible for my reputation as well.

So, what now? First of all I want to reassure everyone that the two download samples I have taken from different SF.net mirrors are not infected, but are still reported as Zlob.YU by STOPzilla. Since all mirrors are supposed to be in sync and I got the first report two days ago, all mirrors should have had the infected file version by now, if there ever was a threat. Instead, the fact that only STOPzilla finds it points to a false positive, and I am going to contact the vendor about it.
Second, you need not trust me on that. Instead I suggest visiting Jotti and VirusTotal. Although these are also not 100% reliable in the end, the heuristics and signatures of many different AV scanners are used to examine your file, which gives you a fairly good hint as to whether the file is infected or not.

// Oliver


13 Responses to Argh … WinDirStat detected as trojan

  1. Ukyo says:

    FYI:

    ClamAV also has a false positive on Windirstat setup.

    Engine version: 0.95.2
    windirstat1_1_2_setup.exe: Trojan.Agent-121230 FOUND

  2. David says:

    Today I upgraded to the latest ClamWin (which uses ClamAV) and apparently got the same message as Ukyo
    (apparently he's scanning the raw setup file downloaded from SF, while I'm scanning after I've installed WinDirStat and deleted the setup file).

    C:\Program Files\WinDirStat\Uninstall.exe: Trojan.Agent-121230 FOUND

  3. Alex says:

    A few years after this page was created, MalwareBytes still finds a trojan in the latest windirstat. "Trust" needs to be earned, so I'll go with the MalwareBytes results.

  4. Oliver says:

    Oh please! I don't give a warm wet handshake whether you trust WDS, honestly. I work for an anti-malware company, and I can tell if something gets compromised and behaves weirdly. And besides, I don't know where you downloaded the stuff, so it's well possible it's not clean.

    Trust need not be earned. Trust is the default. And anti-malware companies, including the one I am working for, are REALLY FRICKIN' BAD when it comes to spreading false positives. It is near impossible to get rid of a false positive once x many companies detect it, especially if you have no contacts in the industry. And it's not like every company does original research and can therefore tell from their own expertise whether it's malicious or harmless. Some simply take files into detection when others detect them. Way to go ...!

    WDS is FLOSS. Go ahead and build your own executable.

  5. Oliver says:

    @Alex: can you send me the MD5 or SHA1 hash of the file you get reported as infected?

  6. Phillip says:

    @Oliver:
    Malwarebytes 1.75.0.1300 detects windirstat.exe as Trojan.Agent using database version v2013.07.16.05. Symantec Endpoint Protection 12.1.3 had no complaints using July 16th signatures. This is WinDirStat version 1.1.2.80 with an MD5 of 24cd9a82fcfc658dd3ae7ba25c958ffb

    Virustotal showed 0/47 detections as of 7/17, and reported a SHA256 of cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c

    https://www.virustotal.com/en/file/cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c/analysis/1374072965/

  7. Oliver says:

    Thanks, that would be the genuine file, so it's not malicious. However, I am currently authoring a little blog entry about an actual trojan disguised as WDS. Stay tuned. I'll ask the folks at MalwareBytes again, too.

    Oh, but never rely on MD5 alone. Make sure to check the other hashes as well.

  8. Oliver says:

    On another note, a Swedish user contacted me yesterday. He had the genuine file, which is WDS the way it should be. But MalwareBytes brought to my attention a version of the program that has indeed been trojanized.

  9. Phillip says:

    I don't believe earlier versions of Malwarebytes detected this file as a trojan, but this was the first full Malwarebytes scan I've run this year, so unfortunately I can't give you much to go on for narrowing the date window.

  10. Jim says:

    I also just got MalwareBytes detecting it as a trojan. It must have come in a definition update in the past few days.

    To confirm, this file is clean?

    MD5: 24CD9A82FCFC658DD3AE7BA25C958FFB
    SHA-1: 26E14A532E1E050EB20755A0B7A5FEA99DD80588

    What part of code could be causing this false positive?

  11. Oliver says:

    Hey Jim, the hashes you gave are of the clean file, yes. What part causes this, I don't know. It would depend on how it was detected in the first place, i.e. signature vs. heuristic, etc. But it looks like a signature may have been used for the detection of the actual malicious file. I'm not working for MalwareBytes, but I can draw on my experience with our AV engine and what I learned before at another company.

    Please read this if you haven’t before.

    Also, the false positive was – to my knowledge – fixed yesterday. According to VirusTotal it is fixed as well. Have you updated your AV databases?

  12. Phillip says:

    I rescanned windirstat.exe with Malwarebytes using database version v2013.07.18.03, and it is now showing up as clean. So it looks like they have already addressed the false positive.

  13. Oliver says:

    @Phillip: it’s what I was assured of by two independent sources at MalwareBytes. I don’t use the product, so I have to rely on VirusTotal for verification.
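The post recommends checking a download against independent scanners, and comment 7 adds the caveat that MD5 alone is not enough. The script below is an added example (not code from the WinDirStat project or from the post): it hashes a file once with MD5, SHA-1 and SHA-256 and accepts it only if every published digest matches. The reference digests are the ones posted in the comments above for the genuine windirstat.exe 1.1.2.80; the sample file it checks is constructed in a temporary directory, so the demo shows a mismatch, which is exactly what you would see for a trojanized copy.

```python
"""Verify a downloaded file against published digests, using more than one algorithm."""
import hashlib
import os
import tempfile

# Digests posted in the comment thread for the genuine windirstat.exe 1.1.2.80:
# MD5 and SHA-1 from Phillip's and Jim's comments, SHA-256 from the VirusTotal
# report Phillip linked. Jim posted his in upper case, so comparison must be
# case-insensitive.
PUBLISHED_HASHES = {
    "md5": "24CD9A82FCFC658DD3AE7BA25C958FFB",
    "sha1": "26E14A532E1E050EB20755A0B7A5FEA99DD80588",
    "sha256": "cc3ee246f2710dc9ba9e2a88e3192b88f1db4caa2eefb8641642a33df04e585c",
}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: lowercase hex digest}, reading the file only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected):
    """Compare every published digest; return (all_ok, {algorithm: matched}).

    The file is accepted only when every algorithm we have a reference for
    agrees. A single matching digest (MD5 in particular) is not sufficient,
    and one algorithm matching while another does not is itself a red flag.
    """
    actual = hash_file(path, algorithms=tuple(expected))
    results = {
        name: actual[name] == expected[name].strip().lower() for name in expected
    }
    return all(results.values()), results


def write_temp(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="hashcheck-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed stand-in for a downloaded binary; it is NOT the real file,
    # so every digest must differ from the published ones.
    sample = write_temp(b"MZ this is not windirstat.exe\n")
    ok, per_algo = verify(sample, PUBLISHED_HASHES)
    for name, digest in hash_file(sample).items():
        print(f"{name:7} {digest}")
    print("verdict:", "matches published hashes" if ok else "MISMATCH", per_algo)
    os.remove(sample)
```

Run it against the file you actually downloaded and substitute the digests the vendor publishes; if any algorithm disagrees, do not install the file, regardless of what a single scanner says about it.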
