False positive on VS6sp510.cab
Hankel O'Fung


Joined: 03 May 2006
Posts: 4
ClamAV gives a false positive for the above-mentioned file. VS6sp510.cab is one of the cabinet files for Visual Studio 6 SP5 and is certainly not a virus. For certainty I have also scanned it using www.virustotal.com, and ClamWin/ClamAV is the only scanner that reports an infection.

Since the file is over 4MB in size, I cannot report it using ClamWin's online form. Here's part of the scan report.

Trojan.Poebot-14 FOUND
-- summary --
Known viruses: 53242
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Monotype


Joined: 30 Apr 2006
Posts: 62
Are you using the latest version of ClamWin and the latest definitions?
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Could you unpack the cab file and scan the files individually to see if there is one file that triggers the false positive?
Hankel O'Fung


Joined: 03 May 2006
Posts: 4
I'm not sure if I can legally distribute the cabinet file, but it can be downloaded from the following URL:

http://www.mrcll.com/ftp/windows/updates/Microsoft/Visual%20Studio/Service%20Pack%205/VS6sp510.cab

I've checked that the .cab file there is identical to mine in binary.

The virus definition as well as the scan engine I'm using are the latest ones. As suggested by a poster, I've extracted the files inside the .cab archive and found that it was regtlib.exe that triggers the alarm. In an old thread in this forum,

http://forums.clamwin.com/viewtopic.php?t=292&sid=07dfa2d09214bd32592109edbe00a611

it was said that the problem arises because the regtlib.exe file is a broken executable. While I know little about broken executables, I did scan the file twice, with "Detect Broken Executables" turned on and then turned off, and both settings give the same result (see the scan report below). So, is regtlib.exe really a broken executable, or is it a problem of ClamWin/ClamAV? BTW, I didn't get this virus alert before, when I was using an earlier (0.86, I think) version of ClamWin.

--------------------------------------
Scan started: Thu May 04 18:01:38 2006


C:\...[snip]...\VS6sp510\regtlib.exe: Trojan.Poebot-14 FOUND
-- summary --
Known viruses: 53249
Engine version: 0.88.2
Scanned directories: 14
Scanned files: 24
Infected files: 1

Data scanned: 8.68 MB
Time: 3.765 sec (0 m 3 s)
--------------------------------------
Completed
--------------------------------------
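The triage carried out in the post above (extract the cabinet, scan the members one by one, read off the FOUND line) is worth automating when an archive has dozens of members. The following is an added example written for this page, not ClamWin or ClamAV code: it parses the plain-text report that clamscan/ClamWin prints, pulls out which member file matched which signature, and cross-checks the hits against the report's own "Infected files" figure so that a truncated or mis-parsed report is noticed. The embedded SAMPLE_REPORT is constructed (paths shortened), and all function names are my own.

```python
"""Added example (not ClamWin/ClamAV code): parse a clamscan/ClamWin text
report to isolate which extracted archive member tripped a signature, and
cross-check the FOUND lines against the report's own summary block."""
import re
from dataclasses import dataclass

# One line per hit, e.g.   C:\dir\regtlib.exe: Trojan.Poebot-14 FOUND
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Summary lines look like  Infected files: 1
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class ScanReport:
    detections: list   # [(path, signature), ...] in report order
    summary: dict      # summary key -> int (when numeric) or str


def parse_report(text):
    """Split a report into its FOUND hits and its '-- summary --' block."""
    detections, summary, in_summary = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-- summary --":
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                value = m.group("value")
                summary[m.group("key")] = int(value) if value.isdigit() else value
            continue
        m = FOUND_RE.match(line)
        if m:
            detections.append((m.group("path"), m.group("sig")))
    return ScanReport(detections, summary)


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def hits_by_signature(report):
    """Group the offending member file names under each signature name."""
    grouped = {}
    for path, sig in report.detections:
        grouped.setdefault(sig, []).append(basename(path))
    return grouped


def summary_consistent(report):
    """The number of FOUND lines should equal the 'Infected files' count;
    a mismatch means the report was truncated or mis-parsed."""
    return report.summary.get("Infected files") == len(report.detections)


# Constructed sample modelled on the per-file scan in this thread
# (extraction path shortened; not a real scan output).
SAMPLE_REPORT = r"""
Scan started: Thu May 04 18:01:38 2006

C:\extract\VS6sp510\regtlib.exe: Trojan.Poebot-14 FOUND
-- summary --
Known viruses: 53249
Engine version: 0.88.2
Scanned directories: 14
Scanned files: 24
Infected files: 1

Data scanned: 8.68 MB
Time: 3.765 sec (0 m 3 s)
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(hits_by_signature(rep))            # {'Trojan.Poebot-14': ['regtlib.exe']}
    print("summary consistent:", summary_consistent(rep))
```

To feed it a real report, extract the cabinet with `cabextract -d members VS6sp510.cab` and scan the directory with `clamscan -r members > report.txt`; the recursive scan prints one FOUND line per hit followed by the same summary block. Both tools are assumed to be installed, and the parser is deliberately tolerant of the blank lines and the "Scan started" line that the ClamWin GUI adds around the clamscan output.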
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Thanks for the additional info. I have notified the ClamAV db team and it will hopefully get fixed soon.
Hankel O'Fung


Joined: 03 May 2006
Posts: 4
Correction: I misunderstood the old thread I noted previously. Actually someone used ClamWin to scan his files. ClamWin reported that a number of them are broken executables AND ALSO that regtlib.exe was infected with Trojan.Poebot-14. So there are two different issues in his case. The discussion there, however, doesn't reveal whether the Trojan.Poebot-14 report is really a false positive or not (but both the original poster of that thread and I think so).

P.S. I've just used VIRUSTOTAL to scan the regtlib.exe file and again, only ClamAV reports an infection.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
I've confirmed it is a false positive in regtlib.exe and notified the ClamAV team; see my post above.
Hankel O'Fung


Joined: 03 May 2006
Posts: 4
Thanks a lot! :)
loloyd


Joined: 25 May 2006
Posts: 1
Thank God, it's only a false positive.

This really scared me. I was feeling especially paranoid today as my kids just played with our home PC when I was at work. For one thing, OSA9.EXE surprisingly appeared to hang at bootup consistently now whereas it posed no problem before today. So I scanned my PC only to find this similar warning:
Quote:
C:\WINDOWS\REGTLIB.EXE: Trojan.Poebot-14 FOUND
-- summary --
Known viruses: 56670
Engine version: 0.88.2
Scanned directories: 640
Scanned files: 10891
Infected files: 1

By the way, I'm using ClamWin 0.88.2.3 and my DB version as of this writing is reported as main:38 daily:1483 Updated 25 May 2006.

I tried downloading what appears to be a reliably clean copy of REGTLIB.EXE from http://www.baysidestudios.com/Developer/A011202a.cfm and then compared that with my own C:\WINDOWS\REGTLIB.EXE and FileCompare said they're the same.

Incidentally, this Sophos warning also gave me the spooks: http://66.102.7.104/search?q=cache:JuledRe_QNIJ:www.sophos.com/virusinfo/analyses/trojqlowf.html+regtlib.exe&hl=en&ct=clnk&cd=2
Quote:
Troj/Qlow-F

This section is for technical experts who want to know more.

Troj/Qlow-F is a Trojan for the Windows platform that modifies internet security settings by changing security settings for the Internet Zone.

Troj/Qlow-F may arrive as a file called Regtlib.exe that when executed deletes the registry entries:

HKLM\ Software\Microsoft\Windows\CurrentVersion\Run
Norton updater

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
REGTLIB

Troj/Qlow-F creates and executes the installer.exe file in the Temp folder and sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REGTLIB
REGTLIB.exe

The Trojan creates and executes the mt-uninstaller.exe file in the current folder. Installer.exe is detected as a component of Troj/Agent-DN.

Mt-uninstaller.exe is a component of the Media tickets adware