Discussion:
[clamav-users] Are Win.Trojan.Shopperz and Win.Trojan.Uztuby-3 false positives?
Jean-D. Ackle
2016-02-16 20:25:42 UTC
Permalink
Hello,

So... it seems I've been a "victim" of last week's False Positives...
First I got so many files on a Windows partition "infected" by the
Bancos trojan (detected by clamscan running from Linux) I quickly
concluded that particular Windows setup was gone. I just noticed someone
on the list saying it was a FP...
So then, I used my OEM recovery disks to reinstall the system and I
"found out" the newly installed system with which I had NOT connected to
the Internet yet was already infected by... Win.Trojan.Ramnit...

I had already installed Windows 10 downloaded from Microsoft when I
learned about Ramnit's likelihood to be a FP. And... again without
connecting to the Internet, Windows 10, particularly in dnsapi.dll seems
already infected by Win.Trojan.Shopperz. After a little reading around
the Internet I'm getting to think this is yet another FP.

Being that the FPs handling system in ClamAV seems to be a bit
stalled... I would actually risk going ahead with disregarding it as
such but ... I want an on-access virus scanner on Windows. My ISP
happens to recently have made available a free subscription to Panda
Antivirus and I'd like to take on that offer. But the downloaded
installer is reported by ClamAV as infected.
I uploaded it to VirusTotal and this was the result:
https://www.virustotal.com/en/file/f183a4a6cd5afc5f134bd718dffa3e79d7a5aa6c501b7a792eaf37903f454f55/analysis/1455647361/
(only ClamAV reports it as infected and there is no conclusive answer
otherwise).

So, I'd appreciate some advice on whether I'd likely be OK with
proceeding to connect to the Internet with the already installed Windows
10 and said Panda Antivirus to be installed prior to connecting to the
Internet.
Also, if there is anything I might help with (as far as submitting files
is concerned (I'm hardly knowledgeable enough for anything else), please
let me know.

Regards,
JD
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Jean-D. Ackle
2016-02-17 19:00:20 UTC
Permalink
Sorry about the misdirection on my greeting. It should have been:
"Thank you for the answer, AL!"

That's what happens when I'm writing a single message on two different
computers and alternating between mail program and mail webpage...
Thank you for the answer, Joel
Although I wouldn't be surprised myself to learn an ISP included Adware in something they provided for free, Shopperz was not the one found on my free copy of Panda Antivirus Pro, it was Uztuby-3 (Shopperz was on dnsapi.dll).

That being said, I had previously downloaded and executed the said Panda installer on my Windows system and indeed I noticed the logo of my ISP on Panda's window. I opted out of receiving third party offers and such when I first signed with this ISP but I guess otherwise that area on Panda's window might be used to show advertisements. And I believe this would classify it as Adware, but what is actually reported by ClamAV is a Trojan.

I'm not at all savvy on these matters, but wouldn't a Trojan pose a greater risk than the mere display of (possibly unwanted) ads in one program?

I did contact my ISP about this and their response (no verbal communication towards me whatsoever) was to remove the free license I had previously activated from my account management webpage. I can still access it and I redownloaded the file, which remains unchanged.

Concerning the Shopperz detection, I got it on a Windows system file ( C:\Windows/System32/dnsapi.dll ) and its full name is: Win.Trojan.Shopperz-381

dnsapi.dll is a Windows system file without which Windows will not connect to the Internet (at least on my WiFi setup).

ClamAV also detected Shopperz-381 on the same file, in a different location (cached?) on the same Windows system: Windows/WinSxS/amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10586.0_none_22114c18cd7ccd17/dnsapi.dll

The first time I ran ClamAV on these files (first scan = detection) was immediately after installing Windows 10 from a DVD burned with an ISO file downloaded from Microsoft's site. After my first login to that Windows system I rebooted to a Linux Live DVD (NO network connection was made until after booting Linux - which I performed in order to install ClamAV and run freshclam).

VirusTotal thinks it's "probably harmless" but Antiy-AVL agrees with ClamAV that it contains a Trojan:
https://www.virustotal.com/en/file/b51a82ed2d45855ea9018b6269931ca62f3dc430fd513c7e751fc2cb76014bab/analysis/1455724650/

FYI, at least since version 8 of Windows there is this Microsoft Shop application that enables you to download free/bought software - I'm guessing there might be some code in dnsapi.dll facilitating that feature.
Hope that helps.
Without the exact name of the Shopperz infection, I can’t tell you whether it’s a recent definition or an old one. There are currently 351 such signatures.
The Uztuby-3 was added to the database on 30 Jan 2016 04-36 -0500 in daily:21324, so it’s been there for a couple of weeks.
It would not surprise me to learn that an ISP was providing something for free that included Adware. I’m sure that’s what Shopperz’s are.
-Al-
Al Varnell
2016-02-17 19:30:54 UTC
Permalink
Then you need to report that as a False Positive by uploading dnsapi.dll to http://www.clamav.net/reports/fp. If you join the clamav-virusdb list you will be notified when it’s been taken care of.

-Al-
--
Al Varnell
ClamXav User
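Reporting the file, as Al says, is the right fix. Until the signature is pulled, a local override keeps clamscan usable without turning detection off. The following is an added example, not code from this thread or from the ClamAV project: it builds the two kinds of override file ClamAV loads from its database directory, a `.fp` hash whitelist (`MD5:size:label`, exempting exactly one file's bytes) and an `.ign2` list (one signature name per line, skipping that signature everywhere). The signature name Win.Trojan.Shopperz-381 and the file name dnsapi.dll come from the thread; the database directory, the label `Local.FP.dnsapi` and the sample bytes are assumptions made for the demo.

```python
"""Local false-positive handling for ClamAV (added example, not from the thread).

ClamAV reads every file in its database directory (the one freshclam writes to;
the path used below is a temporary stand-in, an assumption for the demo):

  * <name>.ign2  one signature name per line; that signature is skipped entirely
  * <name>.fp    MD5:size:label per line; a file with that hash is never flagged

The .fp route is narrower and therefore safer: it exempts only the exact bytes
you inspected (say, a dnsapi.dll whose hash you checked on VirusTotal), not
every file the signature would ever match.
"""
import hashlib
import os
import re
import tempfile

# ClamAV signature names are dotted/hyphenated tokens; reject anything else so a
# stray path or shell fragment never ends up in the ignore list.
SIG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def md5_and_size(path):
    """Hash the file in chunks so a large DLL is not read into memory at once."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def fp_entry(path, label):
    """Build one .fp line (MD5:size:label) exempting exactly this file's contents."""
    if not SIG_NAME_RE.match(label):
        raise ValueError(f"bad whitelist label: {label!r}")
    md5, size = md5_and_size(path)
    return f"{md5}:{size}:{label}"


def ign2_entry(sig_name):
    """Build one .ign2 line, validating the signature name first."""
    if not SIG_NAME_RE.match(sig_name):
        raise ValueError(f"not a plausible ClamAV signature name: {sig_name!r}")
    return sig_name


def fp_entry_matches(path, entry):
    """Check whether an existing .fp line covers the file at `path`."""
    md5, size, _label = entry.split(":", 2)
    actual_md5, actual_size = md5_and_size(path)
    return md5.lower() == actual_md5 and int(size) == actual_size


def write_overrides(db_dir, fp_lines, ign2_lines, stem="local"):
    """Write <stem>.fp and <stem>.ign2 into db_dir; returns the paths written."""
    written = []
    for suffix, lines in ((".fp", fp_lines), (".ign2", ign2_lines)):
        if not lines:
            continue
        out = os.path.join(db_dir, stem + suffix)
        with open(out, "w", encoding="ascii") as f:
            f.write("\n".join(lines) + "\n")
        written.append(out)
    return written


def demo():
    """Run the whole flow on a constructed stand-in for dnsapi.dll."""
    work = tempfile.mkdtemp(prefix="clamav-fp-")
    db_dir = os.path.join(work, "db")          # stands in for e.g. /var/lib/clamav
    os.makedirs(db_dir)
    sample = os.path.join(work, "dnsapi.dll")  # constructed bytes, not the real DLL
    with open(sample, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed sample" * 64)

    fp_line = fp_entry(sample, "Local.FP.dnsapi")
    ign_line = ign2_entry("Win.Trojan.Shopperz-381")
    files = write_overrides(db_dir, [fp_line], [ign_line])

    # A one-byte change must break the match: the .fp entry is exact by design.
    altered = sample + ".altered"
    with open(sample, "rb") as src, open(altered, "wb") as dst:
        data = bytearray(src.read())
        data[-1] ^= 0x01
        dst.write(data)

    return {
        "fp_line": fp_line,
        "ign2_line": ign_line,
        "files": files,
        "sample_matches": fp_entry_matches(sample, fp_line),
        "altered_matches": fp_entry_matches(altered, fp_line),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Prefer the `.fp` entry: it silences the alert only for the file you actually verified, so a genuinely infected dnsapi.dll with different bytes would still be caught, whereas the `.ign2` line disables Win.Trojan.Shopperz-381 for every file on the machine. Drop the override files once the corrected daily update arrives, and restart clamd (or just rerun clamscan) so the new files are picked up.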
JD Ackle
2016-02-18 03:05:18 UTC
Permalink
I was going to do the report as you suggested but someone else seems to
have beaten me to it. Clamscan on VirusTotal now reports it as clean, as
does my local instance of clamscan on dnsapi.dll.

- JD -