quote:
Originally posted by Email conversation with ESET
This is one example of the dropped malware file:
http://www.virustotal.com/analisis/79bf7f8085018d...d57936d-1280301607
Only the vendor can solve it, it is not a false positive.
Regards,
Daniel Novomeský
Virus Researcher
ESET spol. s r.o.
> >--[<REMOVED>@<REMOVED>.com]---------------------
> > Hello,
> >
> > This sounds strange to me.
> >
> > I am a happy user of Messenger Plus!, I have it installed on several of
> > my systems and see no sign anywhere of the "Circle development" adware
> > or the Win32/TrojanDownloader.Swizzor you mention. Neither do friends
> > who have this software too and use other anti virus products without
> > getting a warning.
> >
> > I temporarily disabled NOD32 and installed the executable. I did a scan of
> > the entire system after installation but found nothing (except for the
> > installer itself), neither do I see any advertising appear.
> > On what indication/symptoms exactly do you base this threat
> > classification? For example, which files/registry keys or communication
> > with which hostnames/IPs to look for?
> >
> > You also mention "it" being identified as Win32/TrojanDownloader.Swizzor
> > and being classified as malware by almost all vendors. How/where would I
> > find this file so I can see this for myself? Because the file I sent you
> > is certainly not classified as malware by any vendor I know. Perhaps you
> > are referring to a file which is downloaded during execution, I would
> > like to see more details on it.
> >
> >
> > I'm not convinced yet about this not being a false positive.
> >
> >
> > Greetings,
> > Johan
> >
> >
> >
> >
> > samples@eset.sk wrote:
>> > >
>> > > Dear Johan Brune,
>> > >
>> > > Thank you for your submission.
>> > > I have run the attached executable and it resulted in installing the bad "Circle development" adware. It is identified as Win32/TrojanDownloader.Swizzor trojan. Almost all vendors classify it as malware. Swizzor malware caused a lot of problems worldwide.
>> > > The statement about no relation with the CiD is not in harmony with the truth.
>> > > Intentional spreading of malware is considered a criminal act in many countries and it is not wise to overlook it.
>> > >
>> > > Regards,
>> > >
>> > > Daniel Novomeský
>> > > Virus Researcher
>> > > ESET spol. s r.o.
>> > >
>>> > >> --[<REMOVED>@<REMOVED>.com]---------------------
>> > >
>>> > >> The attached file is *password protected*, password is: infected
>>> > >> The *extension of the file inside the .zip has been changed from .exe to
>>> > >> .bak* to bypass GMail's restrictions on attachment file types. Despite
>>> > >> password protecting the .zip GMail will see there was a .exe inside and
>>> > >> refuse to send it.
>>> > >> My customer number: EAV-01534435
>>> > >>
>>> > >> The file attached is a *false positive*.
>>> > >>
>>> > >> The official location to download this file is
>>> > >> http://www.msgpluslive.net/download/
>>> > >> (http://mirror3.msgpluslive.net/MsgPlusLive-485.exe).
>>> > >>
>>> > >> The file is the installer of the latest version (4.85.386 - 19/07/2010)
>>> > >> of a software called Messenger Plus! Live (http://www.msgpluslive.net/).
>>> > >> Older versions of Messenger Plus! did indeed bundle with an (optional)
>>> > >> adware sponsor package developed by Circle Development Ltd. However,
>>> > >> none of the recent versions of Messenger Plus! released over the past
>>> > >> months contain or download the CiD adware. The makers of Messenger Plus!
>>> > >> stopped using the CiD package completely and have no affiliation with
>>> > >> Circle Development Ltd.
>>> > >>
>>> > >> Messenger Plus! is created by Yuna Software Ltd.
>>> > >> http://www.yunasoftware.com/. Instead of the CiD adware Messenger Plus!
>>> > >> is bundled with either:
>>> > >>
>>> > >> * A community toolbar for the user's browser developed by Conduit
>>> > >> Ltd. (http://www.conduit.com/).
>>> > >> * Or the Ask.com search assistant which makes Ask.com the default
>>> > >> search engine in the user's browser.
>>> > >>
>>> > >> One of these two options is presented to the user during installation of
>>> > >> the Messenger Plus! software. Which of the two is presented to the user
>>> > >> depends on some factors like geographical location. In both cases the
>>> > >> installation of the sponsor package is optional and it is made clear to
>>> > >> the user what it does. Both Conduit and Ask are respected companies
>>> > >> which are not in the business of distributing adware, neither are they
>>> > >> in any way affiliated with Circle Development Ltd. which the CiDHelp
>>> > >> label refers to.
>>> > >>
>>> > >> None of the other antivirus companies I know detect this as a threat,
>>> > >> including the other recent versions which don't include CiDHelp either.
>>> > >> MsgPlusLive-485.exe :
>>> > >> http://www.virustotal.com/analisis/6231b9e65f4ea7...d78f4ee-1280051958
>>> > >> MsgPlusLive-484.exe:
>>> > >> http://www.virustotal.com/analisis/0792c2a0ac92a4...213b359-1280052125
>>> > >> MsgPlusLive-483.exe:
>>> > >> http://www.virustotal.com/analisis/c19739b132a269...4c42664-1280052289
>>> > >> MsgPlusLive-482.exe:
>>> > >> http://www.virustotal.com/analisis/9e22e81f66d4d0...372a78f-1280052360
>>> > >> MsgPlusLive-481.exe:
>>> > >> http://www.virustotal.com/analisis/ac93e570fed539...d9f5caf-1280052449
>>> > >>
>>> > >> Also see the thread about this in the Messenger Plus! support forum with
>>> > >> more information: http://shoutbox.menthix.net/showthread.php?tid=95106
>>> > >>
>>> > >>
>>> > >> I hope this issue can be solved quickly. Please contact me if more
>>> > >> details are needed.
>>> > >>
>>> > >> Greetings,
>>> > >> Johan Bruné
Frustrating as I can't find the file they refer to anywhere. Perhaps it is the old CiD uninstaller, but I submitted v3.85 which doesn't use that. ESET claims they see Win32/TrojanDownloader.Swizzor in v3.85. I'd like to see it with my own eyes, but it doesn't look like they're going to help people with that.