Opinions needed... Virustotal percents...

#1 Nov 08 2009 at 3:01 PM Rating: Good
Hello all.

I am trying to figure out if a certain file has a virus included with it. I am using Virustotal.com to test the file out.

The result from Virustotal is 17.50% (7 virus programs found a virus, out of the 40 programs that actually tested the file).

Virustotal.com wrote:
File Cinema_Craft_Encoder_SP2.exe received on 2009.11.08 20:26:08 (UTC)
Current status: finished
Result: 7/40 (17.50%)
 
Antivirus          Version          Last Update   Result
a-squared          4.5.0.41         2009.11.08    -
AhnLab-V3          5.0.0.2          2009.11.06    -
AntiVir            7.9.1.61         2009.11.08    -
Antiy-AVL          2.0.3.7          2009.11.05    -
Authentium         5.2.0.5          2009.11.08    -
Avast              4.8.1351.0       2009.11.08    -
AVG                8.5.0.423        2009.11.08    -
BitDefender        7.2              2009.11.08    -
CAT-QuickHeal      10.00            2009.11.07    -
ClamAV             0.94.1           2009.11.08    -
Comodo             2886             2009.11.08    -
DrWeb              5.0.0.12182      2009.11.08    -
eTrust-Vet         35.1.7108        2009.11.06    -
F-Prot             4.5.1.85         2009.11.08    -
F-Secure           9.0.15370.0      2009.11.04    -
Fortinet           3.120.0.0        2009.11.08    -
GData              19               2009.11.08    -
Ikarus             T3.1.1.74.0      2009.11.08    Trojan-Downloader.Win32.Mabjits
Jiangmin           11.0.800         2009.11.08    TrojanDropper.Agent.aboi
K7AntiVirus        7.10.891         2009.11.07    -
Kaspersky          7.0.0.125        2009.11.08    -
McAfee             5796             2009.11.08    -
McAfee+Artemis     5796             2009.11.08    -
McAfee-GW-Edition  6.8.5            2009.11.08    -
Microsoft          1.5202           2009.11.08    TrojanDownloader:Win32/Mabjits.A
NOD32              4585             2009.11.08    -
Norman             6.03.02          2009.11.06    -
nProtect           2009.1.8.0       2009.11.08    -
Panda              10.0.2.2         2009.11.08    Trj/CI.A
PCTools            7.0.3.5          2009.11.06    Backdoor.Graybird
Prevx              3.0              2009.11.08    Medium Risk Malware
Rising             21.54.62.00      2009.11.08    Packer.Win32.UnkPacker.b
Sophos             4.47.0           2009.11.08    -
Sunbelt            3.2.1858.2       2009.11.08    -
Symantec           1.4.4.12         2009.11.08    -
TheHacker          6.5.0.2.063      2009.11.06    -
TrendMicro         9.0.0.1003       2009.11.08    -
VBA32              3.12.10.11       2009.11.07    -
ViRobot            2009.11.6.2025   2009.11.06    -
VirusBuster        4.6.5.0          2009.11.08    -


Additional information
File size: 4895328 bytes
MD5 : 1f06745bfa68bc6d997718e920f4cd49
SHA1 : fce24a6b14d0426be4a6d2badfeebc90bfc0afb3
SHA256: f219f1f1d6fd733fbb1d79e46f237014d10ea2d676ef550fd627b105d7adf234
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x323F
timedatestamp.....: 0x49A05A0F (Sat Feb 21 20:46:23 2009)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name    viradd     virsiz     rawdsiz  ntrpy  md5
.text   0x1000     0x5BA2     0x5C00   6.51   2cec663f64ef38694dc96bb9f9cb766d
.rdata  0x7000     0x1190     0x1200   5.18   db16645055619c0cc73276ff5c3adb75
.data   0x9000     0x3997D8   0x400    4.71   b9d0aa986d9e766521436f5ad38cd7c5
.ndata  0x3A3000   0x8000     0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc   0x3AB000   0x3110     0x3200   5.42   5e07cf22050fe377822ed5595a5ce236

( 8 imports )

> advapi32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> comctl32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> gdi32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> kernel32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> shell32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> user32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> version.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ssdeep: 98304:nFXVabzdCzM6SEWU/0gi+4NZpUqBJbCKCE+wNOIczw8:n7IJCzCEW+0537UqTmK/+DI+
Prevx Info: info.prevx.com/aboutprogramtext.asp?PX5=757F3DBE60DA0749B2CA4AA51145F20061E2AB8A
PEiD : -
packers (F-Prot): NSIS
RDS : NSRL Reference Data Set


Sorry about the spacing on the chart above... I couldn't get it right with pre and /pre commands...

My question is this... Would you trust most of the well known virus scanners who say the file isn't a virus... or the not-so-well-known scanners? Maybe the not-so-well-known programs are seeing false positives...?

I was going to test out Sandboxie to see if anything came up, but I do not own a 32-bit OS anymore... and the author of Sandboxie can't guarantee that running Sandboxie on a 64-bit OS will not let stuff slip into other parts of your PC...

Any thoughts other than "do not use the file"?

Edited, Nov 8th 2009 8:02pm by PentUpAnger
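The PEInfo block in the report above can be read for more than the hashes. The example below (added here; it is not the poster's code and not anything VirusTotal ships) parses the five section rows and the file size as they appear in the post, and shows that almost all of the 4895328 bytes lie outside the sections the report hashed. That is consistent with the "packers (F-Prot): NSIS" line: an NSIS installer keeps its compressed payload appended after the PE, so per-section MD5s and entropy say nothing about what the installer drops. The 16x ratio and 7.0 entropy thresholds are this example's own assumptions, not values from the page.

```python
import hashlib

# Values copied from the "Additional information" block of the report in the
# thread (section columns: name, virtual address, virtual size, raw size,
# entropy, MD5 of the raw bytes).  Not the poster's code.
FILE_SIZE = 4895328  # "File size: 4895328 bytes"
SECTION_LISTING = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5BA2 0x5C00 6.51 2cec663f64ef38694dc96bb9f9cb766d
.rdata 0x7000 0x1190 0x1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0x9000 0x3997D8 0x400 4.71 b9d0aa986d9e766521436f5ad38cd7c5
.ndata 0x3A3000 0x8000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x3AB000 0x3110 0x3200 5.42 5e07cf22050fe377822ed5595a5ce236
"""
MD5_OF_NOTHING = hashlib.md5(b"").hexdigest()  # d41d8cd9...: hash of zero bytes

# Thresholds are assumptions chosen for this example, not from the report.
VSIZE_RATIO_LIMIT = 16
HIGH_ENTROPY = 7.0


def parse_sections(text):
    """Parse the six-column section table; the header row is skipped."""
    sections = []
    for line in text.splitlines()[1:]:
        name, vaddr, vsize, rawsize, entropy, md5 = line.split()
        sections.append({"name": name, "vaddr": int(vaddr, 16),
                         "vsize": int(vsize, 16), "rawsize": int(rawsize, 16),
                         "entropy": float(entropy), "md5": md5})
    return sections


def bytes_outside_sections(sections, file_size):
    """Bytes no section covers: the PE headers plus any overlay appended after
    the last section.  The section MD5s in the report do not describe them."""
    return file_size - sum(s["rawsize"] for s in sections)


def section_notes(sections):
    """Per-section observations worth calling out when reading such a table."""
    notes = {}
    for s in sections:
        found = []
        if s["rawsize"] == 0 or s["md5"] == MD5_OF_NOTHING:
            found.append("no bytes on disk (uninitialised at load)")
        elif s["vsize"] > VSIZE_RATIO_LIMIT * s["rawsize"]:
            found.append("virtual size far exceeds raw size")
        if s["entropy"] >= HIGH_ENTROPY:
            found.append("high entropy (compressed or encrypted content)")
        if found:
            notes[s["name"]] = found
    return notes


if __name__ == "__main__":
    secs = parse_sections(SECTION_LISTING)
    outside = bytes_outside_sections(secs, FILE_SIZE)
    print(f"{outside} of {FILE_SIZE} bytes ({100 * outside / FILE_SIZE:.1f}%) "
          "lie outside the hashed sections")
    for name, found in section_notes(secs).items():
        print(f"{name}: {'; '.join(found)}")
```

Run stand-alone it reports that roughly 99% of the file is headers plus overlay, flags .ndata as an empty-on-disk section (its MD5 is the hash of zero bytes) and .data as a section whose virtual size dwarfs its raw size. None of the sections reaches the high-entropy threshold, so the compressed payload lives in the overlay, which the per-section view never touches.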
#2 Nov 08 2009 at 7:13 PM Rating: Excellent
Gonna go with false positives. If all the virus scanners that picked it up had said it was the same thing, then I'd say it was a genuine risk. But only two of them came up with the same virus name; the other 5 all say something completely different.
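The reasoning in the reply above (count the hits, then ask whether the detecting engines agree on one family rather than each naming something different) can be applied mechanically to a VirusTotal listing. The script below is an added example, not code from the poster, the replier or VirusTotal; it parses the 40 engine rows from the report in the first post, reproduces the 7/40 (17.50%) figure, and reduces each detection string to a family token so the agreement can be counted. The list of "generic" words it discards and the three-character minimum for a family token are this example's own assumptions.

```python
import re
from collections import Counter

# The 40 engine rows from the report in the thread (whitespace normalised);
# "-" in the last column means the engine reported nothing.  Not VT's code.
VT_LISTING = """\
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.08 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.08 -
Antiy-AVL 2.0.3.7 2009.11.05 -
Authentium 5.2.0.5 2009.11.08 -
Avast 4.8.1351.0 2009.11.08 -
AVG 8.5.0.423 2009.11.08 -
BitDefender 7.2 2009.11.08 -
CAT-QuickHeal 10.00 2009.11.07 -
ClamAV 0.94.1 2009.11.08 -
Comodo 2886 2009.11.08 -
DrWeb 5.0.0.12182 2009.11.08 -
eTrust-Vet 35.1.7108 2009.11.06 -
F-Prot 4.5.1.85 2009.11.08 -
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.08 -
GData 19 2009.11.08 -
Ikarus T3.1.1.74.0 2009.11.08 Trojan-Downloader.Win32.Mabjits
Jiangmin 11.0.800 2009.11.08 TrojanDropper.Agent.aboi
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.08 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.08 -
Microsoft 1.5202 2009.11.08 TrojanDownloader:Win32/Mabjits.A
NOD32 4585 2009.11.08 -
Norman 6.03.02 2009.11.06 -
nProtect 2009.1.8.0 2009.11.08 -
Panda 10.0.2.2 2009.11.08 Trj/CI.A
PCTools 7.0.3.5 2009.11.06 Backdoor.Graybird
Prevx 3.0 2009.11.08 Medium Risk Malware
Rising 21.54.62.00 2009.11.08 Packer.Win32.UnkPacker.b
Sophos 4.47.0 2009.11.08 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.08 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.08 -
VBA32 3.12.10.11 2009.11.07 -
ViRobot 2009.11.6.2025 2009.11.06 -
VirusBuster 4.6.5.0 2009.11.08 -
"""

# engine  version  yyyy.mm.dd  result   (the result may contain spaces)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Threat-class, platform and heuristic words (assumed list): agreement on
# these alone says nothing about *which* family the engines think they see.
GENERIC_TOKENS = {"trojan", "trojandownloader", "trojandropper", "downloader",
                  "dropper", "backdoor", "agent", "win32", "w32", "trj", "packer",
                  "medium", "risk", "malware", "generic", "heur", "suspicious"}

def parse_listing(text):
    """One dict per engine row; the header line does not match ROW_RE."""
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows

def detection_ratio(rows):
    """(hits, engines, percent) as VirusTotal reports it, e.g. 7/40 = 17.5%."""
    hits = sum(1 for r in rows if r["result"])
    return hits, len(rows), round(100.0 * hits / len(rows), 2)

def family_name(result):
    """Reduce a vendor detection string to its most specific family token."""
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", result) if t]
    named = [t for t in tokens if t not in GENERIC_TOKENS and len(t) >= 3]
    return named[0] if named else "generic/heuristic"

def family_agreement(rows):
    """How many detecting engines land on each family name."""
    return Counter(family_name(r["result"]) for r in rows if r["result"])

def strongest_named_agreement(rows):
    """Largest number of engines agreeing on a specific (non-generic) family."""
    counts = family_agreement(rows)
    counts.pop("generic/heuristic", None)
    return max(counts.values(), default=0)

if __name__ == "__main__":
    rows = parse_listing(VT_LISTING)
    print("%d/%d engines (%.2f%%) flagged the file" % detection_ratio(rows))
    print("family agreement:", dict(family_agreement(rows)))
```

On the listing from the post this yields 7/40 (17.5%), with only Ikarus and Microsoft converging on the same family (mabjits); Panda's Trj/CI.A and Prevx's "Medium Risk Malware" collapse to generic/heuristic verdicts, and the remaining three each name something different. That is exactly the pattern the reply describes, and the function returns 2 as the strongest named agreement. The same parser works on any VirusTotal listing pasted in this four-column layout; the family reduction is a heuristic and will mis-split vendor strings that put the family first.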
#3 Nov 12 2009 at 7:13 AM Rating: Decent
OK, first, I'm not sure what OS or what program you are testing. It appears to have a virus.
A lot of scanners use trj-a, b, c to "lump" series of different viruses together, since they tend to act and harm similar files. This may be why you aren't getting the same name for each scan that pops a positive. If you really need the file, i.e. it's a program you have to have for work etc., I would make sure I have a clean restore point, antimalware bytes as well as super antispyware and your personal favorite AV program, and install it. The worst that can happen is you need to lose it. Run abm, then Sas, then your own AV program; if that doesn't work, sys-restore it. It sucks that programs we want/need sometimes come with viruses attached, and worse, embedded into them at times, but it appears you are doing your best to protect yourself. G/l, and if you have any problems holler back and I'm sure we will all be happy to help.