
Possible false positive but cannot confirm this

3 replies to this topic

#1 akjunke

akjunke

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:11 PM

Posted 18 June 2009 - 07:58 PM

Hello,

I've had a virus detection in a3-free and AVG, and I'm slightly concerned about it. I'd appreciate some advice from someone a bit more adept with computers than myself :thumbsup:

The virus is detected in A3 as "Exploit.Win32.MS04!k" and is on six files in the temp folder, e.g.: C:\Users\A---\Appdata\Local\Temp\~PI1187.tmp. All the files have a similar name, starting with "~PI". In AVG, I just get a message that the same six files "May be infected by unknown virus Exploit.JPEG". There's no other information than that in AVG.

Malwarebytes, Ad-aware and Avira Antivir all show the files as clean. I did a jotti.org scan and about half the scanners show the files as infected.

After googling I found that the MS04 virus sometimes shows on images that have been resized by the user. Also, the "PI" extension seems to be some kind of high-quality or encrypted image format. In my case, I'm assuming these are temp files left/created after I resized or edited some images (though I've never knowingly used or downloaded files in the format).

I've scanned all the .jpg images on the PC and my portable HD, and AVG/A3 shows them as clean. I've also submitted the files for analysis to ikarus and grisoft, but this can take days or weeks. I'm using Vista 32-bit on a Dell laptop.

I don't have any recurring virus issues at this point; the files have been successfully quarantined and I rescanned my PC - it's showing as clean now across the board. I don't seem to need any technical help at this point - however, it would be great if someone could confirm this as a false positive, or if this is a real virus issue. I'm concerned that it will reoccur until I identify the source of the virus, or at least find out what risky action I took to get it on my PC.

Thanks for your help.


#2 Zllio

Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:11:11 AM

Posted 22 June 2009 - 09:57 AM

Hi akjunke,

I can see your frustration. The messages on the internet are mixed. However, what seems to be consistent is that the information following the MS04 in the name Exploit.Win32.MS04 gives more information about what this is. In one case, I believe it is Exploit.Win32.MS04 011; this refers to a file called explor.exe which is definitely malware. Your particular filename, ending with !k, doesn't appear anywhere on the internet except in this thread we're in now.

There is another thread about this that I can refer you to: http://www.bleepingcomputer.com/forums/t/159591/avg-8-detects-exploitjpeg-only-in-the-resized-file/

Also, how are you resizing your photos?

I'm sorry this is not more substantial. I hope the files you submitted to ikarus and grisoft will return some kind of result that can clarify this and that you can post those results back here.

Sorry for the long wait.
Thanks for bringing this up.
Zllio

#3 akjunke

akjunke
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:11 PM

Posted 29 June 2009 - 05:37 PM

Thanks for the reply. I have some additional information on this:

The !K filename ending appears sometimes on a3-free detections, and I think it's specific to that scanner. I suspect it may indicate a heuristic detection, but I'm only speculating on that. I've seen this filename ending on a number of false positives before too. Neither company has responded to the files submitted, and going on my previous experience I suspect they never will.

I don't use any specific software to resize photos, only the pre-installed Microsoft Paint and sometimes Windows Photo Gallery to crop photos. That's what makes this quite confusing, as other people seem to have the detections using non-Microsoft programs. Hope this helps.

Thanks again.

#4 Zllio

Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:11:11 AM

Posted 30 June 2009 - 12:07 AM

Hi akjunke,

I've seen this treated more often as a virus than not, but only when it has the right ending, which I found as 011 and I think another was 028. If this has only come up once and you don't need those pictures, I would simply keep them quarantined or in a zip file, or if you can part with them, delete them. As for the more general question as to whether or not they are false positives, one has to ask oneself what is different about those files from any others you have. You ran them through Jotti. Do you still have the results of that scan? I'd like to see what names of viruses are given to them.

Thanks.
Zllio
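An added triage check, not part of the thread and not from any of the scanners named in it: the "Exploit.JPEG" and MS04 names point at MS04-028, the GDI+ JPEG parsing bug, whose trigger is a comment (COM) or APPn segment whose 16-bit length field is below 2. The script below walks a file's JPEG marker segments and reports such a segment (or reports that the file is not a JPEG at all), so a quarantined ~PI*.tmp file can be inspected without an image viewer; the sample bytes are constructed here, not taken from the thread.

```python
import struct, sys
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))  # markers with no length field

def check_jpeg_segments(data: bytes):
    """Walk JPEG marker segments up to SOS. Returns ([(marker, length), ...], findings).
    A COM/APPn length below 2 is the malformed structure MS04-028 signatures key on."""
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        return segments, ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"unexpected byte 0x{data[pos]:02x} at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker, skip it
            pos += 1
            continue
        if marker in STANDALONE:          # SOI/EOI/TEM/RSTn carry no length field
            segments.append((marker, 0))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated length field at offset {pos}")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, length))
        if length < 2:                    # the length counts itself, so < 2 is impossible
            findings.append(f"marker FF{marker:02X} at offset {pos} has length {length} (< 2): MS04-028 trigger pattern")
            break
        pos += 2 + length
        if marker == SOS:                 # entropy-coded image data follows; stop here
            break
    return segments, findings

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (not files from the thread): a well-formed header and one with a bad COM length.
CLEAN_JPEG = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + _segment(COM, b"resized") + b"\xff\xd9"
BAD_COM_JPEG = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00") + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    for path in sys.argv[1:]:             # e.g. the quarantined ~PI*.tmp files
        with open(path, "rb") as fh:
            segs, problems = check_jpeg_segments(fh.read())
        print(path, [f"FF{m:02X}" for m, _ in segs], problems or "no malformed segments")
```

A file that is not a JPEG at all, or whose segments all carry sane lengths, does not contain the structure the MS04-028 signature describes, which supports the false-positive reading; a file flagged here deserves to stay in quarantine.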
