VDOWN - Best SoftWARE We Down
Trojan Warning, Core Keygen Warning
twip
post Jul 16 2010, 09:33 PM
Post #1





I got this 'Trojan Downloader.win32.Exchanger.bbb' Warning about the 'Core' keygen from KIS.

Is it a false positive?


Thanx

twip
jalaffa
post Jul 16 2010, 09:59 PM
Post #2





Most likely if it was posted on this board. BUT there are cases where bad people attach malware to the real keygens and post those on obscure sites with no quality control.

QUOTE
http://blocklistpro.com/latest/when-a-keygen-is-more-than-a-keygen.html


The keygen described there is NOT the real CORE keygen as posted on this board here
twip
post Jul 16 2010, 11:59 PM
Post #3





Thanx jalaffa for the reply.

It was on this board. Members area.

Suspect: Play With Pictures.

twip
nonspin
post Jul 19 2010, 04:36 AM
Post #4






I would bet quite some money on it being a trojan, because of three reasons:

1. Core never released a keygen for any Kaspersky product.

2. The detection string for the Trojan-Downloader.Win32.Exchanger.a (and b) is obviously a program which is capable of accessing a remote computer to download further files. Now, for that to happen it needs to utilize specific functions of standard DLLs. Those functions are specified in the Import Table of a program.

For example WININET.InternetOpenA or WININET.InternetReadFile. If none of those imports are present it's not a "Trojan-Downloader". Since keygens don't usually need these functions, plus the fact that they are present, it looks - let's say - very very suspicious.

3. What better way to infect a computer than by knowing it currently has no defence running?


If you still have access to that keygen, post a link so I can analyse it - please.

nonspin
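
The import-table check described in post #4, as an added example that is not part of the thread: a small Python parser that lists the functions a PE file imports and flags WinINet-style download APIs. The function names, the two `NET_APIS` entries beyond those named in the post, and the constructed sample image are assumptions made for illustration.

```python
import struct

# InternetOpenA and InternetReadFile are the imports named in the post; the other two are assumed additions.
NET_APIS = {"InternetOpenA", "InternetReadFile", "InternetOpenUrlA", "URLDownloadToFileA"}

def parse_imports(pe: bytes) -> dict:
    """Return {dll: [function, ...]} read from a PE32 or PE32+ import table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                      # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = (struct.unpack_from("<H", pe, nt + o)[0] for o in (6, 20))
    opt = nt + 24                                                   # optional header
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B            # PE32+ magic
    fmt, width, by_ordinal = ("<Q", 8, 1 << 63) if pe64 else ("<I", 4, 1 << 31)
    imp_rva = struct.unpack_from("<I", pe, opt + (120 if pe64 else 104))[0]
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                   # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):                                                  # NUL-terminated ASCII string
        start = off(rva)
        return pe[start:pe.index(b"\0", start)].decode("ascii", "replace")
    out, desc = {}, (off(imp_rva) if imp_rva else None)
    while desc is not None and (d := struct.unpack_from("<5I", pe, desc))[3]:  # Name RVA 0 ends table
        thunk, funcs = off(d[0] or d[4]), []                        # OriginalFirstThunk, else FirstThunk
        while (v := struct.unpack_from(fmt, pe, thunk + width * len(funcs))[0]):
            funcs.append(f"ordinal#{v & 0xFFFF}" if v & by_ordinal else cstr((v & 0x7FFFFFFF) + 2))
        out.setdefault(cstr(d[3]), []).extend(funcs)
        desc += 20
    return out

def network_imports(pe: bytes) -> list:
    return sorted(f"{dll}!{fn}" for dll, fns in parse_imports(pe).items() for fn in fns if fn in NET_APIS)

def build_sample(dll: bytes, funcs: list) -> bytes:  # constructed minimal PE32, sample input only
    va, raw, sec = 0x1000, 0x200, bytearray(40 + 4 * (len(funcs) + 1))
    for i, fn in enumerate(funcs):                                  # thunk i -> hint/name entry
        struct.pack_into("<I", sec, 40 + 4 * i, va + len(sec))
        sec += b"\0\0" + fn + b"\0"
    struct.pack_into("<5I", sec, 0, va + 40, 0, 0, va + len(sec), va + 40)
    sec += dll + b"\0"
    hdr = bytearray(raw)
    for fmt, at, *vals in (("2s", 0, b"MZ"), ("<I", 0x3C, 0x40), ("4s", 0x40, b"PE\0\0"), ("<H", 0x46, 1),
                           ("<H", 0x54, 0xE0), ("<H", 0x58, 0x10B), ("<I", 0xC0, va),
                           ("<4I", 0x140, len(sec), va, len(sec), raw)):
        struct.pack_into(fmt, hdr, at, *vals)
    return bytes(hdr + sec)
```

A hit only shows that the binary is able to fetch data over the network, and an empty result does not clear a file, because a program can also resolve APIs at run time without listing them in its import table.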



twip
post Jul 31 2010, 06:14 AM
Post #5





QUOTE (nonspin @ Jul 19 2010, 05:36 AM)


Sorry for the delay in replying.

1. It was KIS that gave the warning. It was not the app with the suspect core keygen.

2. The app with the 'suspect' is 'Play With Pictures' + core keygen. If you want to look at it, it's in the dl area of this board.

Good luck. Be very careful!

twip