3 Sep
There will be times when legitimate software or a tool is flagged as a threat, or as a dangerous or suspicious file such as a virus or trojan. This is called a False Positive. A false positive, also known as a false detection or false alarm, occurs when an antivirus program detects a known virus string in an uninfected file. The file, while not infected with an actual virus, does contain a string of characters that matches a string from an actual virus. It’s just a coincidence…
I get pretty upset when I receive emails or comments saying that I upload viruses or trojans to infect my readers. No way would I do that. I’ve taken years to build this website’s reputation and I am not going to tarnish it by infecting my loyal readers with a virus. Think about it, I get NOTHING by doing this. Well, I don’t blame these people because they are probably basic computer users who listen to whatever their antivirus says. If you ask me which is my favorite antivirus, I’d say Kaspersky, but still HI (Human Intelligence) is the best way to avoid being infected by a virus. So today I am going to teach you how to determine if a file is truly a virus.
I think I am going to start off by teaching you some basics on how NOT to get infected by a virus in the first place. First things first, I’d advise you to go to Control Panel > Folder Options to configure some important settings. Go to the View tab and:
1. Select Show hidden files and folders
2. UNCHECK Hide extensions for known file types
3. UNCHECK Hide protected operating system files

The first and third points let you see hidden files or folders, because many viruses set the hidden attribute. The second point is important because many viruses use two extensions to fool users. An example is mypassword.txt.exe. If you’ve hidden the extensions for known file types, the file name would only appear as mypassword.txt while it is actually an executable (exe) file and not a text (txt) file. So always take note of the complete file name and extension.
Next, avoid being infected by an autorun.inf virus. A lot of really powerful viruses spread through USB flash drives via autorun. Let’s say I have a USB flash drive that is infected by an autorun virus. When I plug it into my computer, double click My Computer and then double click on the USB flash drive letter, Windows automatically processes the autorun.inf file and runs the virus that is on the flash drive, infecting my computer. See how dangerous and easy it is to get infected by an autorun virus? To counter this, you can disable Autorun for Windows.
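The two tricks above (double extensions and autorun.inf) can both be checked from a script before anything on a flash drive is opened. This is an added example, not code from the article: it parses an autorun.inf and lists the directives Windows would act on, and flags file names like mypassword.txt.exe. The autorun.inf content and the extension list are constructed for illustration.

```python
import re

# Constructed autorun.inf, modelled on the USB autorun trick the article
# describes (not a real sample): every verb points at one executable on the drive.
SAMPLE_AUTORUN_INF = """[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
"""

# File types Windows runs on double-click (assumed list for the double-extension check).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}

def autorun_commands(inf_text):
    """Return the directives in an autorun.inf that make Windows launch something:
    open=, shellexecute= and shell\\<verb>\\command= (the verbs on the right-click menu)."""
    commands = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            commands[key] = value
    return commands

def is_double_extension_trick(filename):
    """True for names like mypassword.txt.exe: an executable extension hiding
    behind a harmless-looking one, which 'Hide extensions' would mask."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and parts[2] in EXECUTABLE_EXTENSIONS
            and parts[1] not in EXECUTABLE_EXTENSIONS)

if __name__ == "__main__":
    for key, value in autorun_commands(SAMPLE_AUTORUN_INF).items():
        print(f"autorun.inf would run via {key}: {value}")
    for name in ("mypassword.txt.exe", "mypassword.txt", "notes.tar.gz"):
        print(name, "->", "double extension!" if is_double_extension_trick(name) else "ok")
```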
Now we’ll continue to the more interesting part, which is how to determine if a file is a virus. The file can be downloaded from a website, copied from an external USB flash drive or even received as an email attachment.
If you have an antivirus installed, scan the file with your antivirus program first. If nothing comes up and you’re still feeling paranoid about it, you can upload the suspicious file to VirusTotal and have it scanned with 36 antivirus engines. Obviously, if all 36 engines detect it as a threat, then it is definitely a dangerous file. If you get mixed and unsure results, with 10 engines saying that RemoveWGA.exe is a virus while the other 26 did not detect anything, like the table below, then you’ll have to analyse the file with ThreatExpert.
File RemoveWGA.exe received on 08.30.2008 06:39:17 (CET)

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.8.29.0 | 2008.08.29 | Win-Trojan/Muldrop.49664 |
| AntiVir | 7.8.1.23 | 2008.08.29 | - |
| Authentium | 5.1.0.4 | 2008.08.29 | - |
| Avast | 4.8.1195.0 | 2008.08.29 | - |
| AVG | 8.0.0.161 | 2008.08.29 | Downloader.Generic7.ADMP |
| BitDefender | 7.2 | 2008.08.30 | - |
| CAT-QuickHeal | 9.50 | 2008.08.29 | - |
| ClamAV | 0.93.1 | 2008.08.30 | PUA.Tool.RemoveWGA |
| DrWeb | 4.44.0.09170 | 2008.08.29 | Tool.RemoveWGA |
| eSafe | 7.0.17.0 | 2008.08.28 | Win32.Small |
| eTrust-Vet | 31.6.6057 | 2008.08.29 | Win32/Prigamb.A |
| Ewido | 4.0 | 2008.08.29 | - |
| F-Prot | 4.4.4.56 | 2008.08.29 | - |
| F-Secure | 7.60.13501.0 | 2008.08.30 | - |
| Fortinet | 3.14.0.0 | 2008.08.29 | - |
| GData | 19 | 2008.08.30 | - |
| Ikarus | T3.1.1.34.0 | 2008.08.30 | - |
| K7AntiVirus | 7.10.432 | 2008.08.29 | - |
| Kaspersky | 7.0.0.125 | 2008.08.30 | - |
| McAfee | 5373 | 2008.08.29 | - |
| Microsoft | 1.3807 | 2008.08.25 | - |
| NOD32v2 | 3401 | 2008.08.30 | - |
| Norman | 5.80.02 | 2008.08.29 | - |
| Panda | 9.0.0.4 | 2008.08.29 | - |
| PCTools | 4.4.2.0 | 2008.08.29 | - |
| Prevx1 | V2 | 2008.08.30 | Suspicious |
| Rising | 20.59.42.00 | 2008.08.30 | - |
| Sophos | 4.33.0 | 2008.08.29 | RemoveWGA |
| Sunbelt | 3.1.1592.1 | 2008.08.29 | RiskTool.Win32.ProcessPatcher.Sml!cobra (v) |
| Symantec | 10 | 2008.08.30 | - |
| TheHacker | 6.3.0.6.068 | 2008.08.30 | - |
| TrendMicro | 8.700.0.1004 | 2008.08.29 | - |
| VBA32 | 3.12.8.4 | 2008.08.29 | - |
| ViRobot | 2008.8.29.1355 | 2008.08.29 | Spyware.Small.Dr.13824.A |
| VirusBuster | 4.5.11.0 | 2008.08.29 | - |
| Webwasher-Gateway | 6.6.2 | 2008.08.29 | - |
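Tallying a table like this by hand is what the article does with "10 vs 26"; the same reasoning, plus a look at what the detection names actually say, can be scripted. This is an added example, not code from the article or from VirusTotal: it parses rows in the table's format and separates PUA/tool/heuristic names (and names that merely echo the file's own name) from named malware families before giving a verdict. Only an excerpt of the article's table is embedded; the marker list and the consensus threshold are assumptions.

```python
# Excerpt of the article's VirusTotal table for RemoveWGA.exe (30 Aug 2008);
# "-" means no detection. Paste the full table to triage all 36 rows.
VT_TABLE = """\
| AhnLab-V3 | 2008.8.29.0 | 2008.08.29 | Win-Trojan/Muldrop.49664 |
| AntiVir | 7.8.1.23 | 2008.08.29 | - |
| AVG | 8.0.0.161 | 2008.08.29 | Downloader.Generic7.ADMP |
| ClamAV | 0.93.1 | 2008.08.30 | PUA.Tool.RemoveWGA |
| eSafe | 7.0.17.0 | 2008.08.28 | Win32.Small |
| Kaspersky | 7.0.0.125 | 2008.08.30 | - |
| Microsoft | 1.3807 | 2008.08.25 | - |
| Sophos | 4.33.0 | 2008.08.29 | RemoveWGA |
| Sunbelt | 3.1.1592.1 | 2008.08.29 | RiskTool.Win32.ProcessPatcher.Sml!cobra (v) |
| Symantec | 10 | 2008.08.30 | - |
"""

# Assumed markers of a PUA/tool/heuristic verdict rather than a named malware family.
WEAK_MARKERS = ("pua", "tool", "risk", "suspicious", "generic", "not-a-virus")

def parse_vt_rows(table_text):
    """(engine, result) pairs from rows shaped '| engine | version | date | result |'."""
    rows = []
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] not in ("Antivirus", "---"):   # skip header rows
            rows.append((cells[0], cells[3]))
    return rows

def classify_label(result, filename):
    """'clean', 'weak' (PUA/tool/heuristic, or just the file's own name) or 'malware'."""
    if result == "-":
        return "clean"
    lowered, stem = result.lower(), filename.lower().rsplit(".", 1)[0]
    if stem in lowered or any(m in lowered for m in WEAK_MARKERS):
        return "weak"
    return "malware"

def triage(table_text, filename, consensus=0.75):
    """Tally the rows and give a verdict; `consensus` is an assumed threshold."""
    counts = {"clean": 0, "weak": 0, "malware": 0}
    for _engine, result in parse_vt_rows(table_text):
        counts[classify_label(result, filename)] += 1
    hits = counts["weak"] + counts["malware"]
    if hits == 0:
        return counts, "no detections"
    if hits / sum(counts.values()) >= consensus:
        return counts, "consensus: malicious"
    if counts["malware"] > counts["weak"]:
        return counts, "mixed, named families dominate: treat as malicious"
    return counts, "mixed, mostly PUA/tool/heuristic names: analyse behaviour first"
```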
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias.
Just visit ThreatExpert, browse to the file that you want to submit for analysis, enter your email address, agree to the terms and conditions and click the Submit button. In a few minutes, you’ll receive an email notifying you that the analysis is complete, with a link to the report.
ThreatExpert Report on RemoveWGA: Link
ThreatExpert Report on Bifrost Trojan: Link
The report for the Bifrost trojan shows that the exe file creates files in the Windows\System32 folder. It also creates new registry values that command Windows to auto run the file whenever Windows boots up. Finally, the file creates outbound traffic to hacker.ipaddress.com via port 2000.
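The three tells in that report (files dropped into the Windows folders, a Run-key entry, an outbound connection on an odd port) are exactly what a reader should look for in any behaviour report. As an added example that is not part of the article or of ThreatExpert, here is a small scorer over such events; the event list is constructed to mirror the Bifrost findings described above, with placeholder file and value names, and the weights and thresholds are assumptions.

```python
# Constructed behaviour events in the style of the ThreatExpert findings for the
# Bifrost sample described above (paths and names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\sample_dropped.exe"},
    {"type": "reg_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "sample", "data": r"C:\Windows\System32\sample_dropped.exe"},
    {"type": "net_connect", "host": "hacker.ipaddress.com", "port": 2000},
    # benign-looking noise that a report also lists
    {"type": "file_create", "path": r"C:\Users\me\AppData\Local\Temp\log.txt"},
    {"type": "reg_set", "key": r"HKCU\Software\SampleApp", "value": "Lang", "data": "en"},
]

WINDOWS_DIR = "\\windows\\"                                   # covers System32 too
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
COMMON_PORTS = {80, 443}                                      # less unusual than e.g. 2000

def assess(events):
    """Return (score, findings) for the three tells the article's report shows:
    files dropped into the Windows folders, Run-key persistence, outbound traffic."""
    score, findings = 0, []
    for ev in events:
        if ev["type"] == "file_create" and WINDOWS_DIR in ev["path"].lower():
            score += 2
            findings.append(f"drops file into Windows folder: {ev['path']}")
        elif ev["type"] == "reg_set" and ev["key"].lower().endswith(AUTOSTART_KEYS):
            score += 3
            findings.append(f"auto-start persistence: {ev['key']}\\{ev['value']} = {ev['data']}")
        elif ev["type"] == "net_connect":
            score += 1 if ev["port"] in COMMON_PORTS else 2
            findings.append(f"outbound connection to {ev['host']}:{ev['port']}")
    return score, findings

def verdict(score):
    """Assumed thresholds: 0-1 benign-looking, 2-4 suspicious, 5 and up likely malicious."""
    return "benign-looking" if score < 2 else "suspicious" if score < 5 else "likely malicious"

if __name__ == "__main__":
    total, found = assess(SAMPLE_EVENTS)
    print(verdict(total), total, *found, sep="\n")
```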
If you are unable to determine whether the file is dangerous or not after scanning it with 36 antivirus engines and analyzing it with ThreatExpert, but you still want to run the file, then I’d suggest running it in a virtual environment (Sandboxie or SafeSpace).
Now you know how to determine if a file flagged by your antivirus program as a threat is really dangerous or not. Don’t get me wrong, you still need an antivirus program because it protects your computer in real time. There are times when we are tired and won’t be so cautious.
20 Responses for "Is this a Virus? How to Determine if the File is Dangerous or Not"
Should the user still want the autorun feature, he/she should just
1. Right click on My Computer, then click Explore
2. On the smaller, left pane, click on the desired drive
This way, the command(s) in autorun.inf won’t be executed.
If the system has restrictions regarding Folder Options and regedit, but the command prompt can still be accessed, just run it, then type
attrib -r -h -s <x>:\autorun.inf
If there’s an autorun.inf on the drive, it will show (unless the malware has already run, thus making autorun.inf hidden again)
Thank you very much Raymond. I just wanted something like ThreatFire.
Well, my friend.. impressed by your blog… learnt a lot of stuff!! But the point is most of your older blogs are out-dated, like the Yahoo invisible thing that isn’t there.. the link says error 404… would be great if you could just check those things
hmmm….. very useful… keep on coming…
Yes! These are the same things I’ll do in case of suspicious files!
Anubis is also a good choice for checking exe files!
http://anubis.iseclab.org/
Great article, it’s always a pleasure to read your articles.
Thanks Raymond for this helpful article..!
(Shameless plug) What about using the Sunbelt Sandbox? http://www.sunbeltsandbox.com or cwsandbox.org
Thanks Raymond. It’s really a nice one.
Hi
Raymond great information.
Because this is the month of Ramzan, can you provide our Muslim friends who visit this blog with some useful software that might help them in this month of Ramzan.
software like
Auto Azan (call for prayer)
Sehar and Iftar timings
etc.,
this is just a request.
thanks in advance
Wow, ThreatExpert is really excellent, with that info, you can remove all the crap. Just bookmarked. I also use the Virus Total uploader, right-click and analyse.
I get all my downloads from newsgroups and I don’t take risks. I see that you got the EMBRACE keygen. I downloaded Sandboxie v3.28 from DVT and Norton found Infostealer.Gampass, then I got Sandboxie v3.30 from CORE and Norton found another infection. However, the EMBRACE version is clean. My question is, if I run CORE’s version in Sandboxie, is my computer safe from this infected file? Thanks Rayman
Thanks Ray. It’s so useful.
@aBg_rOnGak
autorun.inf files can be modified so that clicking “Explore” will launch viruses. And we can add our own text like “Scan” to the context menu using autorun.inf
Thanks Ray, my PC is infected all the time and at the end of the day I randomly kill processes =P This should help..
OK, so RemoveWGA was a virus/trojan? And if it’s a yes, then why didn’t the AVs pick it up?
NO, RemoveWGA is NOT a virus. That’s what I am trying to explain above.
Prashanth
Please read carefully…. I typed Explore on My Computer, not on the drive itself….
And I would like to correct a mistake… the command line should be
attrib -r -h -s <x>:\autorun.inf
<x> is the drive’s letter
It seems that my mistake was, I put the letter in the brackets (what’s its name? — the ones beside the letter M on the keyboard)
There’s also FreeCommander. It can open flash disks without executing what is on them. You can also see hidden or system files. You can easily change attributes and wipe files that you suspect. http://www.freecommander.com