
Is this a Virus? How to Determine if the File is Dangerous or Not

Posted By Raymond In Category: Computer, Sep 3, 2008

I review and post a lot of useful software and small tools that help make our computing lives easier. The links I post with each article are guaranteed to be taken directly from the official website. Only when a link is no longer available do I upload the original, untampered file to RapidShare to act as a download mirror.

There will be times when legitimate software or a tool is flagged as a threat, dangerous or suspicious file, such as a virus or trojan. This is called a false positive. A false positive, also known as a false detection or false alarm, occurs when an antivirus program detects a known virus signature string in an uninfected file. The file, while not infected with an actual virus, contains a string of characters that matches a string from an actual virus. It’s just a coincidence.

I get pretty upset when I receive emails or comments saying that I uploaded a virus or trojan to infect my readers. No way I would do that. I’ve taken years to build this website’s reputation and I am not going to tarnish it by infecting my loyal readers with a virus. Think about it: I get NOTHING by doing this. Well, I don’t blame these people, because they are probably basic computer users who listen to whatever their antivirus says. If you ask me which is my favorite antivirus, I’d say Kaspersky, but HI (Human Intelligence) is still the best way to avoid being infected by a virus. So today I am going to teach you how to determine if a file is truly a virus.


I think I am going to start off by teaching you some basics on how NOT to get infected by a virus in the first place. First things first, I’d advise you to go to Control Panel > Folder Options to configure some important settings. Go to the View tab and:

1. Select Show hidden files and folders
2. UNCHECK Hide extensions for known file types
3. UNCHECK Hide protected operating system files

(Screenshot: secured Folder Options settings)

The first and third points let you see hidden files and folders, because many viruses set the hidden attribute. The second point is important because many viruses use two extensions to fool users. An example is mypassword.txt.exe. If you’ve hidden the extensions for known file types, the file name would only appear as mypassword.txt, while it is actually an executable (exe) file and not a text (txt) file. So always take note of the complete file name and extension.

Next, avoid being infected by an autorun.inf virus. A lot of really powerful viruses spread through USB flash drives via autorun. Let’s say I have a USB flash drive that is infected by an autorun virus. When I plug it into my computer, double-click My Computer and then double-click on the USB flash drive letter, Windows automatically processes the autorun.inf file and runs the virus that is on the flash drive to infect my computer. See how dangerous and easy it is to get infected by an autorun virus? To counter this, you can disable Autorun in Windows.
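The two habits above (look at the complete file name, and watch for autorun.inf on removable drives) can be checked automatically. The following is an added example, not code from the original post: it builds a constructed stand-in for a USB stick in a temporary directory, shows what Explorer would display for a double-extension name when "Hide extensions for known file types" is ticked, and lists every file whose decoy extension is followed by an executable one, together with any autorun.inf it finds. The extension lists are assumed illustrative subsets, not Windows' full list of registered types.

```python
import os
import tempfile

# Assumed lists: extensions Windows runs when double-clicked, and extensions
# that look like harmless data. Both are illustrative subsets, not complete.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".pdf", ".mp3", ".avi"}


def explorer_display_name(filename):
    """What Explorer shows when 'Hide extensions for known file types' is ticked:
    the last known extension is dropped, so mypassword.txt.exe appears as mypassword.txt."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename


def is_deceptive_name(filename):
    """True for a decoy extension followed by an executable one, e.g. photo.jpg.scr."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    inner_ext = os.path.splitext(stem)[1]
    return inner_ext.lower() in DECOY_EXTS


def audit_directory(root):
    """Walk `root` and return (deceptive_names, autorun_paths), both relative to
    root and sorted so the result is stable."""
    deceptive, autorun = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if is_deceptive_name(name):
                deceptive.append(rel)
            if name.lower() == "autorun.inf":
                autorun.append(rel)
    return sorted(deceptive), sorted(autorun)


def build_sample_drive():
    """Constructed stand-in for a USB flash drive: a temp dir with a few files,
    two of them using the double-extension trick and one autorun.inf."""
    root = tempfile.mkdtemp(prefix="sample_drive_")
    for rel in ["mypassword.txt.exe", "photo.jpg.scr", "readme.txt",
                "setup.exe", "autorun.inf", os.path.join("docs", "notes.txt")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    deceptive, autorun = audit_directory(drive)
    for name in deceptive:
        shown = explorer_display_name(os.path.basename(name))
        print(f"Explorer shows {shown!r}, but the file is really {name!r}")
    print("autorun.inf present:", autorun)
```

Run it against the root of a removable drive instead of the constructed directory to get the same two lists for a real stick; a non-empty autorun list is the cue to open the drive without letting Windows process the file.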

Now we’ll continue to the more interesting part, which is how to determine if a file is a virus. The file can be downloaded from a website, copied from an external USB flash drive or even come from an email attachment.

If you have an antivirus installed, scan the file with your antivirus program first. If nothing comes up and you’re still feeling paranoid about it, you can upload the suspicious file to VirusTotal and have it scanned with 36 types of antivirus. Obviously, if all 36 antivirus engines detect it as a threat, then it is definitely a dangerous file. If you get mixed and unsure results, with 10 antivirus engines saying that RemoveWGA.exe is a virus while the other 26 detect nothing, like the table below, then you’ll have to analyse the file with ThreatExpert.

File RemoveWGA.exe received on 08.30.2008 06:39:17 (CET)

Antivirus           Version          Last Update   Result
AhnLab-V3           2008.8.29.0      2008.08.29    Win-Trojan/Muldrop.49664
AntiVir             7.8.1.23         2008.08.29    -
Authentium          5.1.0.4          2008.08.29    -
Avast               4.8.1195.0       2008.08.29    -
AVG                 8.0.0.161        2008.08.29    Downloader.Generic7.ADMP
BitDefender         7.2              2008.08.30    -
CAT-QuickHeal       9.50             2008.08.29    -
ClamAV              0.93.1           2008.08.30    PUA.Tool.RemoveWGA
DrWeb               4.44.0.09170     2008.08.29    Tool.RemoveWGA
eSafe               7.0.17.0         2008.08.28    Win32.Small
eTrust-Vet          31.6.6057        2008.08.29    Win32/Prigamb.A
Ewido               4.0              2008.08.29    -
F-Prot              4.4.4.56         2008.08.29    -
F-Secure            7.60.13501.0     2008.08.30    -
Fortinet            3.14.0.0         2008.08.29    -
GData               19               2008.08.30    -
Ikarus              T3.1.1.34.0      2008.08.30    -
K7AntiVirus         7.10.432         2008.08.29    -
Kaspersky           7.0.0.125        2008.08.30    -
McAfee              5373             2008.08.29    -
Microsoft           1.3807           2008.08.25    -
NOD32v2             3401             2008.08.30    -
Norman              5.80.02          2008.08.29    -
Panda               9.0.0.4          2008.08.29    -
PCTools             4.4.2.0          2008.08.29    -
Prevx1              V2               2008.08.30    Suspicious
Rising              20.59.42.00      2008.08.30    -
Sophos              4.33.0           2008.08.29    RemoveWGA
Sunbelt             3.1.1592.1       2008.08.29    RiskTool.Win32.ProcessPatcher.Sml!cobra (v)
Symantec            10               2008.08.30    -
TheHacker           6.3.0.6.068      2008.08.30    -
TrendMicro          8.700.0.1004     2008.08.29    -
VBA32               3.12.8.4         2008.08.29    -
ViRobot             2008.8.29.1355   2008.08.29    Spyware.Small.Dr.13824.A
VirusBuster         4.5.11.0         2008.08.29    -
Webwasher-Gateway   6.6.2            2008.08.29    -
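A mixed VirusTotal result like the one above carries more information than the bare 10/36 count: several of the hits name the file as a tool or PUA (ClamAV, DrWeb, Sunbelt) or simply repeat the file's own name (Sophos), and others are generic or heuristic labels rather than a specific malware family. The script below is an added example, not part of the original post or of VirusTotal: it takes the ten detections from the table, sorts each detection name into "tool", "generic" or "family" using assumed keyword lists, and returns a verdict under assumed thresholds (broad agreement is malicious, zero hits is no signature match, anything in between is inconclusive and should go to behavioural analysis, as the article advises).

```python
import re

# The ten detections from the VirusTotal table above; the 26 "-" rows are
# omitted and only counted through TOTAL_ENGINES.
TOTAL_ENGINES = 36
DETECTIONS = {
    "AhnLab-V3": "Win-Trojan/Muldrop.49664",
    "AVG": "Downloader.Generic7.ADMP",
    "ClamAV": "PUA.Tool.RemoveWGA",
    "DrWeb": "Tool.RemoveWGA",
    "eSafe": "Win32.Small",
    "eTrust-Vet": "Win32/Prigamb.A",
    "Prevx1": "Suspicious",
    "Sophos": "RemoveWGA",
    "Sunbelt": "RiskTool.Win32.ProcessPatcher.Sml!cobra (v)",
    "ViRobot": "Spyware.Small.Dr.13824.A",
}

# Assumed keyword lists. Tool markers flag "known but unwanted tool" signatures;
# generic markers flag heuristic or catch-all names rather than a named family.
TOOL_MARKERS = {"pua", "tool", "risktool"}
GENERIC_MARKERS = ("generic", "suspicious", "small", "heur")


def classify_name(result, sample_stem):
    """Sort one engine's detection name into 'tool', 'generic' or 'family'.
    A name that repeats the submitted file's own stem counts as 'tool'."""
    tokens = re.findall(r"[a-z0-9]+", result.lower())
    if sample_stem.lower() in tokens or any(t in TOOL_MARKERS for t in tokens):
        return "tool"
    if any(t.startswith(GENERIC_MARKERS) for t in tokens):
        return "generic"
    return "family"


def triage(detections, total_engines, sample_name):
    """Summarise a multi-engine result into counts, a hit ratio and a verdict."""
    stem = sample_name.rsplit(".", 1)[0]
    counts = {"tool": 0, "generic": 0, "family": 0}
    for result in detections.values():
        counts[classify_name(result, stem)] += 1
    hits = len(detections)
    ratio = hits / total_engines
    # Assumed thresholds, not VirusTotal's own: half the engines agreeing is
    # treated as malicious; a minority is inconclusive either way.
    if hits == 0:
        verdict = "no signature match"
    elif ratio >= 0.5:
        verdict = "malicious: broad engine agreement"
    elif counts["family"] <= counts["tool"] + counts["generic"]:
        verdict = "inconclusive: mostly tool/PUA or generic names, run behavioural analysis"
    else:
        verdict = "inconclusive: specific family names from a minority, run behavioural analysis"
    return {"hits": hits, "total": total_engines, "ratio": round(ratio, 3),
            "counts": counts, "verdict": verdict}


if __name__ == "__main__":
    summary = triage(DETECTIONS, TOTAL_ENGINES, "RemoveWGA.exe")
    print(f"{summary['hits']}/{summary['total']} engines ({summary['ratio']:.1%})")
    print("name classes:", summary["counts"])
    print("verdict:", summary["verdict"])
```

For the table above this yields 10/36 with four tool/PUA names, four generic names and only two named families, which is the profile of an unwanted-tool signature rather than of malware, and exactly the case the article sends to ThreatExpert.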

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias.

Just visit ThreatExpert, browse to the file that you want to submit for analysis, enter your email address, agree to the terms and conditions and click the Submit button. In a few minutes, you’ll receive an email notifying you that the analysis is complete, with a link to the report.

ThreatExpert Report on RemoveWGA: Link
ThreatExpert Report on Bifrost Trojan: Link

The report for the Bifrost trojan shows that the exe file creates files in the Windows\System32 folder. It also creates new registry values that command Windows to auto-run the file whenever Windows boots up. Finally, the file generates outbound traffic to hacker.ipaddress.com via port 2000.
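The three behaviours just listed (a drop into the system directory, an autostart registry value, and an outbound connection) are what to look for in any behavioural report. The script below is an added example, not part of the original post or of ThreatExpert: it runs those checks over a constructed report shaped like the Bifrost summary above, and over a constructed contrast report for a tool that only writes to its own folder. The dropped file name and the "updater" value name are placeholders; the Run key path is the standard Windows autostart location, and the indicator rules are assumptions.

```python
# Constructed report mirroring the Bifrost behaviour described above. The
# dropped file name and the value name "updater" are placeholders; the host
# and port are the ones named in the report summary.
BIFROST_LIKE_REPORT = {
    "files_created": [r"C:\Windows\System32\dropped_sample.exe"],
    "registry_set": [
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
         "updater", r"C:\Windows\System32\dropped_sample.exe"),
    ],
    "network": [("hacker.ipaddress.com", 2000, "outbound")],
}

# Constructed contrast: a tool that only touches its own folder, sets no
# autostart value and makes no connection.
BENIGN_LIKE_REPORT = {
    "files_created": [r"C:\Tools\RemoveWGA\settings.ini"],
    "registry_set": [],
    "network": [],
}

# Assumed indicator rules: a subset of autostart registry locations and of
# directories where a fresh download has no business writing.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\")


def indicators(report):
    """Return (kind, detail) pairs for every suspicious behaviour in the report."""
    found = []
    for path in report["files_created"]:
        if any(d in path.lower() for d in SYSTEM_DIRS):
            found.append(("drops_into_system_dir", path))
    for key, name, value in report["registry_set"]:
        if any(k in key.lower() for k in AUTOSTART_KEYS):
            found.append(("autostart_persistence", f"{key}\\{name} = {value}"))
    for host, port, direction in report["network"]:
        if direction == "outbound":
            found.append(("outbound_connection", f"{host}:{port}"))
    return found


def verdict(report):
    """Assumed rule: persistence plus a network channel is the classic backdoor
    pattern; a lone indicator only warrants a closer look."""
    kinds = {kind for kind, _ in indicators(report)}
    if {"autostart_persistence", "outbound_connection"} <= kinds:
        return "likely backdoor"
    if kinds:
        return "review"
    return "no indicators"


if __name__ == "__main__":
    for label, report in (("bifrost-like", BIFROST_LIKE_REPORT),
                          ("benign-like", BENIGN_LIKE_REPORT)):
        print(label, "->", verdict(report))
        for kind, detail in indicators(report):
            print("   ", kind, ":", detail)
```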

If you are unable to determine whether the file is dangerous or not after scanning it with 36 types of antivirus and analyzing it with ThreatExpert, but you still want to run the file, then I’d suggest you run it in a virtual environment (Sandboxie or SafeSpace).

Now you know how to determine if a file flagged by your antivirus program as a threat is really dangerous or not. Don’t get me wrong, you still need to have an antivirus program, because it protects your computer in real time. There are times when we are tired and won’t be so cautious.


    • aBg_rOnGak

      Should the user still want the autorun feature, he/she should just

      1. Right click on My Computer, then click Explore
      2. On the smaller, left pane, click on the desired drive

      This way, the the command(s) in autorun.inf won’t be executed

      If the system has restriction regarding Folder option and regedit, but command prompt still can be accessed, just run it, then type

      attrib -r -h -s :\autorun.inf

      If there’s autorun.inf on the drive, it will show (unless the malware has already run, thus making autorun.inf hidden again)

    • Prashanth

Thank you very much Raymond. I just wanted something like ThreatFire.

    • http://www.madhuzinsane.wordpress.com Madhusudhanan.J

Well, my friend... impressed by your blog... learnt a lot of stuff!! But the point is most of your older blogs are out-dated, like the Yahoo invisible thing that isn’t there... the link says error 404... would be great if you could just check those things :)

    • Solaris

      hmmm….. very useful… keep on coming…

    • philips14c

      Yes! These are the same things I’ll do in case of suspicious files!
      Anubis is also a good choice for checking exe files!

      http://anubis.iseclab.org/

    • brayden

      Great article it’s always a pleasure to read your articles.

    • Mark

Thanks Raymond for this helpful article..!

    • http://www.sunbeltsandbox.com Alex Eckelberry

      (Shameless plug) What about using the Sunbelt Sandbox? http://www.sunbeltsandbox.com or cwsandbox.org

    • Ammar

Thanks Raymond. It’s really a nice one.

    • Humayun Khan

      Hi

      Raymond great information.

Because this is the month of Ramzan, can you provide our Muslim friends who visit this blog with some useful software that might help them in this month of Ramzan?

Software like

      Auto Azan (call for prayer)
      Sehar and Iftar timings
      etc.,

      this is just a request.

      thanks in advance

    • fsr

      Wow, ThreatExpert is really excellent, with that info, you can remove all the crap. Just bookmarked. I also use the Virus Total uploader, right-click and analyse.

    • jorgex3

I get all my downloads from newsgroups and I don’t take risks. I see that you got the EMBRACE keygen. I downloaded Sandboxie v3.28 from DVT and Norton found Infostealer.Gampass, then I got Sandboxie v3.30 from CORE and Norton found another infection. However, the EMBRACE version is clean. My question is, if I run CORE’s version in Sandboxie, is my computer safe from this infected file? Thanks Raymond

    • jeff parker

Thanks Ray. It’s so useful.

    • Prashanth

      @aBg_rOnGak

      autorun.inf files can be modified so that clicking “Explore” will launch viruses. And we can add our own text like “Scan” to context menu using autorun.inf

    • http://www.releaselive.com Ibrahim Rabbani

      thanks ray, my pc is infected all the time and at the end of the day i randomly kill processes =P this should help..

    • Uplink

OK, so RemoveWGA was a virus/trojan? And if it’s a yes, then why didn’t the AVs pick it up?

    • http://www.raymond.cc/ Raymond

      NO, RemoveWGA is NOT a virus. That’s what I am trying to explain above.

    • aBg_rOnGak

      Prashanth

      please read carefully….I typed Explore on My Computer, not on the drive itself….

And I would like to correct a mistake... the command line should be

attrib -r -h -s <x>:\autorun.inf

<x> is the drive’s letter

    • aBg_rOnGak

It seems that my mistake was, I put the letter in the brackets (what’s its name? — the ones beside letter M on the keyboard)

    • brain

There’s also Free Commander. It can open flash disks without executing what is in them. You can also see hidden or system files. You can easily change attributes and wipe files that you suspect. http://www.freecommander.com

    Copyright © 2005-2012 - Raymond.CC Blog