Is WinPcap really a trojan?

Thread starter: ian

ian

AVG Free version 7.5.484 [virus database 269.12.0/961] tells me that
WinPcap_beta_3_1.exe and wpcap.dll contain "Trojan Horse
BackDoor.Generic8.DHX". Are these false positives?

AVG 7.5.476 [269.11.19/953] does not report a trojan in the same files.

--
Ian
 
On Mon, 20 Aug 2007 11:49:45 GMT, ian <ian@nospam.net> wrote:

>AVG Free version 7.5.484 [virus database 269.12.0/961] tells me that
>WinPcap_beta_3_1.exe and wpcap.dll contain "Trojan Horse
>BackDoor.Generic8.DHX". Are these false positives?


Could be. Where did you get the file from?

>AVG 7.5.476 [269.11.19/953] does not report a trojan in the same files.


Try checking it against http://www.virustotal.com/
 
ian wrote:
> In message <kj2jc3lpg7a0hgj0o7s4kktepollhj1s9f@4ax.com>, Straight Talk
> <b__nice@hotmail.com> writes
>>
>> Try checking it against http://www.virustotal.com/

>
> Is this site for real? I've never come across it before.
>


Virus Total is a well-known site that has been used by techs for years.
Yes, it is for real and yes, sending the file to Virus Total for
identification is a good idea.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
"ian" <ian@nospam.net> wrote in message news:J5SNMIBN$XyGFwgD@nospam.net...
> AVG Free version 7.5.484 [virus database 269.12.0/961] tells me that
> WinPcap_beta_3_1.exe and wpcap.dll contain "Trojan Horse
> BackDoor.Generic8.DHX". Are these false positives?
>
> AVG 7.5.476 [269.11.19/953] does not report a trojan in the same files.
>
> --
> Ian


They may very well be false positives. However, to be sure, upload both
files to Jotti and/or Virus Total for analysis.

Jotti: http://virusscan.jotti.org/

Virus Total: http://www.virustotal.com/en/indexf.html
 
In article <J5SNMIBN$XyGFwgD@nospam.net>, ian <ian@nospam.net> wrote:
>AVG Free version 7.5.484 [virus database 269.12.0/961] tells me that
>WinPcap_beta_3_1.exe and wpcap.dll contain "Trojan Horse
>BackDoor.Generic8.DHX". Are these false positives?
>
>AVG 7.5.476 [269.11.19/953] does not report a trojan in the same files.


Have you installed Ethereal or Wireshark? They use a network
monitoring library called WinPcap.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
Unfortunately the name alone isn't sufficient, you'd have to check the file's
size, CRC or date against a valid one. This is because spyware often uses an
executable with the same name as an existing system-file, but in a different
folder. The purpose is so that the process-name in Task Manager looks innocuous.
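One way to carry out the check the post above describes, written here as an added example and not code from anyone in the thread: every copy of a given file name (wpcap.dll, from the thread) is fingerprinted by size, CRC32 and SHA-256 and compared against a known-good reference, and a copy that matches but sits outside the expected folder is flagged separately. The reference values and the expected folder are constructed assumptions; a real check would take them from the vendor's own download.

```python
"""Fingerprint every copy of a file name under some roots and compare each
against a known-good reference (size / CRC32 / SHA-256) and expected folder."""
import hashlib
import os
import zlib

# Assumed location of the genuine library; constructed for this example.
EXPECTED_DIRS = {r"c:\windows\system32"}


def _norm(path: str) -> str:
    """Normalise Windows or POSIX paths so folder comparison is case-insensitive."""
    return path.replace("\\", "/").rstrip("/").lower()


def fingerprint(data: bytes) -> dict:
    """Size, CRC32 and SHA-256 of a file's contents.
    (File dates are deliberately not part of the fingerprint: a timestamp is
    trivial to set, whereas size and hashes must match the real bytes.)"""
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(path: str, data: bytes, reference: dict, expected_dirs=EXPECTED_DIRS) -> str:
    """'genuine' if contents match the reference and the file sits in an expected
    folder; 'misplaced' if contents match but the folder does not; else 'mismatch'."""
    if fingerprint(data) != reference:
        return "mismatch"
    folder = _norm(path).rsplit("/", 1)[0]
    if folder not in {_norm(d) for d in expected_dirs}:
        return "misplaced"
    return "genuine"


def find_copies(name: str, roots, reference: dict) -> list:
    """Walk the given roots and return (path, verdict) for each file named `name`."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                if f.lower() == name.lower():
                    p = os.path.join(dirpath, f)
                    with open(p, "rb") as fh:
                        hits.append((p, classify(p, fh.read(), reference)))
    return hits


if __name__ == "__main__":
    # Example run (constructed reference): compare every wpcap.dll under C:\ to it.
    ref = {"size": 0, "crc32": "00000000", "sha256": hashlib.sha256(b"").hexdigest()}
    for path, verdict in find_copies("wpcap.dll", [r"C:\\"], ref):
        print(verdict, path)
```

A second copy of the same name reported as "misplaced" or "mismatch" is exactly the case the post warns about, and is the one worth submitting to a multi-engine scanner.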
 
Malke <notreally@invalid.invalid> wrote in news:#RXFxNz4HHA.3684
@TK2MSFTNGP02.phx.gbl:

> ian wrote:
>> In message <kj2jc3lpg7a0hgj0o7s4kktepollhj1s9f@4ax.com>, Straight Talk
>> <b__nice@hotmail.com> writes
>>>
>>> Try checking it against http://www.virustotal.com/

>>
>> Is this site for real? I've never come across it before.
>>

>
> Virus Total is a well-known site that has been used by techs for years.
> Yes, it is for real and yes, sending the file to Virus Total for
> identification is a good idea.


100% agreed.


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Malke <notreally@invalid.invalid> wrote in news:#RXFxNz4HHA.3684
@TK2MSFTNGP02.phx.gbl:

> ian wrote:
>> In message <kj2jc3lpg7a0hgj0o7s4kktepollhj1s9f@4ax.com>, Straight Talk
>> <b__nice@hotmail.com> writes
>>>
>>> Try checking it against http://www.virustotal.com/

>>
>> Is this site for real? I've never come across it before.
>>

>
> Virus Total is a well-known site that has been used by techs for years.
> Yes, it is for real and yes, sending the file to Virus Total for
> identification is a good idea.
>
>
> Malke


Of course, it could be this:

http://www.winpcap.org/

The user might not want to kill it if they use various programs that make
use of it. Wireless packet sniffing utils and such.

This is a completely offtopic section of my post, so you can quit reading
now if you don't want to read someone beg/ask for samples. :)

Okay,

BugHunter is in need of fresh samples. Suspected malware is welcome at my
email address. Please zip encrypt with a password and rename it to .dat,
I'd be very happy with any samples any of you are willing to send me.

I can promise the samples will not be shared with anyone outside the
antimalware community.

Thanks for the shameless begging. :)


--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
"Dustin Cook" <spamfilterineffect.see.sig@nowhere.com> wrote in message
news:Xns9994DBD2E5723HHI2948AJD832@69.28.186.121...

> Of course, it could be this:
>
> http://www.winpcap.org/
>
> The user might not want to kill it if they use various programs that make
> use of it. Wireless packet sniffing utils and such.


Of course, if the user didn't install it and doesn't know why it's there then
(assuming it's the Winpcap driver and not something worse pretending to be
it) this file in itself might be the least of their worries.
 
"Robert Moir" <usenet@REMOVE2EMAILrobertmoir.com> wrote in
news:ub4hEdP6HHA.5160@TK2MSFTNGP05.phx.gbl:

> "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com> wrote in
> message news:Xns9994DBD2E5723HHI2948AJD832@69.28.186.121...
>
>> Of course, it could be this:
>>
>> http://www.winpcap.org/
>>
>> The user might not want to kill it if they use various programs that
>> make use of it. Wireless packet sniffing utils and such.

>
> Of course, if the user didn't install it and doesn't know why its
> there then (assuming it's the Winpcap driver and not something worse
> pretending to be it) this file in itself might be the least of their
> worries.
>
>
>


Agreed. :)


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 