
Visioneers drivers contain a trojan horse?

 
Eric

External


Since: Jan 24, 2008
Posts: 4



(Msg. 1) Posted: Thu Jan 24, 2008 11:11 am
Post subject: Visioneers drivers contain a trojan horse?
Archived from groups: alt>comp>virus (more info?)

Hello,

I was getting ready to set up my Visioneer 7100 on an old machine. I
downloaded the drivers from Visioneer's web site and my Avast
antivirus is squawking about there being a Trojan Horse. I then dug
around and found the CDROM that came with the scanner, Avast says that
the same Trojan, BMCentral, is on the disk as well!

I don't have another antivirus software to scan it with, but it
certainly looks like it's the real deal. Here are the entries from
the virus scan logs:

1/24/2008 1:33:27 PM 344 Sign of "Win32:Bmcentral-B [Trj]" has been
found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
\TWAIN_32\vizscan\7XXX\BMUInst.EXE\%SYS%\BMUpdate.exe" file.
1/24/2008 1:35:38 PM 344 Sign of "Win32:Bmcentral [Trj]" has been
found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
\TWAIN_32\vizscan\7XXX\BMUInst.EXE" file.

I did find out a little bit about this trojan at Symantec's website:

http://www.symantec.com/security_response/writeup.jsp?docid=2006-05091...529-99&

The file names they give don't match BMUInst.EXE, could this be a
false alarm?

-Eric

Eric

External


Since: Jan 24, 2008
Posts: 4



(Msg. 2) Posted: Thu Jan 24, 2008 5:21 pm
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

On Jan 24, 6:07 pm, "David H. Lipman" <DLipman~nospam~@Verizon.Net>
wrote:
> From: "Eric" <eric.goforth DeleteThis @gmail.com>
>
> | Hello,
> |
> | I was getting ready to set up my Visioneer 7100 on an old machine. I
> | downloaded the drivers from Visioneer's web site and my Avast
> | antivirus is squawking about there being a Trojan Horse. I then dug
> | around and found the CDROM that came with the scanner, Avast says that
> | the same Trojan, BMCentral, is on the disk as well!
> |
> | I don't have another antivirus software to scan it with, but it
> | certainly looks like it's the real deal. Here are the entries from
> | the virus scan logs:
> |
> | 1/24/2008 1:33:27 PM 344 Sign of "Win32:Bmcentral-B [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE\%SYS%\BMUpdate.exe" file.
> | 1/24/2008 1:35:38 PM 344 Sign of "Win32:Bmcentral [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE" file.
> |
> | I did find out a little bit about this trojan at Symantec's website:
> |
> | http://www.symantec.com/security_response/writeup.jsp?docid=2006-0509...
> |
> | The file names they give don't match BMUInst.EXE, could this be a
> | false alarm?
> |
> | -Eric
>
> It is most likely a False Positive declaration.
>
> Please submit samples to Virus Total -- http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I've sent it in, we'll see if anything comes back. Hopefully it's not
over any size restrictions, it's a 9 Meg file.

Eric

External


Since: Jan 24, 2008
Posts: 4



(Msg. 3) Posted: Thu Jan 24, 2008 6:21 pm
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

On Jan 24, 6:07 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Eric" <eric.gofo....DeleteThis@gmail.com>
>
> | Hello,
> |
> | I was getting ready to set up my Visioneer 7100 on an old machine. I
> | downloaded the drivers from Visioneer's web site and my Avast
> | antivirus is squawking about there being a Trojan Horse. I then dug
> | around and found the CDROM that came with the scanner, Avast says that
> | the same Trojan, BMCentral, is on the disk as well!
> |
> | I don't have another antivirus software to scan it with, but it
> | certainly looks like it's the real deal. Here are the entries from
> | the virus scan logs:
> |
> | 1/24/2008 1:33:27 PM 344 Sign of "Win32:Bmcentral-B [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE\%SYS%\BMUpdate.exe" file.
> | 1/24/2008 1:35:38 PM 344 Sign of "Win32:Bmcentral [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE" file.
> |
> | I did find out a little bit about this trojan at Symantec's website:
> |
> | http://www.symantec.com/security_response/writeup.jsp?docid=2006-0509...
> |
> | The file names they give don't match BMUInst.EXE, could this be a
> | false alarm?
> |
> | -Eric
>
> It is most likely a False Positive declaration.
>
> Please submit samples to Virus Total -- http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:s...@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I renamed the file from .exe to .xxx and sent it as an email.
Apparently Avast is the only AV software that sees it as a trojan,
false positive I think:

Complete scanning result of "7100.xxx", processed in VirusTotal at
01/25/2008 02:35:37 (CET).

[ file data ]
* name: 7100.xxx
* size: 9234289
* md5.: ece002b40a5537ff33ea9b5c2251f410
* sha1: 0b59330c058b1c5f7ad7d163ddba6847ca2ce459
* peid..: -

[ scan result ]
AhnLab-V3 2008.1.25.10/20080124 found nothing
AntiVir 7.6.0.48/20080124 found nothing
Authentium 4.93.8/20080124 found nothing
Avast 4.7.1098.0/20080125 found [Win32:Bmcentral-B]
AVG 7.5.0.516/20080124 found nothing
BitDefender 7.2/20080125 found nothing
CAT-QuickHeal 9.00/20080124 found nothing
ClamAV 0.91.2/20080124 found nothing
DrWeb 4.44.0.09170/20080124 found nothing
eSafe 7.0.15.0/20080116 found nothing
eTrust-Vet 31.3.5483/20080124 found nothing
Ewido 4.0/20080124 found nothing
F-Prot 4.4.2.54/20080124 found nothing
F-Secure 6.70.13260.0/20080124 found nothing
FileAdvisor 1/20080125 found nothing
Fortinet 3.14.0.0/20080124 found nothing
Ikarus T3.1.1.20/20080125 found nothing
Kaspersky 7.0.0.125/20080125 found nothing
McAfee 5215/20080124 found nothing
Microsoft 1.3109/20080125 found nothing
NOD32v2 2821/20080125 found nothing
Norman 5.80.02/20080124 found nothing
Panda 9.0.0.4/20080124 found nothing
Prevx1 V2/20080125 found nothing
Rising 20.28.31.00/20080124 found nothing
Sophos 4.25.0/20080125 found nothing
Sunbelt 2.2.907.0/20080125 found nothing
Symantec 10/20080125 found nothing
TheHacker 6.2.9.196/20080123 found nothing
VBA32 3.12.2.5/20080121 found nothing
VirusBuster 4.3.26:9/20080124 found nothing

__________________________________________________
VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about the availability and continuity of this service.
Do not reply to this message. It has been generated by an automatic
address that will not handle any reply. Although the detection rate
afforded by the use of multiple antivirus engines is far superior to
that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that
offers a 100% effectiveness rate for detecting viruses and malware.
Eric

External


Since: Jan 24, 2008
Posts: 4



(Msg. 4) Posted: Thu Jan 24, 2008 6:29 pm
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

On Jan 24, 6:07 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Eric" <eric.gofo... DeleteThis @gmail.com>
>
> | Hello,
> |
> | I was getting ready to set up my Visioneer 7100 on an old machine. I
> | downloaded the drivers from Visioneer's web site and my Avast
> | antivirus is squawking about there being a Trojan Horse. I then dug
> | around and found the CDROM that came with the scanner, Avast says that
> | the same Trojan, BMCentral, is on the disk as well!
> |
> | I don't have another antivirus software to scan it with, but it
> | certainly looks like it's the real deal. Here are the entries from
> | the virus scan logs:
> |
> | 1/24/2008 1:33:27 PM 344 Sign of "Win32:Bmcentral-B [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE\%SYS%\BMUpdate.exe" file.
> | 1/24/2008 1:35:38 PM 344 Sign of "Win32:Bmcentral [Trj]" has been
> | found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
> | \TWAIN_32\vizscan\7XXX\BMUInst.EXE" file.
> |
> | I did find out a little bit about this trojan at Symantec's website:
> |
> | http://www.symantec.com/security_response/writeup.jsp?docid=2006-0509...
> |
> | The file names they give don't match BMUInst.EXE, could this be a
> | false alarm?
> |
> | -Eric
>
> It is most likely a False Positive declaration.
>
> Please submit samples to Virus Total -- http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:s...@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Hopefully this won't be a duplicate post. I've waited at least 5
minutes and my original follow up hasn't appeared. Apparently only
Avast thinks it's a trojan, so methinks it's a false positive:

Complete scanning result of "7100.xxx", processed in VirusTotal at
01/25/2008 02:35:37 (CET).

[ file data ]
* name: 7100.xxx
* size: 9234289
* md5.: ece002b40a5537ff33ea9b5c2251f410
* sha1: 0b59330c058b1c5f7ad7d163ddba6847ca2ce459
* peid..: -

[ scan result ]
AhnLab-V3 2008.1.25.10/20080124 found nothing
AntiVir 7.6.0.48/20080124 found nothing
Authentium 4.93.8/20080124 found nothing
Avast 4.7.1098.0/20080125 found [Win32:Bmcentral-B]
AVG 7.5.0.516/20080124 found nothing
BitDefender 7.2/20080125 found nothing
CAT-QuickHeal 9.00/20080124 found nothing
ClamAV 0.91.2/20080124 found nothing
DrWeb 4.44.0.09170/20080124 found nothing
eSafe 7.0.15.0/20080116 found nothing
eTrust-Vet 31.3.5483/20080124 found nothing
Ewido 4.0/20080124 found nothing
F-Prot 4.4.2.54/20080124 found nothing
F-Secure 6.70.13260.0/20080124 found nothing
FileAdvisor 1/20080125 found nothing
Fortinet 3.14.0.0/20080124 found nothing
Ikarus T3.1.1.20/20080125 found nothing
Kaspersky 7.0.0.125/20080125 found nothing
McAfee 5215/20080124 found nothing
Microsoft 1.3109/20080125 found nothing
NOD32v2 2821/20080125 found nothing
Norman 5.80.02/20080124 found nothing
Panda 9.0.0.4/20080124 found nothing
Prevx1 V2/20080125 found nothing
Rising 20.28.31.00/20080124 found nothing
Sophos 4.25.0/20080125 found nothing
Sunbelt 2.2.907.0/20080125 found nothing
Symantec 10/20080125 found nothing
TheHacker 6.2.9.196/20080123 found nothing
VBA32 3.12.2.5/20080121 found nothing
VirusBuster 4.3.26:9/20080124 found nothing

__________________________________________________
VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about the availability and continuity of this service.
Do not reply to this message. It has been generated by an automatic
address that will not handle any reply. Although the detection rate
afforded by the use of multiple antivirus engines is far superior to
that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that
offers a 100% effectiveness rate for detecting viruses and malware.
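Added example, not part of any post in this thread: a small parser for the plain-text VirusTotal report quoted in Msg. 3 and Msg. 4, which tallies detections and lists engines whose signature date lags the scan date, since a "found nothing" from stale signatures is weaker evidence. The function names, the line shape (inferred from the report as pasted above) and the two-day staleness threshold are assumptions made for this illustration.

```python
import re
from datetime import date

# Excerpt of the report quoted in this thread (six of its 31 engine lines).
REPORT = """\
[ scan result ]
AntiVir 7.6.0.48/20080124 found nothing
Avast 4.7.1098.0/20080125 found [Win32:Bmcentral-B]
eSafe 7.0.15.0/20080116 found nothing
Kaspersky 7.0.0.125/20080125 found nothing
VBA32 3.12.2.5/20080121 found nothing
VirusBuster 4.3.26:9/20080124 found nothing
"""

# "<engine> <version>/<YYYYMMDD> found nothing" or "... found [<name>]"
LINE = re.compile(r"^(\S+) (\S+)/(\d{8}) found (nothing|\[(.+)\])$")

def parse_report(text):
    """Return one dict per engine line; lines in any other shape are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        d = m.group(3)
        rows.append({
            "engine": m.group(1),
            "version": m.group(2),
            "sig_date": date(int(d[:4]), int(d[4:6]), int(d[6:])),
            "detection": m.group(5),  # None when the engine found nothing
        })
    return rows

def summarize(rows, scan_day, max_age_days=2):
    """Tally detections and list engines whose signatures lag the scan day.

    max_age_days is an assumed threshold, not a VirusTotal setting.
    """
    hits = {r["engine"]: r["detection"] for r in rows if r["detection"]}
    stale = sorted(r["engine"] for r in rows
                   if (scan_day - r["sig_date"]).days > max_age_days)
    return {"engines": len(rows), "hits": hits, "stale": stale}

if __name__ == "__main__":
    # Scan date taken from the report header: 01/25/2008 (CET).
    s = summarize(parse_report(REPORT), date(2008, 1, 25))
    print(f"{len(s['hits'])}/{s['engines']} engines flagged the file: {s['hits']}")
    print("signatures older than 2 days:", s["stale"])
```
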
David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 5) Posted: Thu Jan 24, 2008 11:07 pm
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

From: "Eric" <eric.goforth DeleteThis @gmail.com>

| Hello,
|
| I was getting ready to set up my Visioneer 7100 on an old machine. I
| downloaded the drivers from Visioneer's web site and my Avast
| antivirus is squawking about there being a Trojan Horse. I then dug
| around and found the CDROM that came with the scanner, Avast says that
| the same Trojan, BMCentral, is on the disk as well!
|
| I don't have another antivirus software to scan it with, but it
| certainly looks like it's the real deal. Here are the entries from
| the virus scan logs:
|
| 1/24/2008 1:33:27 PM 344 Sign of "Win32:Bmcentral-B [Trj]" has been
| found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
| \TWAIN_32\vizscan\7XXX\BMUInst.EXE\%SYS%\BMUpdate.exe" file.
| 1/24/2008 1:35:38 PM 344 Sign of "Win32:Bmcentral [Trj]" has been
| found in "I:\Documents\visioneer\Scansoft\Drivers\7100.exe\%WIN%
| \TWAIN_32\vizscan\7XXX\BMUInst.EXE" file.
|
| I did find out a little bit about this trojan at Symantec's website:
|
| http://www.symantec.com/security_response/writeup.jsp?docid=2006-05091...529-99&
|
| The file names they give don't match BMUInst.EXE, could this be a
| false alarm?
|
| -Eric

It is most likely a False Positive declaration.


Please submit samples to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 6) Posted: Fri Jan 25, 2008 1:30 am
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

From: "Eric" <eric.goforth DeleteThis @gmail.com>


|
| I've sent it in, we'll see if anything comes back. Hopefully it's not
| over any size restrictions, it's a 9 Meg file.

The size only confirms the idea of a FP declaration.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 7) Posted: Fri Jan 25, 2008 2:34 am
Post subject: Re: Visioneers drivers contain a trojan horse?
Archived from groups: per prev. post (more info?)

From: "Eric" <eric.goforth.TakeThisOut@gmail.com>


|
| Hopefully this won't be a duplicate post. I've waited at least 5
| minutes and my original follow up hasn't appeared. Apparently only
| Avast thinks it's a trojan, so methinks it's a false positive:
|

< snip >

I'd say the result is a False Positive.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp