KRenameSetup

strydr · 01. Oct 2010, 11:47 PM

The other day I downloaded KRenameSetup and when
I tried to install it my Malwarebytes Anti-Malware pops up and says the file
has a trojan in it called TrojanDropper.PGen. I was wondering whether or not
anyone else is having a similar problem.

Ritho · 02. Oct 2010, 08:30 AM

It may well be infected. I downloaded the file from the developers site and ran it through VirusTotal. Below is the link to the results.

http://www.virustotal.com/file-scan/...b18-1284291557

It could still be a false positive that is occurring because of some code that has similarities to existing malware, but when you have this many detections I would be very careful.

Ritho · 02. Oct 2010, 08:50 AM

Here are the results from Norman Sandbox, I don't see anything suspicious going on in the install. I am waiting for results from other online malware analyzers

Quote:

KRenameSetup.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\KRenameSetup.exe_\noname.nsis.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: N/A.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 1015957 bytes.
* MD5 hash: 98eacb23f9ab7fb1cf3c2e3a143d7fc9.
* SHA1 hash: 9f0f4c8fa4d779be58e0c8cfa0908d5125f45dce.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsb3624.tmp.
* Deletes file C:\WINDOWS\TEMP\nsb3624.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp\LangDLL.dll.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL.
* Creates file C:\WINDOWS\wininit.ini.
* Deletes directory C:\WINDOWS\TEMP\nsv4817.tmp\.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ap p Paths\KRename.exe".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersio n".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Un install\Ken Rename".

[ Process/window information ]
* Creates a window with caption and classname #32770.
* Creates dialog control (static) with id 1030 and caption .
* Creates dialog control (static) with id -1 and caption .
* Creates dialog control (static) with id 76 and caption Please wait while Setup is loading....
* Creates a window with caption Dialog and classname #32770.
* Creates dialog control (combobox) with id 1002 and caption .
* Creates dialog control (button) with id 1 and caption OK.
* Creates dialog control (button) with id 2 and caption Cancel.
* Creates dialog control (static) with id 1007 and caption .
* Creates dialog control (static) with id 1008 and caption .
* Pressing button with id 1.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL (5632 bytes) : no signature detection.
* C:\WINDOWS\wininit.ini (55 bytes) : no signature detection.

Ritho · 02. Oct 2010, 09:13 AM

Here are Joebox results. They were too big to post, or to attach so they are available to download from drop.io Joebox shows everything that a program does, and takes a long time to read through. I skimmed down to the most important sections, and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle

strydr · 02. Oct 2010, 05:15 PM

Quote:

Originally Posted by Ritho

Here are Joebox results. They were too big to post, or to attach so they are available to download from drop.io Joebox shows everything that a program does, and takes a long time to read through. I skimmed down to the most important sections, and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle

Thanks Ritho for your help in looking through that file for me. My feelings are it is probably a FP but why take chances as you say. I'll just have to check out other renaming software.

Ritho · 02. Oct 2010, 05:21 PM

Your welcome. It wouldn't hurt to contact the developer and let him know your findings.

bodis · 07. Oct 2010, 06:25 AM

I have reviewed the software and will look into this myself.

bodis

bodis · 07. Oct 2010, 06:30 AM

This is interesting, Softpedia has KenRename as well but the zipped version and it returns only 2/41 from virus total.

http://www.virustotal.com/file-scan/...2e8-1277305696

Edit: I have just noticed that developers page has turned Orange in WOT ratings, I will be removing Ken Rename from my reviews today.

01. Oct 2010, 11:47 PM	#1 (permalink)
strydr Member Join Date: Oct 2010 Posts: 2	KRenameSetup The other day I downloaded KRenameSetup and when I tried to install it my Malwarebytes Anti-Malware pops up and says the file has a trojan in it called TrojanDropper.PGen. I was wondering whether or not anyone else is having a similar problem.

02. Oct 2010, 08:30 AM	#2 (permalink)
Ritho Foundation Editor Join Date: Apr 2008 Location: Planet Earth Posts: 1,391	It may well be infected. I downloaded the file from the developers site and ran it through VirusTotal. Below is the link to the results. http://www.virustotal.com/file-scan/...b18-1284291557 It could still be a false positive that is occurring because of some code that has similarities to existing malware, but when you have this many detections I would be very careful. __________________ The smallest good deed is better than the greatest intention.

02. Oct 2010, 09:13 AM	#4 (permalink)
Ritho Foundation Editor Join Date: Apr 2008 Location: Planet Earth Posts: 1,391	Here are Joebox results. They were too big to post, or to attach so they are available to download from drop.io Joebox shows everything that a program does, and takes a long time to read through. I skimmed down to the most important sections, and did not see any major virus activity, but I am no expert in reading these things either. results.html http://drop.io/bvkprle __________________ The smallest good deed is better than the greatest intention.

02. Oct 2010, 05:21 PM	#6 (permalink)
Ritho Foundation Editor Join Date: Apr 2008 Location: Planet Earth Posts: 1,391	Your welcome. It wouldn't hurt to contact the developer and let him know your findings. __________________ The smallest good deed is better than the greatest intention.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

07. Oct 2010, 06:25 AM	#7 (permalink)
bodis Senior Member Join Date: Jul 2010 Location: UK Posts: 173	I have reviewed the software and will look into this myself. bodis

07. Oct 2010, 06:30 AM	#8 (permalink)
bodis Senior Member Join Date: Jul 2010 Location: UK Posts: 173	This is interesting, Softpedia has KenRename as well but the zipped version and it returns only 2/41 from virus total. http://www.virustotal.com/file-scan/...2e8-1277305696 Edit: I have just noticed that developers page has turned Orange in WOT ratings, I will be removing Ken Rename from my reviews today.