Gizmo's Freeware Forum

Freeware Installation & Usage > KRenameSetup (https://www.techsupportalert.com/freeware-forum/freeware-installation-and-usage/5337-krenamesetup.html)

strydr 01. Oct 2010 11:47 PM

KRenameSetup

The other day I downloaded KRenameSetup and when I tried to install it my Malwarebytes Anti-Malware popped up and said the file has a trojan in it called TrojanDropper.PGen. I was wondering whether or not anyone else is having a similar problem.

Ritho 02. Oct 2010 08:30 AM

It may well be infected. I downloaded the file from the developer's site and ran it through VirusTotal. Below is the link to the results.

http://www.virustotal.com/file-scan/...b18-1284291557

It could still be a false positive that is occurring because of some code that has similarities to existing malware, but when you have this many detections I would be very careful.

Ritho 02. Oct 2010 08:50 AM

Here are the results from Norman Sandbox; I don't see anything suspicious going on in the install. I am waiting for results from other online malware analyzers.

Quote:

KRenameSetup.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Filename: C:\analyzer\scan\KRenameSetup.exe_\noname.nsis.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: N/A.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 1015957 bytes.
* MD5 hash: 98eacb23f9ab7fb1cf3c2e3a143d7fc9.
* SHA1 hash: 9f0f4c8fa4d779be58e0c8cfa0908d5125f45dce.

[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsb3624.tmp.
* Deletes file C:\WINDOWS\TEMP\nsb3624.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\nsv4817.tmp.
* Creates file C:\WINDOWS\TEMP\nsv4817.tmp\LangDLL.dll.
* Deletes file C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL.
* Creates file C:\WINDOWS\wininit.ini.
* Deletes directory C:\WINDOWS\TEMP\nsv4817.tmp\.

[ Changes to registry ]
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\KRename.exe".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Accesses Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Ken Rename".

[ Process/window information ]
* Creates a window with caption and classname #32770.
* Creates dialog control (static) with id 1030 and caption .
* Creates dialog control (static) with id -1 and caption .
* Creates dialog control (static) with id 76 and caption Please wait while Setup is loading....
* Creates a window with caption Dialog and classname #32770.
* Creates dialog control (combobox) with id 1002 and caption .
* Creates dialog control (button) with id 1 and caption OK.
* Creates dialog control (button) with id 2 and caption Cancel.
* Creates dialog control (static) with id 1007 and caption .
* Creates dialog control (static) with id 1008 and caption .
* Pressing button with id 1.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\nsv4817.tmp\LANGDLL.DLL (5632 bytes) : no signature detection.
* C:\WINDOWS\wininit.ini (55 bytes) : no signature detection.
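
Before leaning on a sandbox verdict it is worth checking that the copy you downloaded is the very file the sandbox ran, and pulling the report's file-system and registry changes into a structure you can reason about rather than reading bullets by eye. The Python below is an added example, not part of this thread and not a Norman, Joebox or VirusTotal tool: it assumes the report layout shown above (bracketed section headers, `*` bullets ending in a period) and works on a constructed excerpt that reuses the hashes and paths quoted in the report.

```python
"""Parse a Norman SandBox-style report and check a local sample against it.

Added example (not from the forum thread or any vendor tool). The report
format is inferred from the report quoted in the thread; SAMPLE_REPORT is a
constructed excerpt reusing the hashes and paths shown there.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_REPORT = """\
[ General information ]
* File length: 1015957 bytes.
* MD5 hash: 98eacb23f9ab7fb1cf3c2e3a143d7fc9.
* SHA1 hash: 9f0f4c8fa4d779be58e0c8cfa0908d5125f45dce.

[ Changes to filesystem ]
* Creates directory C:\\WINDOWS\\TEMP\\.
* Creates file C:\\WINDOWS\\TEMP\\nsb3624.tmp.
* Deletes file C:\\WINDOWS\\TEMP\\nsb3624.tmp.
* Creates file C:\\WINDOWS\\TEMP\\nsv4817.tmp\\LangDLL.dll.
* Deletes file C:\\WINDOWS\\TEMP\\nsv4817.tmp\\LANGDLL.DLL.
* Creates file C:\\WINDOWS\\wininit.ini.

[ Changes to registry ]
* Accesses Registry key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\KRename.exe".
* Accesses Registry key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Ken Rename".
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
BULLET_RE = re.compile(r"^\*\s+(.*?)\.?$")  # each bullet ends with a period


def parse_report(text):
    """Return {section name: [bullet text, ...]} with the trailing period dropped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BULLET_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
    return dict(sections)


def expected_hashes(sections):
    """Pull file length, MD5 and SHA1 out of '[ General information ]'."""
    info = {}
    for item in sections.get("General information", []):
        key, _, value = item.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "md5 hash":
            info["md5"] = value.lower()
        elif key == "sha1 hash":
            info["sha1"] = value.lower()
        elif key == "file length":
            info["length"] = int(value.split()[0])
    return info


def filesystem_summary(sections):
    """Files the installer created and never deleted (Windows paths compare case-insensitively)."""
    created, deleted = {}, set()
    for item in sections.get("Changes to filesystem", []):
        verb, sep, path = item.partition(" file ")
        if not sep:
            continue  # directory entries are not tracked here
        if verb == "Creates":
            created[path.lower()] = path
        elif verb == "Deletes":
            deleted.add(path.lower())
    return sorted(p for k, p in created.items() if k not in deleted)


def registry_keys(sections):
    """Registry keys the report says were touched (the quoted part of each bullet)."""
    keys = []
    for item in sections.get("Changes to registry", []):
        m = re.search(r'"([^"]+)"', item)
        if m:
            keys.append(m.group(1))
    return keys


def verify_sample(data, info):
    """Compare a local copy's size/MD5/SHA1 with the report's; return the names that differ.

    An empty list means the bytes you hold are the bytes the sandbox ran, so its
    verdict applies to your download; otherwise the report is about another file.
    """
    mismatches = []
    if "length" in info and len(data) != info["length"]:
        mismatches.append("length")
    if "md5" in info and hashlib.md5(data).hexdigest() != info["md5"]:
        mismatches.append("md5")
    if "sha1" in info and hashlib.sha1(data).hexdigest() != info["sha1"]:
        mismatches.append("sha1")
    return mismatches


if __name__ == "__main__":
    sections = parse_report(SAMPLE_REPORT)
    print("report hashes:", expected_hashes(sections))
    print("left behind:", filesystem_summary(sections))
    print("registry:", registry_keys(sections))
```

Run against a downloaded installer by reading it as bytes and passing it to `verify_sample` together with `expected_hashes(parse_report(report_text))`; only when that returns an empty list does the sandbox's NO_VIRUS result say anything about the file on your disk. The left-behind list for this report is just `wininit.ini`, which is what an NSIS installer typically writes to schedule a rename on reboot, so the report's file-system activity is consistent with a plain installer rather than a dropper.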

Ritho 02. Oct 2010 09:13 AM

Here are the Joebox results. They were too big to post or to attach, so they are available to download from drop.io. Joebox shows everything that a program does, and it takes a long time to read through. I skimmed down to the most important sections and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle

strydr 02. Oct 2010 05:15 PM

Quote:

Originally Posted by Ritho (Post 37240)
Here are the Joebox results. They were too big to post or to attach, so they are available to download from drop.io. Joebox shows everything that a program does, and it takes a long time to read through. I skimmed down to the most important sections and did not see any major virus activity, but I am no expert in reading these things either.

results.html http://drop.io/bvkprle

Thanks, Ritho, for your help in looking through that file for me. My feeling is that it is probably a FP, but why take chances, as you say. I'll just have to check out other renaming software.

Ritho 02. Oct 2010 05:21 PM

You're welcome. It wouldn't hurt to contact the developer and let him know your findings.

bodis 07. Oct 2010 06:25 AM

I have reviewed the software and will look into this myself.

bodis

bodis 07. Oct 2010 06:30 AM

This is interesting: Softpedia has KenRename as well, but the zipped version, and it returns only 2/41 from VirusTotal.

http://www.virustotal.com/file-scan/...2e8-1277305696

Edit: I have just noticed that the developer's page has turned orange in WOT ratings; I will be removing Ken Rename from my reviews today.
