Virus false positive in go.weekly.2012-03-13.windows-386.msi ? #3328

Closed
gopherbot opened this issue Mar 15, 2012 · 10 comments
@gopherbot
Contributor

by outofbrain76:

Hi there,

I just installed go.weekly.2012-03-13.windows-386.msi on my system. 

Avira AntiVir reports a trojan TR/Crypt.XPACK.Gen in file
..\Go\pkg\tool\windows_386\api.exe 

I checked with other online scanners but no alerts there. 

Is this a false positive? Maybe you can check this too?

Thanks
@dsymonds
Contributor

Comment 1:

As far as I can tell, it's a false positive. There are lots of reports of that trojan (or
under different names) that indicate it's spurious. I don't want to write it off
automatically, though.

Labels changed: added priority-asap, expertneeded, go1-must, removed priority-triage.

Status changed to Accepted.

@adg
Contributor

adg commented Mar 19, 2012

Comment 2:

I re-built api.exe at tip on the same machine and ran it through virustotal.com; it
shows no warnings:
https://www.virustotal.com/file/5dc851119e3078ad492d88be7557350a9af2b1f9eb01bd6a99204c5b19c2771f/analysis/1332130391/
Here are the results for the one in go.weekly.2012-03-13.zip:
https://www.virustotal.com/file/9ce295fc656089465bc8118ab1a1a8c8026f4829edbfd44d6690b27cf9dbad8f/analysis/
I'll bet it's a false positive, but just to be on the safe side I am rebuilding the msi
and zip now.

Owner changed to @adg.

@adg
Contributor

adg commented Mar 19, 2012

Comment 3:

I just rebuilt the windows zip and re-scanned api.exe. Now _two_ virus scanners report
a trojan:
https://www.virustotal.com/file/2ba35f139dbc478bf7998eeddfef578e42e67d881cf58ed97febc87f528f6737/analysis/1332132274/
AntiVir reports TR/Crypt.XPACK.Gen
ByteHero reports Trojan.Win32.Tdss.Gen

@adg
Contributor

adg commented Mar 19, 2012

Comment 4:

After re-scanning the original api.exe, the same two results are showing:
https://www.virustotal.com/file/9ce295fc656089465bc8118ab1a1a8c8026f4829edbfd44d6690b27cf9dbad8f/analysis/1332134248/
So we have consistent results. I guess the ByteHero scanner's signature dictionary was
changed between the first scan and this more recent scan.
I still think this is spurious. For two copies built on the same machine, but at
different revisions of the Go tree, why would one report infection and the other not?
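
Added example, not part of the original thread or the Go project's code: the SHA-256 embedded in each VirusTotal link identifies the exact bytes that were scanned, so grouping the links quoted in comments 2 to 4 by hash shows which scans covered the same binary, and `MatchesReport` checks a local file against a link. The function and variable names are hypothetical, and the URL pattern is inferred from the links quoted above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Link layout used in this thread: .../file/<sha256>/analysis/[<unix-seconds>/]
var vtURL = regexp.MustCompile(`^https://www\.virustotal\.com/file/([0-9a-f]{64})/analysis/(\d+/)?$`)

// The four report links from comments 2, 3 and 4, in thread order.
var threadLinks = []string{
	"https://www.virustotal.com/file/5dc851119e3078ad492d88be7557350a9af2b1f9eb01bd6a99204c5b19c2771f/analysis/1332130391/",
	"https://www.virustotal.com/file/9ce295fc656089465bc8118ab1a1a8c8026f4829edbfd44d6690b27cf9dbad8f/analysis/",
	"https://www.virustotal.com/file/2ba35f139dbc478bf7998eeddfef578e42e67d881cf58ed97febc87f528f6737/analysis/1332132274/",
	"https://www.virustotal.com/file/9ce295fc656089465bc8118ab1a1a8c8026f4829edbfd44d6690b27cf9dbad8f/analysis/1332134248/",
}

// ReportHash extracts the SHA-256 of the scanned file from a report link.
func ReportHash(link string) (string, bool) {
	if m := vtURL.FindStringSubmatch(link); m != nil {
		return m[1], true
	}
	return "", false
}

// GroupByHash maps each file hash to the indexes of the links that scanned it.
func GroupByHash(links []string) map[string][]int {
	groups := map[string][]int{}
	for i, l := range links {
		if h, ok := ReportHash(l); ok {
			groups[h] = append(groups[h], i)
		}
	}
	return groups
}

// MatchesReport reports whether file is byte-identical to the binary the link is about.
func MatchesReport(file []byte, link string) bool {
	want, ok := ReportHash(link)
	sum := sha256.Sum256(file)
	return ok && hex.EncodeToString(sum[:]) == want
}

func main() {
	fmt.Println(GroupByHash(threadLinks))
}
```

The second and fourth links carry the same hash, so both scans were of the same bytes, while each rebuild has its own hash and is a different binary.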

@adg
Contributor

adg commented Mar 19, 2012

Comment 5:

This should be cleared up with the next weekly. I'm confident this isn't a real virus.

Labels changed: added priority-go1, removed priority-asap, expertneeded.

@gopherbot
Contributor Author

Comment 6 by outofbrain76:

Hi there. Avira confirmed it's a false positive. Detection will be removed in next
update. Haven't tested it on my machine yet.
http://analysis.avira.com/samples/details.php?uniqueid=Nsn2307FH0chph1OfbJO0CSdQA1Pt4vt&incidentid=1038387&
I think you can close this issue.

@gopherbot
Contributor Author

Comment 7 by outofbrain76:

Status report: After Avira updated their virus definition, there are no more alerts.

@adg
Contributor

adg commented Mar 20, 2012

Comment 8:

Status changed to Retracted.

@gopherbot
Contributor Author

Comment 9 by iamzhanghuifen:

..\go\go.go1.windows-386\go\pkg\windows_386\yacc.exe contains a virus? I use x86-32,
for both Intel and AMD 32-bit~

@minux
Member

minux commented Apr 26, 2012

Comment 10:

It's a false positive.

@rsc rsc added this to the Go1 milestone Apr 10, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016
@rsc rsc unassigned adg Jun 22, 2022
This issue was closed.