MBAM suddenly finding mp3Tag as Trojan.FakeMS.ED


ParrotSlave

MBAM is now reporting mp3Tag as a virus, Trojan.FakeMS.ED. The attached program files, one of the installer, the other of the exe in program files, are zipped with the password being "mbam" (in lower case):

 


Rescanning of the exe in program files today gives MBAM as the only one reporting it as a positive: 


 

Scanning of the installer (which I may have renamed, I don't remember), Mp3tag_v2.65.exe, gives no positives in virustotal's old scan, from 10 hours ago: https://www.virustotal.com/en/file/d52a6e3a37b35188215f1307f1b6a8545256dd45b8bc4b3ae2fc57b54dde0adb/analysis/

Rescanning the installer by virustotal gives MBAM as the only one reporting a positive:


 

The files are digitally signed by Florian Heidenreich on Oct 18, 2014, at 5:03:42 AM for the exe and at 5:03:52 AM for the installer exe. Neither file shows any modification according to Windows. So, either the file has magically changed without Windows knowing about it, or MBAM did something in its definitions to add it as a risk. I am assuming that the program is not doing anything it shouldn't do, i.e., that it hasn't been malicious all this time with MBAM being the first one to discover it. 

 

What is exceedingly peculiar is that I cannot find the original MBAM log reporting it as a positive when it was in ProgramFiles(x86). MBAM kept bugging me via systray for at least 30 minutes, but I was busy gathering information to report a false positive to Sophos, since its virus removal tool had suddenly decided that ipresetall.exe was a trojan,*** so I was ignoring MBAM for a while. Before restoring the file from quarantine, I went to an external drive to find the original installer, and put that in my downloads folder, which is the only place that I could find MBAM reporting either the installer or the program file, despite MBAM having been bugging me for at least half an hour about the exe in program files. I then scanned the installer file and, upon finding that virustotal thought it was safe, went ahead and restored the item from MBAM's quarantine.

 

After it quarantines the file, MBAM cannot then find it itself: there are a couple of dozen entries like this in the protection log:

Detection, 10/27/2014 4:16:02 PM, SYSTEM, HAL9000B, Protection, Malware Protection, File, Trojan.FakeMS.ED, c:\program files (x86)\mp3tag\mp3tag.exe, Quarantine Failed, 2, The system cannot find the file specified.  , [cde61efba9d33ef8cad1d00856ab4ab6]

 

[***You might take a look at ipresetall, since a number of vendors are starting to report it as a positive. Virustotal reports that 12 of 54 find it a threat, whereas Norton was the only one for a long time to think that it was evil. I finally got Norton to whitelist it a couple of months ago. If more vendors are finding it to be evil, you might very well also in the near future, unless you already have it whitelisted. See https://www.virustotal.com/en/file/485e79900bd33ae201f685834a7999d588e6909d7031b73dc344e8b783cbf871/analysis/; the file is available via a link on http://www.eightforums.com/network-sharing/18945-error-when-resetting-tcp-ip-stack.html.]


 

MBAM is now reporting mp3Tag as a virus, Trojan.FakeMS.ED. The attached program files, one of the installer, the other of the exe in program files, are zipped with the password being "mbam" (in lower case):

 

File(s) not attached.

 

 

  • Take the files and put them in a ZIP or RAR archive file.
  • Create a new post.
  • Choose "More Reply Options" on the bottom Right of the Web Form
  • Now choose "Attach Files" on the bottom Left of the Web Form.
  • Browse and find your ZIP or RAR file.
  • Choose "Add Reply" and there's your post with your attachment(s)

 

 

 

BTW: Trojan.FakeMS.ED isn't a virus designation. It is a trojan, as the name of the malware indicates.


Zootopia3000:
 
This is ParrotSlave's thread.  If you have an issue, please start your own thread.

Please reference: Please read before reporting a false positive
 
Post #2


If you are not a member of the Staff or Experts group, please do not reply to other users' posts in either the File or Web Blocking forums.

 
Thank you for understanding.


  • 2 weeks later...

win7root:
 
This is ParrotSlave's thread.  If you have an issue, please start your own topic/thread.

Please reference: Please read before reporting a false positive
 
Post #2



If you are not a member of the Staff or Experts group, please do not reply to other users' posts in either the File or Web Blocking forums.



Thank you for understanding.


  • 3 years later...

I am certain mp3Tag, if not a virus itself, goes out and gets them in from somewhere. Within minutes of using this software I was experiencing problems accessing my NAS drive which was only on my laptop - all other systems on my network were fine. I used MBAM to scan which found 8 viruses when the system only shortly before installing mp3Tag was fine.

Even after removing the viruses and rebooting, the re-use of mp3Tag again caused OS instability (not being able to double click on My Computer).

I may not be registered as an expert on the MBAM site here but I have my own computer company and do this for a living. Make your own decision, however I recommend that you remove this program from your system and never use it again.

Edited by SciFiSi

  • Root Admin

@SciFiSi

Thank you for your reply, but please notice this topic is 4 years old now. I will go ahead and close this topic, but also please note that replies to the FP forum are reserved for Experts and Staff. You're welcome to reply in most other forums though if you like. Please just make sure it's a recent topic.

Thank you

 

This topic is now closed to further replies.