Do I have a fake DjVu Reader?


When Malwarebytes Anti-Malware scanned a particular folder, it picked up a file named "DjVuReader.exe" as a Threat (Trojan.Agent) in Category Malware. Googling the file name shows that there is a file, a Windows App, with the same name in the Microsoft Store https://www.microsoft.com/en-us/store/apps/djvu-reader/9wzdncrdcsmz. I also uploaded the file to https://www.virustotal.com for a scan, and the result suggests that only Malwarebytes marks it as Trojan.Agent (all other 56 programs consider it safe).

(a) Is DjVuReader.exe a false positive?

(b) Is the file in my folder disguised as DjVuReader.exe but an actual Trojan?

(c) It's strange that the regular whole-computer Malwarebytes scan did NOT pick up this Trojan. It only picked up the file as a Trojan after I selected the folder and did a folder-specific scan. Should I do a folder-by-folder scan instead of the whole-computer scan?

Should I remove/quarantine the said file or not? Thank you.

Hi, @seraphodiabolus, and :welcome:

Primary indications, as you discerned from the VT logs, indicate that it may well be a false positive. My first question to you is: is it picking up the actual program file (usually located in C:\Program Files, or C:\Program Files (x86) if it is a 32-bit program on a 64-bit version of Windows, or perhaps in your User directory, either \Users\{yourloginname}\AppData\Local\{some folder} or \Users\{yourloginname}\AppData\Roaming\{some folder}, where {some folder} is NOT Temp), or is it finding the installer for that program in a folder where you may have downloaded it to?

My guess is that it is the installer, which may be why it did not pick it up on the initial full-disk scan.

Now on to your questions:

  1. Possibly.  A bit more analysis may be needed.  Probably need your logs submitted, see below for instructions.
  2. Possibly.  Obviously this is exclusive to question 1 - if 1 is true, this is false, and vice versa.
  3. This one is what makes me think it might be the installer file that you have for that software that is being picked up rather than the actual program installed on your machine.  Another thing to think about, though, is that every time you scan, the first thing that MBAM does is check for definition updates - and the first (and all previous) scans of the full disk may not have had the latest definition, which may have been downloaded when you performed a folder specific scan, and thus would be yet another indicator of a false positive.

At any rate, let's get some logs so we can start analyzing.

Please follow the instructions in the following post to gather the logs requested.

I'm almost positive that this is, in fact, a false positive situation, but let's be sure.

If you need help with generating and / or posting the logs, please post back.  Otherwise, just attach your logs to your reply.

Thanks a lot for the quick feedback!

As I only scanned the folder, which contains ~6 files, the log is short. I thus post it below instead of attaching it. Please let me know if it's okay (or not) to post the log directly.

I'm not a techie person, but my understanding of the log is that my "local/folder scan" picked up the actual exe file (installer??) on the desktop. So it's neither in \Program Files\ nor in \Users\xxx\AppData\.

Please let me know if more info or more specific scan is needed. Thank you very much.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/17/2016
Scan Time: 12:41 PM
Logfile: MBAM_log_041716.txt
Administrator: No

Version: 2.2.1.1043
Malware Database: v2016.04.12.09
Rootkit Database: v2016.04.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Brenden-non admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 9
Time Elapsed: 0 min, 13 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent, C:\Users\Brenden-non admin\Desktop\Areas of study\pharm\pharma flash cards\djvu Reader\DjVuReader.exe, No Action By User, [01f85558495063d3617d7be451afad53],

Physical Sectors: 0
(No malicious items detected)

(end)

OK, that is the executable itself to allow those study cards to display images in DjVu format - it should be safe enough.  As long as you submitted that exact file, the DjVuReader.exe, to VirusTotal and nothing was found on it, you should be good.

This might also have occurred because that may be an older version of that particular product, something you may want to look into by checking the version number of that program (we're pretty sure it's safe now that I see that it seems that this is a part of your flash cards - note the typeface, though - I'm not 100% sure it is safe, only reasonably sure) from the developer's website.  Here is the link for their website:

http://djvureader.org/

If you get the above one, you'll need a program that can extract .RAR files (7-Zip can do it, so can WinRAR, although WinRAR is a free trial, whereas 7-Zip is free).  You can then extract that to a folder, check that folder with MBAM and, if it does not cause issues, simply copy that file over the one in your flash cards folder and you should be set.

If you are interested in alternatives, there is this link where you might be able to find another viewing program that you feel safer with - but that might break your flash card application unless you are able to manually specify which DjVu reader you want to use in the settings:

http://djvu.org/

HTH

Edited by John L. Galt
Fixed typographical errors
In addition to the advice offered...

Quote:

Scan Date: 4/17/2016
Scan Time: 12:41 PM
Logfile: MBAM_log_041716.txt
Administrator: No

Version: 2.2.1.1043
Malware Database: v2016.04.12.09
Your MBAM database is outdated.
It may or may not "fix" the issue, but it would still be a good idea to update to the current database (2016.04.17.06).

If you think the file detection is a false positive, you may wish to upload the scan log AND an archived (zip, rar, etc.) version of the exe in the F/P section HERE.
The Research Team will evaluate the data and adjust the file detection, if needed.
(More information HERE.)

Thanks

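As an added example (not from the thread, from Malwarebytes, or from the DjVu Reader project), here is a small Python triage script for the MBAM 2.x text log format posted above: it parses the header and the detection line, applies the location heuristic from the replies (Program Files vs. AppData vs. a loose file on the Desktop), and flags the outdated database version that the last reply points out. The sample log lines and the "current" database string v2016.04.17.06 are taken from the thread; the location labels and the function names are my own assumptions.

```python
import re

# Constructed sample: the relevant lines of the MBAM 2.x log posted in the thread.
SAMPLE_LOG = """\
Scan Date: 4/17/2016
Scan Time: 12:41 PM
Malware Database: v2016.04.12.09
Rootkit Database: v2016.04.09.01

Files: 1
Trojan.Agent, C:\\Users\\Brenden-non admin\\Desktop\\Areas of study\\pharm\\pharma flash cards\\djvu Reader\\DjVuReader.exe, No Action By User, [01f85558495063d3617d7be451afad53],
(end)
"""

# One MBAM 2.x detection line: "<name>, <path>, <action>, [<id>],"
# The path group is greedy so a comma inside the path cannot be mistaken for a field break.
DETECTION_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,]+), \[(?P<id>[0-9a-f]+)\],?$")

def parse_mbam_log(text):
    """Return (header dict, list of detection dicts) from an MBAM 2.x text log."""
    header, detections = {}, []
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
        elif ": " in line:  # "Key: value" header lines (note "Scan Time: 12:41 PM" splits only once)
            key, value = line.split(": ", 1)
            header[key.strip()] = value.strip()
    return header, detections

def db_version(v):
    """'v2016.04.12.09' -> (2016, 4, 12, 9) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.lstrip("v").split("."))

def database_is_outdated(header, current="v2016.04.17.06"):
    return db_version(header["Malware Database"]) < db_version(current)

def classify_location(path):
    """Location heuristic from the replies above (labels are assumptions, not MBAM categories)."""
    p = path.lower()
    if "\\program files" in p:
        return "installed program"
    if "\\appdata\\local\\temp\\" in p:
        return "temp folder"
    if "\\appdata\\" in p:
        return "per-user install"
    return "loose file (Desktop/Downloads: installer or bundled exe)"

def triage(text, current_db="v2016.04.17.06"):
    """Summarise a log: is the signature database stale, and where does each hit live?"""
    header, detections = parse_mbam_log(text)
    return {"database_outdated": database_is_outdated(header, current_db),
            "detections": [{"name": d["name"], "file": d["path"].rsplit("\\", 1)[-1],
                            "location": classify_location(d["path"])} for d in detections]}
```

A stale database plus a hit on a loose file is exactly the pattern the replies treat as a likely false positive; re-scan after updating before submitting the file to the F/P section.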
