
Windows shortcut detected as malware but not on VirusTotal


A Windows shortcut to a URL is detected as "LNK/Agent.CH trojan 1" on my ESET Internet Security 14.0.22.0. However, VirusTotal shows no detection:

https://www.virustotal.com/gui/file/cba004a4a9bc884ba1ba002b7a45c43823b75de1e23c19d1c840ada8dff61ab9/detection

What is going on here? Can anybody take a look at the file?

Also, the option "Restore and exclude from scanning" is greyed out. This has happened several times already; why can't I just whitelist some files?

Attachments: URL-hxd.jpg, SadeemPC.com_URL.zip, eset-url-virus-can't-whitelist.png

Edited by Dakmp

When performing a scan at VT, always verify the date the last analysis was done. The scan link reference you posted was two months old. I just rescanned with this result:

[Screenshot: Eset_LNK.png]


Also, always take note of VT's detection relations analysis. As noted in the screenshot below, how this detected URL is packaged is the primary determinant of its maliciousness:

[Screenshot: Eset_Relations.png]

You can't restore it because Eset has removed it and deleted it from the archived download.

  • Administrators

I'd also add that VT uses a command-line on-demand scanner to scan files, so threats that ESET detects on a machine where it is installed may not always be detected at VT.


I will also make this comment.

If it isn't obvious yet, any download containing sadeempc.com references, direct or indirect in it, most likely is malicious. Sadeempc.com is a known malware hosting web site.

Also, a brief analysis by me noted a lot of crack downloads containing sadeempc.com references in them. Cracked software downloads are currently the primary method by which malware is being distributed. Refer to my postings on this subject in the forum's General Discussion section.


I understand that websites can provide malware downloads, but just a shortcut shouldn't be to blame, unless the shortcut itself installs some malware or does something tricky on the system. Does it? Does the shortcut hack the registry or install "something"? Because it looks like it has more bytes than a shortcut should have.

Edited by Dakmp

I will also add that .lnk references in Win autorun locations such as startup directories, registry run keys, or the like are, as a rule, highly suspect.

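The two questions raised above (what a .lnk file actually carries, and why its size can exceed what a simple shortcut needs) can be answered by reading the file against Microsoft's published Shell Link binary format (MS-SHLLINK). The script below is an added example written for this thread; it is not ESET's detection logic and not code from the original poster. It parses the header, the optional string fields (target path, arguments) and the extra-data blocks, reports any bytes left over after the terminal block, and applies a few illustrative defender heuristics. The two sample shortcuts are constructed in the script (the PowerShell path and `placeholder.ps1` argument are made up for illustration), so it runs offline; point `parse_lnk` at the bytes of a real file to inspect it the same way.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader.LinkFlags)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"

# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Walk a Shell Link file and return its decoded fields plus any trailing bytes."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    header_size, clsid, flags = fields[0], fields[1], fields[2]
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    info = {"flags": flags, "show_command": fields[9], "strings": {}}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts the whole structure
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    for bit, name in STRING_FIELDS:            # CountCharacters (2 bytes) + characters
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                info["strings"][name] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                info["strings"][name] = data[off:off + count].decode("cp1252")
                off += count
    signatures = []                            # ExtraData: BlockSize, BlockSignature, ...
    while off + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:                     # TerminalBlock ends the file
            off += 4
            break
        (signature,) = struct.unpack_from("<I", data, off + 4)
        signatures.append(signature)
        off += block_size
    info["extra_block_signatures"] = signatures
    info["trailing_bytes"] = len(data) - off   # anything after the terminal block
    return info


INTERPRETERS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def triage(info: dict) -> list:
    """Illustrative review heuristics for a parsed shortcut (not a vendor signature)."""
    findings = []
    strings = info["strings"]
    if any(name in strings.get("relative_path", "").lower() for name in INTERPRETERS):
        findings.append("target is a script or command interpreter")
    if len(strings.get("arguments", "")) > 200:
        findings.append("unusually long argument string")
    if info["show_command"] == 7:              # SW_SHOWMINNOACTIVE: starts minimized
        findings.append("launches with a minimized window")
    if info["trailing_bytes"]:
        findings.append(f"{info['trailing_bytes']} bytes appended after the terminal block")
    return findings


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments=None, show_command=1, trailing=b"") -> bytes:
    """Assemble a minimal, spec-conformant .lnk for the constructed samples below."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path)
    if arguments is not None:
        body += _string_data(arguments)
    return header + body + struct.pack("<I", 0) + trailing


# Constructed samples: a plain document shortcut and one with the traits triage() looks for
BENIGN_LNK = build_lnk(r".\readme.txt")
SUSPECT_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-File C:\Users\Public\placeholder.ps1",   # placeholder, not a real sample
    show_command=7,
    trailing=b"\x00" * 64,                                 # padding that inflates the file size
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        parsed = parse_lnk(blob)
        print(label, parsed["strings"], triage(parsed))
```

Run stand-alone, the benign sample yields an empty finding list and the suspect one reports the interpreter target, the minimized window and the 64 appended bytes. The `trailing_bytes` value is the direct answer to "more bytes than the shortcut should have": a well-formed shortcut ends at its terminal block, so anything after it was put there by whoever produced the file.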