MBR:Yurn-A (RTK) in new RGK signatures

[Faergor]

Hi, I had no problems before, but I downloaded the newest signatures 20190213_112737, and I found in C:\ProgramData\Roguekiller\signatures\mbr a thing called MBR:Yurn-A (RTK) this trojan, or whatever it is.
It was found by avast.

I am for some reason no longer even able to upload anything to virustotal, it says "Please answer the following puzzle to help us prevent abuse", doesnt let em upload either that mbr file or any other to virustotal.

I commonly scan my computer with roguekiller, avast, eset online scanner (its a one time scan only), malwarebytes and mbar. Nothing was found. Only avast found this file.
Thanks

I am uploading this file here to this post,can you please check it? Thanks

edit: I was able to upload file to virustotal,and it found this:
https://www.virustotal.com/#/file/81f2e7a10c7f5b46134756822c22d363659d1ead7999a75373a8f165d1b7309f/detection

file is flagged as same virus by both avg and avast, but nothing else.

[Curson]

Hi Faergor,

Thanks for your feedback.

Avast and AVG are detecting RogueKiller's MBR malware signature database file, this is not a malicious file.
Since RogueKiller cannot run without this file being present, please do not delete it and put it in your antivirus exclusion list. In case you already deleted it, please restore it.

Sorry for the inconvenience, we will fix this as soon as possible.

Regards.

[Faergor]

I know, it is part of the signature database, but could version of this file be malicious?
Can you scan this file I uploaded please and verify if this is real or false positive?
I mean, if by any chance it slipped through your radar when you were uploading the signatures, or if not, then if it got infected on my computer by something else?

I downloaded even newer database today, half an hour ago, so I suppose this hould be safe, but perhaps older one was unsafe.

[Curson]

Hi Faergor,

No, it's a confirmed false positive. We were not compromised in any way.
If you feel unsafe adding the mbr file in your exclusion list, please download the signatures package once again. We removed the offending signature, so it's not detected anymore.

Regards.

[Faergor]

great,thanks mate

[Curson]

Hi Faergor,

You are very welcome.

Regards.

[Faergor]

I downloaded 20190214_084435 signature and it still shows same virus.
I uploaded the file here for analysis.
I sent avg and avast email regarding this issue as well, hopefully they will resolve this.

I am going to look if there is newer signature after this one, you mentioned that you fixed this.

I will try and let you know if it will still show up

[Curson]

Hi Faergor,

Thanks for your feedback.
Does the detection keep occuring ?

Regards.

[Faergor]

No,not anymore.
I have newer signature 20190210_151546 and I no longer detect it with avast. I sent file mbr to avast and avg yesterday and explained issue to them.
Still waiting until they let me know result of analysis and hopefully exclude this.

Ok,so,2 questions:
1.is there possibility that perhaps this mbr file got infected on my computer?
OR
2. My mbr file was false positive all along? Have you please scanned the file I uploaded here (the one that was being flagged as a virus) and can you confirm that my file was false positive all along and certainly was not infected?
It was never found by anything other than avast.

Thanks just want to make sure that my file was never infected in first place.

[Curson]

Hi Faergor,

No, there is no possibility that the file was infected on your computer.
Yes, we analysed the file and we can confirm it was a false positive. Please don't worry, your computer was never at risk.

Regards.

[Faergor]

Thanks a lot .
You guys are doing a great job.
Sorry for asking so many questions and making sure. Appreciate it a lot:)

[Curson]

Hi Faergor,

You are very welcome.
Thanks for the kind words.

Regards.

[Faergor]

One thing popped my mind.
Stupid question, Im sure for 99,99% that you did,but:
You scanned the file I uploaded unzipped,right?

I was not able to detect it with avast when it was zipped, once I unzipped it, it was detected by avast right away (the previous versions that were detectable)

Thanks and sorry for so many (and some stupid) questions

[Faergor]

I received reply from AVG.

"Hello,

Thank you for contacting AVG.

Our virus specialists have been working on this request and they confirmed this detection is correct.

We understand it is unpleasant, and we will be happy to analyze the file again as soon as it matches our guidelines. Please refer to the following article about the AVG virus policy"


I think they mean the file was not false positive, but actual virus.
I uploaded the file here:
https://www.avg.com/en-us/false-positive-file-form

I had a false positive form picked. I explained the issue to them as well. That happened yesterday.

1.You guys of course scanned the file unzipped,right? It is not detectable when zipped.
2.have they made a mistake with the detection? I think they say it is a real threat, while you say its not.

What should I do? Ignore what they said? How come it showed up as a virus and they claim its real?
Thanks

[Curson]

Hi Faergor,

Yes, we unzipped it before the analysis.
What AVG means is that the file does contains malware code, but it's inactive. Such code is used in signatures to detect the live malware.
I advise you to read this article for better understanding : What Is a Virus Signature?

Regards.