Author Topic: MBR:Yurn-A (RTK) in new RGK signatures  (Read 15693 times)

February 14, 2019, 04:27:03 PM

Faergor

Hi, I had no problems before, but I downloaded the newest signatures 20190213_112737, and I found in C:\ProgramData\Roguekiller\signatures\mbr a thing called MBR:Yurn-A (RTK), this trojan or whatever it is.
It was found by Avast.

For some reason I am no longer even able to upload anything to VirusTotal; it says "Please answer the following puzzle to help us prevent abuse" and doesn't let me upload either that mbr file or any other file to VirusTotal.

I commonly scan my computer with RogueKiller, Avast, ESET Online Scanner (it's a one-time scan only), Malwarebytes and MBAR. Nothing was found. Only Avast found this file.
Thanks

I am uploading this file here to this post, can you please check it? Thanks

Edit: I was able to upload the file to VirusTotal, and it found this:
https://www.virustotal.com/#/file/81f2e7a10c7f5b46134756822c22d363659d1ead7999a75373a8f165d1b7309f/detection

The file is flagged as the same virus by both AVG and Avast, but nothing else.

Reply #1, February 14, 2019, 05:05:13 PM

Curson

Hi Faergor,

Thanks for your feedback.

Avast and AVG are detecting RogueKiller's MBR malware signature database file; this is not a malicious file.
Since RogueKiller cannot run without this file being present, please do not delete it and put it in your antivirus exclusion list. In case you already deleted it, please restore it.

Sorry for the inconvenience, we will fix this as soon as possible.

Regards.

Reply #2, February 14, 2019, 05:24:58 PM

Faergor

I know, it is part of the signature database, but could a version of this file be malicious?
Can you scan this file I uploaded please and verify if this is real or a false positive?
I mean, if by any chance it slipped through your radar when you were uploading the signatures, or if not, then if it got infected on my computer by something else?

I downloaded an even newer database today, half an hour ago, so I suppose this should be safe, but perhaps the older one was unsafe.

Reply #3, February 14, 2019, 05:39:53 PM

Curson

Hi Faergor,

No, it's a confirmed false positive. We were not compromised in any way.
If you feel unsafe adding the mbr file to your exclusion list, please download the signatures package once again. We removed the offending signature, so it's not detected anymore.

Regards.

Reply #4, February 14, 2019, 05:42:10 PM

Faergor

Great, thanks mate :)

Reply #5, February 14, 2019, 05:59:26 PM

Curson

Hi Faergor,

You are very welcome.

Regards.

Reply #6, February 14, 2019, 08:40:44 PM

Faergor

I downloaded the 20190214_084435 signature and it still shows the same virus.
I uploaded the file here for analysis.
I sent AVG and Avast an email regarding this issue as well; hopefully they will resolve this.

I am going to look if there is a newer signature after this one; you mentioned that you fixed this.

I will try and let you know if it still shows up :D

Reply #7, February 15, 2019, 10:35:58 AM

Curson

Hi Faergor,

Thanks for your feedback.
Does the detection keep occurring?

Regards.

Reply #8, February 15, 2019, 11:33:34 AM

Faergor

No, not anymore.
I have the newer signature 20190210_151546 and I no longer detect it with Avast. I sent the mbr file to Avast and AVG yesterday and explained the issue to them.
Still waiting until they let me know the result of the analysis and hopefully exclude this.

OK, so, 2 questions:
1. Is there a possibility that perhaps this mbr file got infected on my computer?
OR
2. My mbr file was a false positive all along? Have you please scanned the file I uploaded here (the one that was being flagged as a virus) and can you confirm that my file was a false positive all along and certainly was not infected?
It was never found by anything other than Avast.

Thanks :D Just want to make sure that my file was never infected in the first place.

Reply #9, February 15, 2019, 11:56:09 AM

Curson

Hi Faergor,

No, there is no possibility that the file was infected on your computer.
Yes, we analysed the file and we can confirm it was a false positive. Please don't worry, your computer was never at risk. :)

Regards.

Reply #10, February 15, 2019, 12:02:39 PM

Faergor

Thanks a lot :D.
You guys are doing a great job.
Sorry for asking so many questions and making sure. Appreciate it a lot :)

Reply #11, February 15, 2019, 03:43:33 PM

Curson

Hi Faergor,

You are very welcome.
Thanks for the kind words.

Regards.

Reply #12, February 15, 2019, 04:44:23 PM

Faergor

One thing popped into my mind.
Stupid question, I'm sure for 99,99% that you did, but:
You scanned the file I uploaded unzipped, right? :D

I was not able to detect it with Avast when it was zipped; once I unzipped it, it was detected by Avast right away (the previous versions that were detectable).

Thanks and sorry for so many (and some stupid) questions :D

Reply #13, February 15, 2019, 06:50:44 PM

Faergor

I received a reply from AVG.

"Hello,

Thank you for contacting AVG.

Our virus specialists have been working on this request and they confirmed this detection is correct.

We understand it is unpleasant, and we will be happy to analyze the file again as soon as it matches our guidelines. Please refer to the following article about the AVG virus policy"


I think they mean the file was not a false positive, but an actual virus.
I uploaded the file here:
https://www.avg.com/en-us/false-positive-file-form

I had the false positive form picked. I explained the issue to them as well. That happened yesterday.

1. You guys of course scanned the file unzipped, right? It is not detectable when zipped.
2. Have they made a mistake with the detection? I think they say it is a real threat, while you say it's not.

What should I do? Ignore what they said? How come it showed up as a virus and they claim it's real?
Thanks :)

Reply #14, February 15, 2019, 07:19:52 PM

Curson

Hi Faergor,

Yes, we unzipped it before the analysis.
What AVG means is that the file does contain malware code, but it's inactive. Such code is used in signatures to detect the live malware.
I advise you to read this article for a better understanding: What Is a Virus Signature?

Regards.
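
An added illustration of the situation discussed in this thread (not RogueKiller's, Avast's or AVG's code): a scanner that matches a raw byte pattern also flags a signature database that merely stores that pattern as data, and the match disappears while the database is compressed in a zip archive. The pattern, the database layout and all function names are constructed for this example.

```python
import io
import zipfile

# Constructed stand-in for a malware byte pattern; not a real signature.
PATTERN = bytes.fromhex("deadbeef0badf00dcafe")

def naive_scan(data: bytes) -> bool:
    """Flag any buffer that contains the pattern, whatever kind of file it is."""
    return PATTERN in data

def is_boot_sector(data: bytes) -> bool:
    """A master boot record is 512 bytes and ends with the 0x55 0xAA signature."""
    return len(data) == 512 and data[510:512] == b"\x55\xaa"

def context_scan(data: bytes) -> bool:
    """Report an MBR infection only when the pattern sits in a real boot sector."""
    return is_boot_sector(data) and naive_scan(data)

def build_samples():
    """Return (infected_mbr, signature_db, zipped_db); all three are constructed."""
    infected_mbr = PATTERN + bytes(510 - len(PATTERN)) + b"\x55\xaa"
    # Hypothetical database layout: the pattern is stored as inert data.
    record = b"SIGDB v1\nname=Constructed.Example\npattern=" + PATTERN + b"\n"
    signature_db = record * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("mbr", signature_db)
    return infected_mbr, signature_db, buf.getvalue()

def unzip_member(zipped: bytes, name: str = "mbr") -> bytes:
    """Extract one archive member so its content can be scanned uncompressed."""
    with zipfile.ZipFile(io.BytesIO(zipped)) as archive:
        return archive.read(name)

if __name__ == "__main__":
    mbr, db, zipped = build_samples()
    print("infected MBR, pattern only    :", naive_scan(mbr))
    print("signature DB, pattern only    :", naive_scan(db))   # false positive
    print("signature DB, with context    :", context_scan(db))
    print("zipped DB, pattern only       :", naive_scan(zipped))
    print("unzipped DB, pattern only     :", naive_scan(unzip_member(zipped)))
```
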