#384 Massive False Positive: PUA.VBS.FSO FOUND

open
nobody
Scanner (176)
8
2012-09-05
2008-04-22
No

Hi ClamWin Folks,

Today I got a massive false positive list for the virus "PUA.VBS.FSO". ClamWin thought that 69 files were infected. Here is the list of files:
D:\Download\Temp\Clip20040119171028.zip: PUA.VBS.FSO FOUND
D:\Download\Win32\ASP.NET Resource Kit\asprk.exe: PUA.VBS.FSO FOUND
D:\Download\Win32\AutoIt\SciTE4AutoIt3.exe: W32.Autoit.Obfus-1 FOUND
D:\Download\Win32\CorelDraw Graphics Suite 12\CGS12EPSMultiPatch.msp: PUA.VBS.FSO FOUND
D:\Download\Win32\Delphi 6.0\BorlandDelphiPersonalEdition.exe: PUA.VBS.FSO FOUND
D:\Download\Win32\Drivers\Networking\Adapter\Wired\Intel Pro\PRO2KXP (12.3).exe: PUA.VBS.FSO FOUND
D:\Download\Win32\Drivers\Printers\HP DeskJet 5440 (Photo Printer)\temp\setup\HPSoftwareUpdate\HPSoftwareUpdate.msi: PUA.VBS.FSO FOUND
D:\Download\Win32\Drivers\Printers\HP Deskjet 6540\Windows 9x drivers for network sharing\6500\Applications\HPSU\HP Software Update.msi: PUA.VBS.FSO FOUND
D:\Download\Win32\Drivers\Printers\HP Deskjet 6540\Windows 9x drivers for network sharing\6500_enu_win9x_me.exe: PUA.VBS.FSO FOUND
D:\Download\Win32\Offline-Update\ctupdate472.zip: PUA.VBS.FSO FOUND
D:\Download\Win32\Open Office\OOo_1.1.5_Win32Intel_install.zip: PUA.VBS.FSO FOUND
D:\Download\Win32\Open Office\OOo_2.4.0_Win32Intel_install_wJRE_en-US.exe: PUA.VBS.FSO FOUND
D:\Download\Win32\Tortoise SVN\TortoiseSVN-1.4.7.11792-win32-svn-1.4.6.msi: PUA.VBS.FSO FOUND
D:\Download\Win32\Tortoise SVN\TortoiseSVN-1.4.8.12137-win32-svn-1.4.6.msi: PUA.VBS.FSO FOUND
D:\Download\Win32\UnCheck\unchk3.zip: PUA.VBS.FSO FOUND
D:\Download\Win32\Windows 2000\W2KSP4_EN.EXE: PUA.VBS.FSO-1 FOUND
D:\Download\Win32\Windows All\Debugging Tools for Windows\dbg_x86_6.8.4.0.msi: PUA.VBS.FSO FOUND
D:\Download\Win32\Windows Installer Cleanup Utility\msicuu2.exe: PUA.VBS.FSO-1 FOUND
D:\Download\Win32\Windows NT4\IE401sp2.exe: PUA.VBS.FSO FOUND
D:\Download\Win32\Windows NT4\sp6i386.exe: PUA.VBS.FSO-1 FOUND
D:\Download\Win32\Windows XP\Microsoft Baseline Security Advisor 2.0.1\MBSASetup-EN.msi: PUA.VBS.FSO FOUND
D:\Programming\Delphi7\Syn Text Editor\Backup\3rd Party\synsrc-2.1.0.45.7z: PUA.VBS.FSO FOUND
D:\Programming\Delphi7\Syn Text Editor\Source\scripts\cmnfunc.vbs: PUA.VBS.FSO FOUND
D:\Programming\Delphi7\Syn Text Editor\Source\scripts\cs-rcs.vbs: PUA.VBS.FSO-1 FOUND
D:\Programming\Delphi7\Syn Text Editor\Syn\scripts\cmnfunc.vbs: PUA.VBS.FSO FOUND
D:\Programming\Delphi7\Syn Text Editor\Syn\scripts\cs-rcs.vbs: PUA.VBS.FSO-1 FOUND
D:\Programming\Inno Setup\ALogic LH\Distribution\Source\Runtimes\Open Office 2.4\openoffice.org-core06.cab: PUA.VBS.FSO FOUND
D:\Programming\Inno Setup\ALogic LH\Runtimes\Open Office 2.4.svn\text-base\openoffice.org-core06.cab.svn-base: PUA.VBS.FSO FOUND
D:\Programming\Inno Setup\ALogic LH\Runtimes\Open Office 2.4\openoffice.org-core06.cab: PUA.VBS.FSO FOUND
D:\Programming\Inno Setup\WinMerge\New\Src\Languages.svn\text-base\CheckTranslations.vbs.svn-base: PUA.VBS.FSO FOUND
D:\Programming\Inno Setup\WinMerge\New\Src\Languages\CheckTranslations.vbs: PUA.VBS.FSO FOUND
D:\Programming\VB6\4Square\BackUP\1.030 - 4 Square.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\4Square\Source\Open_And_SaveAS.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\Time Cycle 3.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\Time Cycle 4.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\Time Cycle 5.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\Time Cycle 6.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\Time Cycle.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\RawSeattle Tools\Tools\TimeCycle.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Archive\Time Cycle\TimeCycle.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\Dale's AOL\Source\Main.frm: PUA.VBS.FSO FOUND
D:\Programming\VB6\DataRobot Buddy\Backup\Data Robot Buddy 1.0.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\DataRobot Buddy\Source\TextStream.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\KaZaA Control\Source\frmUpdater.frm: PUA.VBS.FSO FOUND
D:\Programming\VB6\KaZaA Control\Source\modApp.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\Lemmings the Revolution Backup\BackUP\Lemmings the Revolution Backup 2.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Lemmings the Revolution Backup\BackUP\Lemmings the Revolution Backup.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Lemmings the Revolution Backup\Source\frmSelectFolder.frm: PUA.VBS.FSO FOUND
D:\Programming\VB6\Studies\Data Eraser\Data Eraser 1.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Studies\Data Eraser\Data Eraser 2.7z: PUA.VBS.FSO FOUND
D:\Programming\VB6\Studies\Data Eraser\modErase.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\Studies\FSO Deltree Study\Module1.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\VB Error Handler\Source\modApp.bas: PUA.VBS.FSO FOUND
D:\Programming\VB6\VS2003 Trial\Source\TextStream.bas: PUA.VBS.FSO FOUND
D:\Restore\Download\Programming\Visual Basic\Multi-Threaded Downloader.7z: PUA.VBS.FSO FOUND
D:\Restore\Download\Updates\Visual Studio\IntelSDK (Windows Installer 1.2).msi: PUA.VBS.FSO FOUND
D:\Restore\Programming\Time Cycle 7.5.7z: PUA.VBS.FSO FOUND
D:\Restore\Programming\Time Cycle 7.7z: PUA.VBS.FSO FOUND
D:\Temp\Jeff\Runtimes\Open Office 2.4\openoffice.org-core06.cab: PUA.VBS.FSO FOUND
D:\Temp\scripts\cmnfunc.vbs: PUA.VBS.FSO FOUND
D:\Temp\scripts\cs-rcs.vbs: PUA.VBS.FSO-1 FOUND
D:\Webs\OrganicSacramento.org\2007-09-27\gdform.asp: PUA.VBS.FSO-1 FOUND
D:\Webs\RawSacramento.org\BackUp\2002-09-09 Developer (ASP, TXT, MDB, INC).7z: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\BackUp\2002-09-09 Developer (ASP, TXT, MDB, INC, SLN, JS, DOC).7z: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\BackUp\2002-09-09 Developer (ASP, TXT, MDB, INC, SLN, JS, DOC, PWD).7z: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\BackUp\2003-01-22 Developer (ASP, TXT, MDB, INC, SLN, JS, DOC, PWD).7z: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\BackUp\RawSac Full 2002-09-10.zip: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\Final Remote Version Before Account Cancellation\html\Bin\Next Event.asp: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\html\Bin\Next Event.asp: PUA.VBS.FSO FOUND

As some of these files are source code, I'm reluctant to just hand them all over, but upon request I will post any of the files needed. However, I did look at one such file, TextStream.bas, and it's clearly harmless, which makes me think your heuristics are tripping on any use of the FileSystemObject. I have attached TextStream.bas for your perusal.

Thanks,
Christian Blackburn

Discussion

  • TextStream.bas

     
    Attachments
  • Logged In: YES
    user_id=561770
    Originator: YES

    I would also like to note that when I uploaded TextStream.bas to virustotal.com, I got a 0/32 positive rating. Since they also use ClamAV, I'm thinking this is a very recent signature causing problems.

     
  • Logged In: YES
    user_id=561770
    Originator: YES

    I've attached my ClamUpdateLog.txt for further details. By the way, I'm using 0.93.
    File Added: ClamUpdateLog.txt

     
  • ClamUpdateLog.txt

     
    Attachments
  • alch
    2008-04-22

    Logged In: YES
    user_id=1004158
    Originator: NO

    This happens because you enabled "Detect Potentially Unwanted Applications", and VBS falls under that category because the ClamAV engine is mainly a mail server virus scanner.

     
  • Peter Budts
    2008-05-14

    Logged In: YES
    user_id=498694
    Originator: NO

    ClamWin does not create the virus signatures. These are created by the ClamAV project.

    Read this FAQ about how to let them know about the problem.

    This is not a ClamWin bug.
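
Added example (not part of the original ticket and not ClamWin or ClamAV code): a triage script for a scan report in the format quoted above. It separates PUA-class names, the category the reply ties to the "Detect Potentially Unwanted Applications" option, from other detections such as W32.Autoit.Obfus-1, and counts the PUA hits by file extension. The sample lines are taken from the report plus one constructed OK line; treating a trailing -N in a signature name as a variant suffix is an assumption.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Sample lines copied from the report above; the final "OK" line is constructed.
SAMPLE_LOG = r"""
D:\Download\Win32\AutoIt\SciTE4AutoIt3.exe: W32.Autoit.Obfus-1 FOUND
D:\Download\Win32\Windows 2000\W2KSP4_EN.EXE: PUA.VBS.FSO-1 FOUND
D:\Programming\VB6\DataRobot Buddy\Source\TextStream.bas: PUA.VBS.FSO FOUND
D:\Webs\RawSacramento.org\BackUp\RawSac Full 2002-09-10.zip: PUA.VBS.FSO FOUND
D:\Temp\clean.txt: OK
"""

# Greedy path match: the drive-letter colon (and any other ": " inside a
# path) stays in the path; only the last "<name> FOUND" is the signature.
LINE_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_detections(log_text):
    """Return (path, signature) pairs for every FOUND line in the report."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            hits.append((match.group("path"), match.group("sig")))
    return hits


def triage(hits):
    """Split PUA-class hits from all others.

    Returns (pua, other): pua maps signature family -> {extension: count},
    other is the list of (path, signature) pairs that are not PUA-class
    and should be reviewed individually rather than as a bulk false positive.
    """
    pua = defaultdict(Counter)
    other = []
    for path, sig in hits:
        if sig.startswith("PUA."):
            # Assumption: a trailing "-N" is a variant number of one family.
            family = re.sub(r"-\d+$", "", sig)
            ext = PureWindowsPath(path).suffix.lower() or "(none)"
            pua[family][ext] += 1
        else:
            other.append((path, sig))
    return {family: dict(counts) for family, counts in pua.items()}, other


if __name__ == "__main__":
    pua_hits, other_hits = triage(parse_detections(SAMPLE_LOG))
    print("PUA-class by extension:", pua_hits)
    print("Non-PUA detections to review:", other_hits)
```

Run over the full report, the non-PUA list is what deserves individual attention: the W32.Autoit.Obfus-1 line is easy to miss among the PUA.VBS.FSO entries.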