Update list shown currently unavailable



AplusWebMaster
2005-11-25, 14:08
FYI...

- http://www.spybotupdates.com/index.php?page=updatehistory
Latest Update: 2005-11-25
Dialer
+ DialerPlatform
Hijacker
+ CoolWWWSearch.SearchAssistant + Smitfraud-C. + CoolWWWSearch.Feat2Installer + CoolWWWSearch.Service + CoolWWWSearch.Feat2DLL
Keylogger
+ Phoenix
Malware
+ VirtuMonde + SintCorporation
PUPS
+ Download Accelerator Plus
Trojan
+ Z-Quest

(Update list shown currently unavailable using SSD app update as of date/time of this post.):confused:

siljaline
2005-11-25, 14:23
Ditto here in Canada but the detection rules executable Here (http://www.safer-networking.org/en/download/index.html) seems to have reverted back to 18.11 over the last few minutes.
New definitions withdrawn for some reason?

Regards,
Silj

PepiMK
2005-11-25, 15:09
Reverted back? No, never was there ;)

The content on the website was added yesterday as usual, but someone must have accidentally released it without waiting till today... the files were only uploaded a few minutes ago (btw the checksum on the download page probably was the old one as well, as the manual installer was only created and the website on that updated today)...

So: nothing withdrawn, updates have come in the usual rhythm - every Friday :)

AplusWebMaster
2005-11-25, 16:38
Normal download (from SSD app) OK from this end now as of date/time of this post.

:bigthumb:

siljaline
2005-11-25, 19:32
I'm good to go, now as well Pepi

Regards,
Silj

Elandril
2005-11-27, 08:34
Does anyone know where I can find information about the detection criteria of this "Keylogger Phoenix" ?

The reason I'm asking is that Spybot has identified a file "C:\Windows\setup1.exe" as Phoenix, but I'm reasonably sure that I don't have any keylogger on my system (as I scan daily with spybot, ad-aware and two antivirus apps). The file itself has a version information that says something like "Microsoft Visual Basic 6.0 Setup Toolkit" (Version 6.0.0.8171, Size 286.720 Bytes).

siljaline
2005-11-27, 09:05
Does this help?
http://www.viruslist.com/en/news?id=1149

Silj

Elandril
2005-11-27, 09:20
Not really, but thanks anyway!

I was more searching for the criteria built into the latest detection rules, how this "Phoenix" malware gets detected. I'd like to check if it's a false positive.

siljaline
2005-11-27, 09:32
http://www.spybotupdates.com/index.php?page=updatehistory
<quote>
Keylogger
+ Phoenix
</quote>

Silj

Elandril
2005-11-27, 10:17
I was aware of that, but thanks anyway. :)

What I'm looking for are the exact criteria (e.g. filenames, hashes,...) which are used to identify this "Phoenix" keylogger.
As I said, I just want to make sure, it's a false positive!

siljaline
2005-11-27, 10:32
<quote>
I was aware of that, but thanks anyway. :)

What I'm looking for are the exact criteria (e.g. filenames, hashes,...) which are used to identify this "Phoenix" keylogger.
As I said, I just want to make sure, it's a false positive!
</quote>
I don't believe it is an F/P but I'll let the powers that be address your query.

Regards,
Silj

Elandril
2005-11-27, 12:01
I'm fairly sure now, that this is a false positive!
Have a look here (http://www.dslreports.com/forum/remark,14879377), where they describe exactly the same file that was found on my computer.
I also scanned it via virusscan.jotti.org and every scanner reported a clean file!

I hope someone reads this here - if not, I'll try to repost this as a separate thread! :D

siljaline
2005-11-27, 18:04
Elandril wrote:
I hope someone reads this here - if not, I'll try to repost this as a separate thread! :D
You should since I don't believe your thread has any connection with the original post.

Silj

Elandril
2005-11-27, 19:02
I just posted on the false positives forum! :D

Tattenbach
2005-11-28, 16:48
I do have the same situation (the file setup1.exe reported as containing the Phoenix keylogger).

I believe the detection is a false positive too and hopefully somebody will confirm or deny this assumption soon and stop debating about if this is or not the right place to post the query.

Setup1.exe
Description: Visual Basic 6.0 Setup Toolkit
Size: 280 KB (286,720 bytes)

If you want I can post a hex dump.

Elandril
2005-11-28, 17:08
It has been confirmed as a false positive (see here (http://forums.spybot.info/showthread.php?t=620))! :bigthumb:

Tattenbach
2005-11-29, 09:20
Thanks @ Elandril.