Fixed: mIRC reported as IRC.Zapchast

[AdamM]

After upgrading to 1.6.2, when I went to use my copy of mIRC 6.0.3 for the first time the Resident killed it and told me I had in fact executed IRC.Zapchast, a backdoor trojan. This is a legitimate (albeit old) copy of mIRC that I've had on my system and used since February 2008. TeaTimer is 1.6.6.32. My OS is XP Professional. Resident logs this:

29/03/2009 13:37:42 Encountered and terminated IRC.Zapchast in C:\Program Files\mIRC\mirc.exe!

 

[Yodama]

Thank you for reporting this false positive.
It has been confirmed and will be fixed with the next detection update scheduled for Wednesday 2009-04-01.

 

[AdamM]

Are you sure this was fixed? I've updated to the latest version but I'm still getting the false positive.

I understand this may be part of a wider TeaTimer 1.6.6.32 problem, but if so then why is this thread marked as 'fixed'?

 

[Yodama]

Did you restart the Teatimer or the computer after the update 2009-04-01?

 

[AdamM]

Unless you're suggesting that I haven't once turned off my machine between the 1st April and the present, then no, I did not reboot directly after installing the update; although I did restart TeaTimer after it reported the false positive again, to no avail.

Why, do you think this corrupted my update somehow?

 

[drragostea]

Try giving the machine a reboot.

 

[AdamM]

Astonishingly, that didn't work.

 

[Yodama]

ok, then please email to detections@spybot.info with a reference to this thread and give the following information:

* include the resident log to your email
* also include a full spybot S&D report to your email (scan , then right-click scan result and select to save full report)
* state when you did the Teatimer update and if there were other parts of Spybot S&D updated as well (best attach the downloaded.ini located in C:\program files\Spybot - Search & Destroy\Updates)

 

[AdamM]

Email sent. I also included the mirc.exe if you want to check that over.

 

[Yodama]

thank you for sending in the files.
I can confirm that the false positive still occurred with the version of mirc you supplied. This will be fixed with the next detection update scheduled for 2009-04-22.

 

[AdamM]

So I was right, it was the version number! Is it possible to make sure the false positive is eliminated with all versions?

 

[Yodama]

yes, you were right.

It is possible however it would be easier if mirc would use signed code. Since this is not the case we are dependend on a file whitelist which requires to get updated regularly which could lead to missing files in the whitelist. The later could be an issue if malware misused mirc files or uses files which are similar to mirc files.

 

[AdamM]

I can confirm the false positive does not appear after this update. Cheers!