Old 10-12-2007, 08:11 AM
sjae
Junior Member
 
Join Date: Jul 2007
Posts: 5
Re: iBolide v. 1.06 released

[ QUOTE ]


O_x

wtf?

[/ QUOTE ]

The answer is UPX. Many virus makers pack their virii with this packer, so an executable becomes suspicious only because it is packed. I made an experiment. I took my Windows Calculator, calc.exe, packed it with UPX and tested it on virustotal.com. See the results:

File calc.exe received on 2007.10.12 13:44:21 (CET)
Current status: finished
Result: 3/32 (9.38%)

AhnLab-V3 2007.10.12.1 2007.10.12 -
AntiVir 7.6.0.23 2007.10.12 -
Authentium 4.93.8 2007.10.12 -
Avast 4.7.1051.0 2007.10.11 -
AVG 7.5.0.488 2007.10.11 -
BitDefender 7.2 2007.10.12 -
CAT-QuickHeal 9.00 2007.10.11 -
ClamAV 0.91.2 2007.10.12 -
DrWeb 4.44.0.09170 2007.10.12 -
eSafe 7.0.15.0 2007.10.10 suspicious Trojan/Worm
eTrust-Vet 31.2.5205 2007.10.12 -
Ewido 4.0 2007.10.12 -
FileAdvisor 1 2007.10.12 -
Fortinet 3.11.0.0 2007.10.12 -
F-Prot 4.3.2.48 2007.10.11 -
F-Secure 6.70.13030.0 2007.10.12 -
Ikarus T3.1.1.12 2007.10.12 Win32.Suspect.Infection.150035
Kaspersky 7.0.0.125 2007.10.12 -
McAfee 5139 2007.10.11 -
Microsoft 1.2908 2007.10.12 -
NOD32v2 2588 2007.10.12 -
Norman 5.80.02 2007.10.12 -
Panda 9.0.0.4 2007.10.11 -
Prevx1 V2 2007.10.12 -
Rising 19.44.42.00 2007.10.12 -
Sophos 4.22.0 2007.10.12 -
Sunbelt 2.2.907.0 2007.10.11 -
Symantec 10 2007.10.12 -
TheHacker 6.2.8.087 2007.10.12 -
VBA32 3.12.2.4 2007.10.12 -
VirusBuster 4.3.26:9 2007.10.11 -
Webwasher-Gateway 6.0.1 2007.10.12 Win32.ModifiedUPX.gen!90 (suspicious)
Additional information
File size: 62976 bytes
MD5: 35a3f3dc420721e28bf441ec0c2964d8
SHA1: bb19a349a2468aacc70c1e6bef8002595abd6a1d
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX

You may download UPX at http://upxshell.sourceforge.net/ and play around with various files. So you can make sure iBolide is safe. But I cannot say the same about that 'free' changer.exe. It is NOT packed, so there must be another reason for the false virus detection (if it is false).
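The post above argues that the three "suspicious" verdicts come from packer heuristics rather than from anything calc.exe does. The script below is an added example (not code from the poster, from iBolide, or from VirusTotal) showing what such a heuristic actually looks at: it walks the PE section table and reports the two indicators UPX leaves behind, the well-known section names UPX0/UPX1 and a high-entropy (compressed) section next to a section with no raw data. The PE blobs it inspects are constructed inline so it runs offline; the 7.0 bits-per-byte entropy threshold is an assumption, not a value from the page or from any scanner.

```python
import math
import struct
from collections import Counter

# Section names UPX writes into the PE header; packer identifiers such as the
# ones VirusTotal reported above key on these (well-known names, not from the page).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
HIGH_ENTROPY = 7.0  # bits/byte; assumed threshold for "looks compressed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[dict]:
    """Walk the COFF header and return one record per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({
            "name": name.decode(errors="replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
        })
    return sections


def upx_indicators(pe: bytes) -> dict:
    """The signals a packer heuristic combines; returned separately for triage."""
    secs = parse_sections(pe)
    return {
        "upx_section_names": sorted(s["name"] for s in secs
                                    if s["name"].encode() in UPX_SECTION_NAMES),
        "high_entropy_sections": [s["name"] for s in secs
                                  if s["entropy"] >= HIGH_ENTROPY],
        # UPX0 typically has no raw data: it is only a virtual placeholder the
        # stub unpacks into at run time.
        "empty_raw_sections": [s["name"] for s in secs
                               if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def looks_upx_packed(pe: bytes) -> bool:
    ind = upx_indicators(pe)
    return bool(ind["upx_section_names"]) or (
        bool(ind["high_entropy_sections"]) and bool(ind["empty_raw_sections"]))


def build_sample_pe(sections: list[tuple[bytes, int, bytes]]) -> bytes:
    """Constructed, minimal PE-shaped blob (headers + section data, not runnable).
    Each tuple is (name, VirtualSize, raw bytes); the optional header is omitted."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, payload = b"", b""
    for name, vsize, raw in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0)
        payload += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + headers + payload


# Constructed samples: a UPX-style layout and a plain compiler-style layout.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x10000, b""),
    (b"UPX1", 0x8000, bytes(range(256)) * 4),   # uniform bytes: entropy 8.0
    (b".rsrc", 0x1000, b"\0" * 256),
])
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0x1000, b"\x90" * 512),
    (b".data", 0x200, bytes(range(16)) * 16),   # 16 symbols: entropy 4.0
])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, looks_upx_packed(blob), upx_indicators(blob))
```

Run against a real file with `looks_upx_packed(open("calc.exe", "rb").read())`. Note that the name check is the weak half of the heuristic: a packer can rename its sections, which is why scanners also weigh entropy and the empty-raw-section pattern, and why a match here means "packed", not "malicious".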