nakijun / peazip

Automatically exported from code.google.com/p/peazip

PWS:Win32/Lineage.gen!C.dam keylogger warning #263

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Installation of 64bit Peazip v5 from this link
http://sourceforge.net/projects/peazip/files/5.0.1/peazip-5.0.1.WINDOWS.exe/download

Tried again using mirror link here, same result:
2. Installation of 64bit Peazip v5 from this mirror link
http://download.cnet.com/PeaZip/3000-2250_4-10602256.html?part=dl-&subj=dl&tag=button

What is the expected output? What do you see instead?
As soon as I installed (with the options to install sponsor software unticked), a 
box popped up from MS Security Essentials warning of the threat in this newly 
installed file:
PWS:Win32/Lineage.gen!C.dam in
C:\Program Files\PeaZip\res\zpaq\is-RKPK0.tmp
MS Essentials then quarantined it, but then warned that it could not find the file 
to remove.

What version of the product are you using? On what operating system?
Peazip installation was 5.01
MS Security Essentials version:
  Antimalware Client Version: 4.3.215.0
  Engine Version: 1.1.9700.0
  Antivirus definition: 1.155.2454.0
  Antispyware definition: 1.155.2454.0
  Network Inspection System Engine Version: 2.1.9700.0
  Network Inspection System Definition Version: 106.0.0.0
OS Windows 7 Home Premium SP 1
AVG Free antivirus is also installed but did not report a warning.

Please provide any additional information below.

Original issue reported on code.google.com by sid1997...@googlemail.com on 17 Aug 2013 at 6:34

GoogleCodeExporter commented 9 years ago
The issue seems to be a false positive, pointing to zpaq, which is a less known 
executable that was sometimes mistakenly reported as suspicious in the past 
(every time the issue was recognized as a false positive).
Alternatively, as "is-RKPK0.tmp" is not featured in the installer, neither 
packed nor as a temporary file to be created during installation or when using 
PeaZip, I can think of an external, possibly malicious software with no 
relation to PeaZip using this path to cover its tracks.
I'll try to contact the Security Essentials team to report the incident.

Original comment by giorgio.tani.software@gmail.com on 17 Aug 2013 at 11:05

GoogleCodeExporter commented 9 years ago
OK, thanks for the quick response.

One other observation/question on the same matter: can you confirm that your 
website is hosted on SourceForge? Whilst I select www.peazip.org as the domain 
in my browser, once there, it is refreshed with a SourceForge address?

Thanks.

Original comment by sid1997...@googlemail.com on 18 Aug 2013 at 9:49

GoogleCodeExporter commented 9 years ago
Yes, as stated on the Project Home tab, PeaZip migrated to SourceForge due to 
Google Code ceasing to provide download service in Jan 2014: 
http://google-opensource.blogspot.co.uk/2013/05/a-change-to-google-code-download-service.html

SourceForge is now the main hosting resource for website and downloads due to its 
high performance and reliability; however, the peazip.org domain is still alive 
even if for most things it points to SF, for various reasons, mainly
1) some countries are not allowed to access SourceForge
2) links in PeaZip's help menu: it is not reasonable to assume every user will 
update just because domains change, so I need to keep a fixed domain that may 
be redirected to any more convenient path if things change in future.

Original comment by giorgio.tani.software@gmail.com on 18 Aug 2013 at 11:42

GoogleCodeExporter commented 9 years ago
Thanks again for the reply and patience. I have found more information in 
respect of the installation package:

I have tried reinstalling and the filename differs.
I resorted to Peazip 4 and managed to get hold of a copy of the tmp file created: 
see below between the ********:

(note I did not try to capture the file under PZ 5, but can have a go if that 
helps. The information below may shed light on what is happening:)

Note also that under the PZ4 installation there is no virus warning.

The file is created when extracting files from the ZPAQ folder in the install 
package.

Is this part of the install process?

*********
(zpaq 0.08 file tuned for high compression (slow)
on the Calgary corpus. Uses 278 MB memory)

comp 5 9 0 3 22 (hh hm ph pm n)
  0 const 160
  1 icm 5  (orders 0-6)
  2 isse 13 1 (sizebits j)
  3 isse 16 2
  4 isse 18 3
  5 isse 19 4
  6 isse 20 5
  7 isse 20 6
  8 match 22 24
  9 icm 17 (order 0 word)
  10 isse 19 9 (order 1 word)
  11 icm 10 (sparse with gaps 1-3)
  12 icm 10
  13 icm 10
  14 icm 14 (pic)
  15 mix 16 0 15 24 255 (mix orders 1 and 0)
  16 mix 8 0 16 10 255 (including last mixer)
  17 mix2 0 15 16 24 0
  18 sse 8 17 32 255 (order 0)
  19 mix2 8 17 18 16 255
  20 sse 16 19 32 255 (order 1)
  21 mix2 0 19 20 16 0
hcomp
  c++ *c=a b=c a=0 (save in rotating buffer)
  d= 2 hash *d=a b-- (orders 1,2,3,4,5,7)
  d++ hash *d=a b--
  d++ hash *d=a b--
  d++ hash *d=a b--
  d++ hash *d=a b--
  d++ hash b-- hash *d=a b--
  d++ hash *d=a b-- (match, order 8)
  d++ a=*c a&~ 32 (lowercase words)
    a< 65 jt 14 a> 90 jt 10
    d++ hashd d-- (added: update order 1 word hash)
    *d<>a a+=*d a*= 20 *d=a jmp 9
    a=*d a== 0 jt 3 (order 1 word)
       d++ *d=a d--
    *d=0 d++
  d++ b=c b-- a=0 hash *d=a (sparse 2)
  d++ b-- a=0 hash *d=a (sparse 3)
  d++ b-- a=0 hash *d=a (sparse 4)
  d++ a=b a-= 212 b=a a=0 hash
    *d=a b<>a a-= 216 b<>a a=*b a&= 60 hashd (pic)
  d++ a=*c a<<= 9 *d=a (mix)
  d++
  d++
  d++ d++
  d++ *d=a (sse)
  halt
post
  0  (may be 0 for PASS or x for EXE/DLL (E8E9) or p for LZP)
     (if x, set ph=0, pm=3. LZP not recommmeded for max compression)
end
*************

I appreciate that you are not an anti-virus expert, but this is from within the 
Peazip install process.

Many thanks.

Original comment by sid1997...@googlemail.com on 18 Aug 2013 at 6:13

GoogleCodeExporter commented 9 years ago
After re-testing 32 and 64 bit installers of different 5 and 4.x versions I can 
confirm that no .tmp files are featured in the installer: you may 
see/detect .tmp files while they are being extracted from the installer and 
written to the disk, but those are simply InnoSetup installer temporary work 
files and should not appear after the installation process has completed 
successfully.

The file sample is from max.cfg, a zpaq configuration file used in an older 
release of PeaZip; the file should be named max.cfg once it is extracted by the 
installer, and you should see it named max.cfg if installation completed 
successfully.
The file is not featured in the PeaZip 5 package, due to the newer version of 
zpaq; anyway, of course you will find temporary work files during extraction of 
each file from the installer.

A guess I can make from the first post: probably the virus scanner analyzed an 
incomplete file while it was being written to disk and raised a warning as it 
was mistaken for a viral file; that would probably not happen scanning the 
complete file.
Anyway it should not happen, and in fact it is the first report of this type I 
have received, a warning for a temporary file in the exact moment it is extracted 
from the installer.

Original comment by giorgio.tani.software@gmail.com on 19 Aug 2013 at 7:54
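A structural check for the zpaq config format quoted in the thread, added here as an example (not PeaZip's or zpaq's own code) and aimed at the maintainer's guess that the scanner saw a half-written file: it strips zpaq's nested parenthesised comments, confirms the comp/hcomp/post/end sections are present, and checks that the declared component count n matches the component lines, so a captured is-*.tmp can be told apart from a truncated fragment. The sample config at the bottom is constructed.

```python
def strip_comments(text: str) -> str:
    """Remove zpaq-style parenthesised comments, which may nest."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def check_zpaq_config(text: str) -> dict:
    """Verify the comp/hcomp/post/end skeleton and the component count."""
    lines = [ln.split() for ln in strip_comments(text).splitlines() if ln.split()]
    rep = {"complete": False, "declared": None, "found": 0, "problems": []}
    hdr = lines[0] if lines else []
    if len(hdr) < 6 or hdr[0] != "comp" or not hdr[5].isdigit():
        rep["problems"].append("missing 'comp hh hm ph pm n' header")
        return rep
    n = rep["declared"] = int(hdr[5])
    first = [ln[0] for ln in lines]
    missing = [kw for kw in ("hcomp", "post", "end") if kw not in first]
    if missing:
        rep["problems"].append("missing section(s): " + ", ".join(missing))
        return rep
    h, p = first.index("hcomp"), first.index("post")
    comps = lines[1:h]
    rep["found"] = len(comps)
    # component i must be introduced by its own index 0..n-1
    if len(comps) != n or any(ln[0] != str(i) for i, ln in enumerate(comps)):
        rep["problems"].append(f"declared {n} components, found {len(comps)}")
    if "halt" not in [t for ln in lines[h + 1:p] for t in ln]:
        rep["problems"].append("hcomp code does not reach 'halt'")
    rep["complete"] = not rep["problems"]
    return rep


SAMPLE = """(constructed sample: small order-0 model, not the posted max.cfg)
comp 0 0 0 0 2
  0 icm 5
  1 mix 8 0 1 24 255  (nested (comment) here)
hcomp
  halt
post
  0
end
"""
```

Running it on the file quoted above would report 22 declared and 22 found components with all sections present; a copy cut off before "hcomp" reports the missing sections instead.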