Author Topic: Virus found in dcraw.exe  (Read 5336 times)


Jens Rieger

  • Member
  • Posts: 23
Virus found in dcraw.exe
« on: 2016-02-01 05:49:58 »
Hi,
while performing a virus scan on my computer, a virus (Gen:Variant.Razy.10188) was found in the file "dcraw.exe". My virus scanner is GDATA Antivirus.
Has anyone got the same message?

greetings

Jens

Daan van Rooijen

  • Administrator
  • Sr. Member
  • Posts: 933
Virus found in dcraw.exe
« Reply #1 on: 2016-02-01 06:04:21 »
It sounds like a false positive to me. Gen.Variant.Kazy is a trojan, not a virus, and it attacks critical Windows files, not something random like dcraw.exe.

I'd recommend that you upload your dcraw.exe to Google's VirusTotal site (https://www.virustotal.com) to see what the other major AV-programs think of it.
I'm volunteering as a moderator - I do not work for Cerious Software, Inc.

Jens Rieger

  • Member
  • Posts: 23
Virus found in dcraw.exe
« Reply #2 on: 2016-02-01 06:21:35 »
VirusTotal shows this analysis:
https://www.virustotal.com/de/file/84f7f6e9f7b66d38c09d0f42f072410adf38b6be10324cac0b37e6755d767160/analysis/1454325426/

Daan van Rooijen

  • Administrator
  • Sr. Member
  • Posts: 933
Virus found in dcraw.exe
« Reply #3 on: 2016-02-01 06:51:47 »
Too bad, that is an inconclusive outcome. I'll send a note about this to Cerious just to be safe.

Which version of ThumbsPlus installed this dcraw.exe file? Also, could you state the date/time stamp and the size of the dcraw.exe file?

If someone who reads this is using the same version, maybe he can upload it to VirusTotal as well, to see if his and your file have the same SHA256 fingerprint. If so, your installed copy has not been modified by a trojan or virus.
I'm volunteering as a moderator - I do not work for Cerious Software, Inc.

Jens Rieger

  • Member
  • Posts: 23
Virus found in dcraw.exe
« Reply #4 on: 2016-02-01 07:05:29 »
TP version is 10 SP1 beta 2 build 4007 (Windows 10 German). The dcraw file is from Nov. 20 2015 19:28. When I open the properties of it, it shows me SIZE 485 KB, SIZE ON DISK 488 KB.
The virus definitions of GDATA are updated every day. GDATA says that it cannot clean the file and wants to delete it.
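The check Daan asks for in Reply #3 (and the properties Jens reports above) can be produced in one step: timestamp, size, and SHA-256 of the local dcraw.exe, compared against the fingerprint from the VirusTotal link. This is an added example, not code from the forum or from ThumbsPlus; the file paths are assumptions, and the only page-specific value is the SHA-256 taken from the VirusTotal URL.

```python
import hashlib
import os
from datetime import datetime

# SHA-256 of the dcraw.exe discussed in this thread, copied from the VirusTotal URL above.
THREAD_SHA256 = "84f7f6e9f7b66d38c09d0f42f072410adf38b6be10324cac0b37e6755d767160"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable never has to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def describe_file(path, expected_sha256=THREAD_SHA256):
    """Return the facts a forum member would be asked for (timestamp, size, SHA-256)
    plus whether the hash matches the fingerprint another user uploaded to VirusTotal."""
    st = os.stat(path)
    digest = sha256_of_file(path)
    return {
        "path": path,
        "modified": datetime.fromtimestamp(st.st_mtime).strftime("%Y-%m-%d %H:%M"),
        "size_bytes": st.st_size,
        "size_kb": round(st.st_size / 1024),  # what Explorer's property sheet shows as SIZE
        "sha256": digest,
        # Case-insensitive: VirusTotal and PowerShell's Get-FileHash differ in letter case.
        "matches_expected": digest.lower() == expected_sha256.lower(),
    }


def compare_copies(path_a, path_b):
    """True when two installs carry a byte-identical dcraw.exe, i.e. neither copy was modified."""
    return sha256_of_file(path_a) == sha256_of_file(path_b)


if __name__ == "__main__":
    import sys
    # Usage (assumed path): python check_dcraw.py "C:\Program Files\ThumbsPlus\dcraw.exe"
    for p in sys.argv[1:]:
        print(describe_file(p))
```

A matching SHA-256 only shows that two copies are identical; whether that shared build is malicious is still the question VirusTotal answers.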

IlseKasten

  • Full Member
  • Posts: 50
Virus found in dcraw.exe
« Reply #5 on: 2016-02-01 08:44:49 »
I have the same file and VirusTotal gives the same result. I renamed this file. TP gives no error message. Might be helpful to know the purpose of this file.

IlseKasten

  • Full Member
  • Posts: 50
Virus found in dcraw.exe
« Reply #6 on: 2016-02-01 08:50:13 »
Just downloaded dcraw.exe from http://originaldll.com/file/dcraw.exe/30132.html
This file seems to be clean.

Daan van Rooijen

  • Administrator
  • Sr. Member
  • Posts: 933
Virus found in dcraw.exe
« Reply #7 on: 2016-02-01 18:56:45 »
Dcraw.exe is used by the DCRaw plug-in (plug_digiraw.tpp) to convert camera raw files into images.

There is no single 'original' version of dcraw.exe because it is provided as C source code to developers, who all compile their own executable versions. However, if you and Jens had the same outcome on Virustotal, it is very likely that you both had the 'original' version as distributed with TP10 build 4007 (I still use an older build, so I couldn't verify that by myself).
I'm volunteering as a moderator - I do not work for Cerious Software, Inc.

Jens Rieger

  • Member
  • Posts: 23
Virus found in dcraw.exe
« Reply #8 on: 2016-02-02 06:05:19 »
Scanned the file again today. Same result. More findings on VirusTotal.

https://www.virustotal.com/de/file/84f7f6e9f7b66d38c09d0f42f072410adf38b6be10324cac0b37e6755d767160/analysis/

Daan van Rooijen

  • Administrator
  • Sr. Member
  • Posts: 933
Virus found in dcraw.exe
« Reply #9 on: 2016-02-02 07:03:29 »
Yes, but that is to be expected because AV-developers share the strings by which they identify malware. They do not all blindly add the strings that others found though, so I'm curious if established researchers like Kaspersky, AVG or F-Prot will add them.
I'm volunteering as a moderator - I do not work for Cerious Software, Inc.

Daan van Rooijen

  • Administrator
  • Sr. Member
  • Posts: 933
False alert
« Reply #10 on: 2016-02-09 20:39:32 »
The latest analysis shows that GDATA is no longer identifying the dcraw.exe file as malware. None of the major researchers ever considered it to be malware, so at this point it is safe to assume that it was a false positive.

https://www.virustotal.com/en/file/84f7f6e9f7b66d38c09d0f42f072410adf38b6be10324cac0b37e6755d767160/analysis/
I'm volunteering as a moderator - I do not work for Cerious Software, Inc.