Antivirus false positives with the TDSS Remover

Recently I was contacted by a user who was afraid to run the TDSS Remover because Kaspersky Anti-Virus had flagged it as Rootkit.Win32.Agent.

This was a false positive; they do happen with AVs from time to time. I contacted Kaspersky Lab and, happily, the problem was solved the same day (thanks guys, and respect to Eugene :) ). See the quote below.

But the issue persists! Today a user of Avast! contacted me with the same problem. I checked the file on VirusTotal and found five(!) false positives from major(!) antivirus vendors:

Engine     Version        Signature date   Detection
Avast      4.8.1351.0     2010.02.16       Win32:Rootkit-gen
Comodo     3958           2010.02.16       UnclassifiedMalware
GData      19             2010.02.16       Win32:Rootkit-gen
Sophos     4.50.0         2010.02.16       Sus/Rootkit-A
Symantec   20091.2.0.41   2010.02.16       Suspicious.Insight

Wow! It looks as if the antivirus vendors are simply repeating each other's faults, and in doing so they keep you from running a tool that does the job they failed to do. Note what the detection names actually say: "-gen", "Sus/", "UnclassifiedMalware" and "Suspicious.Insight" are generic heuristic or reputation verdicts (Symantec's Suspicious.Insight fires on files that are simply rare), not signatures for a specific piece of malware. GData reports the very same Win32:Rootkit-gen name because it bundles the Avast engine, so two of the five are really one detection counted twice.

The e-mail from Kaspersky's virus lab follows.

> -----Original Message-----
> From: newvirus@kaspersky.com [mailto:newvirus@kaspersky.com]
> Sent: Tuesday, February 16, 2010 2:39 PM
> To: alisa@esagelab.com; eugene@kaspersky.com
> Subject: Re: false positive [KLAN-60635401]
>
> [translated from the Russian original]
>
> This was a false positive.
> It will be fixed.
> Thank you for your help.
>
> -------------------------------------------
> Best regards,
> Pavel Firsov.
> Virus analyst,
> Kaspersky Lab ZAO

The reply, written in Russian in the original, acknowledges the false positive and says it will be fixed.

This entry was written by alisa, posted on Saturday, February 20, 2010 at 04:02 pm, filed under Tools.

2 Responses to “Antivirus false positives with the TDSS Remover”

  • DougCuk says:

    I note that the latest Remover.exe has decreased in size dramatically.
    v1.6.3.1 – 1084 KB (1,110,016 bytes) – Downloaded 13 February 2010
    v1.6.3.4 – 180 KB ( 184,320 bytes) – Downloaded 28 February 2010
    This appears to be due to a major revision in the way the program is compiled.
    As far as I can see the problematic rk_remover.sys driver is no longer created.
    This has solved the AVG false alarm detection.

    Without revealing anything to help the Rootkit authors is there anything you can say regarding this major revision to your utility?

  • alisa says:

    Hi DougCuk,
    I am pleased with our users’ attentiveness :)

    Indeed, the Remover’s size has changed dramatically in the latest build, because we stopped using a code protector (VMProtect). The reasons for this are as follows:
    1. VMProtect often causes FPs from antivirus software. Got pissed with them, finally.
    2. The Remover will be moving to a completely new core shortly. Thus, no need to protect the old one any more.
    3. We are compassionate about those poor paranoid guys who buy AVs’ suspicions regarding the Remover, and reverse engineer the tool to ensure it’s not a malware ;)

    As per rk_remover.sys, it is still utilized. However, normally it is deleted after you quit the program.
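The comment above explains the mechanism behind most of these verdicts: a code protector such as VMProtect leaves the real program as an encrypted, high-entropy blob inside sections with telltale names, and packed-file heuristics fire on exactly that. The following is an added example (not the Remover's code and not any vendor's detection logic) showing how such a heuristic looks at a PE file: it walks the section table, measures each section's byte entropy, and reports sections that either carry a known packer name or look like ciphertext. The `.vmp0`/`.vmp1` names are VMProtect's defaults and `UPX0`/`UPX1` are UPX's; the 7.0 bits-per-byte threshold is an assumption chosen for illustration, and the two PE images are constructed fixtures, not real binaries.

```python
import hashlib
import math
import struct

# Bits of entropy per byte (max 8.0). Compressed or encrypted data sits near
# the ceiling; plain x86 code and data tables rarely exceed ~6.5.
# The cut-off is an assumption for this example, not a vendor's value.
HIGH_ENTROPY = 7.0

# Section names that well-known packers/protectors add to a PE by default.
PACKER_SECTIONS = (".vmp", "UPX")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table and yield (name, raw_size, entropy)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])


def packer_indicators(image: bytes) -> list:
    """Reasons a packed-file heuristic would fire on `image` (empty if none)."""
    reasons = []
    for name, size, ent in pe_sections(image):
        if name.startswith(PACKER_SECTIONS):
            reasons.append(f"section {name!r}: known packer section name")
        if size and ent >= HIGH_ENTROPY:
            reasons.append(f"section {name!r}: entropy {ent:.2f} bits/byte")
    return reasons


def build_pe(sections) -> bytes:
    """Constructed test fixture: a minimal PE carrying the given (name, bytes)
    sections. Only the fields pe_sections() reads are filled in; this is not
    a loadable executable."""
    e_lfanew, opt_size = 0x40, 0xE0          # 0xE0 = PE32 optional header size
    coff = e_lfanew + 4
    table = coff + 20 + opt_size
    data_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte align
    image = bytearray(data_start)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", image, coff + 2, len(sections))
    struct.pack_into("<H", image, coff + 16, opt_size)
    body, raw_ptr = bytearray(), data_start
    for i, (name, content) in enumerate(sections):
        struct.pack_into("<8sIIII", image, table + i * 40,
                         name.encode("ascii"), len(content), 0x1000 * (i + 1),
                         len(content), raw_ptr)
        body += content
        raw_ptr += len(content)
    return bytes(image) + bytes(body)


# Constructed samples. The "code" is a repetitive byte pattern (low entropy);
# the protected image adds VMProtect-style sections filled with deterministic
# pseudo-random bytes, standing in for a protector's encrypted payload.
_RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(128))
SAMPLE_PLAIN = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 256),
                         (".data", bytes(1024))])
SAMPLE_PROTECTED = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 16),
                             (".vmp0", _RANDOMISH),
                             (".vmp1", _RANDOMISH[::-1])])

if __name__ == "__main__":
    for label, img in (("plain", SAMPLE_PLAIN), ("protected", SAMPLE_PROTECTED)):
        print(label, packer_indicators(img) or "no packer indicators")
```

Run against a real file with `packer_indicators(open(path, "rb").read())`. The point of the exercise is the one the comment makes: the heuristic never sees what the program does, only that its payload is opaque, which is why dropping the protector made the "Rootkit-gen"-style verdicts go away without a single functional change.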
