1. False positive.
I still think most of us are having/were having a false positive warning from AVG.
A key date is 4th November 2008.
Before 04/11/08 several people were having issues
with a Trojan found in an Open Office (OOo) download.
See "Trojan downloaded with OO software" thread
in the Getting started, Setup and Troubleshooting.
On 05/11/08 many reports of AVG finding a Trojan.
See this thread "AVG found trojan horse in open office files"
and many other discussion boards.
AVG are calling this Generic8.BCQ
AVG is finding it in "msi-pkgchk.exe"
and the CAB file where, I guess, it was put by the OOo developers
when they 'packaged up the files ready for download'.
The CABinet file is called "openoffice.org-core02.cab".
Several posts refer to AVG having had false positive.
I think this is another 'AVG false positive'.
As far as I can find, no other Anti Virus software
is reporting "msi-pkgchk.exe" as 'infected' or 'a Trojan'.
My AVG.
I am using the paid for "AVG Internet Security".
This includes Firewall, Anti-Virus, LinkScanner, Anti-Spyware, Anti-Spam, Anti-Rootkit etc.
Right now it is at
AVG version: 8.0.199
Virus DB: 270.9.0/1777
In my case, see my first post (on Wed Nov 05, 2008 10:51 pm),
my 'OOo Download' D:\OpenOffice2-4-1-DL\openoffice.org-core02.cab
was found to be 'infected'. This file had been 'tested and passed'
every day at 02:05 from 05/10/2008 until 04/11/2008 (a whole month).
Then, on 05/11/2008, using a Virus DB Update done at 21:39 on 04/11/2008,
my AVG 'detected the Trojan'.
Now, it is much more likely for my 'program file', which is in
an expected place, C:\Program Files\OpenOffice.org 2.4\program\msi-pkgchk.exe
to get infected.
For both the 'program file' and a CAB file that I happened to have,
in a location that was not very predictable,
to both get infected - on the same day - is not nearly so likely.
Anything is possible. As an aside - Malware has been found on the International Space Station!
See
http://www.f-secure.com/weblog/archives/00001489.html and
http://news.bbc.co.uk/1/hi/technology/7583805.stm
My point is:
Is it likely that a 'real Trojan' has the following characteristics?
1. It is present in several OOo Downloads, in the CAB Files, of several versions of OOo.
- Several 2.4.x
- In "OpenOffice version 3.0.9357.500" reported by owilky.
- the Post by TheGurkha on Fri Nov 07, 2008 11:21 am reports
"... portable version of OOo which is put together by PortableApps.com."
AND
2. It is not detected by any Anti Virus product for a month.
In cnebrandt's case for several months.
See his post on Wed Nov 05, 2008 12:54 am
AND
3. It is then widely detected by one AV Vendor's products
AND
4. Several days later it is still not being reported as being detected by any other vendor.
AND
5. There is no information on AVG's site as to what
"Trojan horse Downloader.Generic8.BCQ" is, how it works etc.
AND
6. There is no 'patch from OOo' to say something along the lines
of 'Security Issue - Trojan in CAB files / Trojan in download files...'.
I could go on...
Given all of this I just waited for AVG to get back to me
and I left the 'files in the AVG vault'.
Apart from the automated reply I have still not heard back from AVG
(see my post of Thu Nov 06, 2008 12:54 am).
This afternoon I have 'retrieved the files from the vault' and have tested them with:
AVG version: 8.0.199
Virus DB: 270.9.0/1777
Both files ("msi-pkgchk.exe" and "openoffice.org-core02.cab") now Pass.
So, AVG seem to have corrected their 'false positive'.
I don't know when - I've not had any feedback from AVG.
See my next post.