Wireshark-users: Re: [Wireshark-users] Wireshark v1.2.0's msvcp90.dll real or FP?
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Mon, 22 Jun 2009 11:45:53 -0700
Phillip Pi wrote:
> On Mon, Jun 22, 2009 at 10:56:12AM -0700, Gerald Combs wrote:
> 
>>> Strange. My DiamondCS MD5 v1.4.0.0 tool doesn't match yours from
>>> portable Wireshark (after extraction): 7B80921F9F6126F53F4250E2B23E0EA3
>> I copied msvcp90.dll to a temp directory and ran "upx -q" on it using
>> UPX 3.01w. The UPX-ed hashes are:
>>
>> MD5(msvcp90.dll)= 7b80921f9f6126f53f4250e2b23e0ea3
>>
>> I generated the hashes using "openssl md5", "openssl sha1", and "openssl
>> rmd160" respectively.
> 
> OK, that's better. So the files aren't tampered with. Also, notice that
> more than one online scanner detected something suspicious besides
> SuperAntiSpyware?

Yes. Please note that

  1) We've received quite a few virus reports in the past:
     http://wiki.wireshark.org/FalsePositives

  2) So far they've _all_ been false positives.

  3) Trying to get confirmation about a specific positive for a specific
     file from a specific vendor is often an exercise in joylessness.

I'm not quite ready to declare this a false positive. However, the
hashes for msvcp90.dll that we shipped match the ones on multiple
systems (which appear to be clean), and the hashes for the version of
UPX used to compress msvcp90.dll match those from a fresh download from
SourceForge. It really, really looks like a false positive right now.
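The check the thread is doing by hand (hash the shipped file, compare with the published digests, note that one tool prints uppercase hex and another lowercase) as a small Python script. This is an added example, not code from the Wireshark project or from anyone in the thread; the only value taken from the thread is the MD5 of the UPX-compressed msvcp90.dll, the sample bytes hashed below are constructed, and whether `ripemd160` is available depends on the local OpenSSL build (an assumption handled, not a fact from the page):

```python
import hashlib
import hmac
import sys
from typing import Dict, Optional, Tuple

# Digest published by the maintainer in this thread for the UPX-compressed
# msvcp90.dll. The sha1/rmd160 values are not quoted in the message, so only
# md5 is listed here.
PUBLISHED_MSVCP90_DIGESTS = {"md5": "7b80921f9f6126f53f4250e2b23e0ea3"}

# The three algorithms the thread generates with "openssl md5", "openssl sha1"
# and "openssl rmd160". hashlib names ripemd160 without the abbreviation.
ALGORITHMS = ("md5", "sha1", "ripemd160")


def file_digests(data: bytes) -> Dict[str, Optional[str]]:
    """Return lowercase hex digests of data for each algorithm.

    A value of None means the local OpenSSL build does not offer that
    algorithm (OpenSSL 3 moves ripemd160 to the legacy provider, which is
    an assumption about the environment, not something stated in the thread).
    """
    out: Dict[str, Optional[str]] = {}
    for name in ALGORITHMS:
        try:
            h = hashlib.new(name)
        except ValueError:
            out[name] = None
            continue
        h.update(data)
        out[name] = h.hexdigest()
    return out


def verify_digests(data: bytes, expected: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Compare computed digests of data against an expected set.

    Comparison is case-insensitive: in the thread DiamondCS printed
    7B80921F... and openssl printed 7b80921f..., and those are the same hash.
    Returns (ok, report) where report maps algorithm -> "match", "MISMATCH"
    or "unavailable". ok is False if any algorithm mismatches, or if nothing
    could be checked at all (an unverifiable file must not pass silently).
    """
    computed = file_digests(data)
    report: Dict[str, str] = {}
    ok = True
    for name, want in expected.items():
        got = computed.get(name)
        if got is None:
            report[name] = "unavailable"
            continue
        if hmac.compare_digest(got, want.strip().lower()):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
            ok = False
    if not any(v == "match" for v in report.values()):
        ok = False
    return ok, report


def verify_file(path: str, expected: Dict[str, str]) -> bool:
    """Hash a file on disk and print a per-algorithm report."""
    with open(path, "rb") as fh:
        data = fh.read()
    ok, report = verify_digests(data, expected)
    for name, status in report.items():
        print(f"{name:10s} {status}")
    print("RESULT:", "hashes match published values" if ok else "DO NOT TRUST")
    return ok


if __name__ == "__main__":
    # Constructed input when no path is given; a real run would pass the
    # extracted msvcp90.dll from the portable package.
    if len(sys.argv) > 1:
        sys.exit(0 if verify_file(sys.argv[1], PUBLISHED_MSVCP90_DIGESTS) else 1)
    sample = b"constructed sample bytes, not the real DLL"
    print(verify_digests(sample, PUBLISHED_MSVCP90_DIGESTS))
```

Run it against the extracted DLL with `python verify_msvcp90.py msvcp90.dll`; it exits non-zero on any mismatch. The same script serves the second comparison in the thread, the UPX binary against a fresh download, by swapping in that file's published digests. The case normalisation and the "unavailable is not a pass" rule are the two details that most often trip up a quick manual comparison.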