"Virus Guy" wrote:
> The file "KeyFinder.exe", which is a component file inside
> keyfinder.zip, is being flagged as:
>
> W32.W.Kolab (detected by AegisLab)

It's a false positive.

The exe is written in classic Visual Basic (VB6) with no obfuscation
or other trickery. Everything (strings, API calls, form structure) is
in plain sight. The file is signed with a valid certificate and the
author has a web site with several other utilities and a social media
presence. It'd be quickly found out if Sterjosoft was deliberately
spreading malware.

Since the program recovers product keys from MS and other vendors'
applications, there are many references to places in the registry
where the info is stored. It's quite likely that this is the reason
for the detection. Also there are API calls to URLDownloadToFile and
ShellExecute. These are to download the latest database and launch a
browser to the site, so are benign.

If you were planning to run this on Win98, it will only work on XP and
above. To my mind this rather negates the point of writing it in VB6,
but so much necessary use of the Win32 API is made that I guess he
was tempted to use some newer funcs for convenience and appearance.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
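
Added example, not part of the original post or of the program discussed: a small static-strings pass of the kind the reply describes, collecting the API names, registry paths and URLs a reviewer would want to account for when judging a heuristic detection. The sample bytes, the URL and all function names are constructed for illustration.

```python
import re

# API names the post mentions as visible in the binary.
FLAGGED_APIS = ("URLDownloadToFile", "ShellExecute")
REGISTRY_RE = re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE)\\[\w\\ .-]+", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+")

def extract_strings(data, min_len=5):
    """Return printable runs stored as ASCII and as UTF-16LE.

    Windows binaries commonly hold imported API names as ASCII and
    program string literals as UTF-16LE, so a pass needs both encodings.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def triage(data):
    """Group the strings a reviewer must explain before calling a hit benign."""
    strings = extract_strings(data)
    return {
        "apis": sorted({a for a in FLAGGED_APIS for s in strings if a in s}),
        "registry_paths": sorted(
            {m.group() for s in strings for m in REGISTRY_RE.finditer(s)}),
        "urls": sorted({m.group() for s in strings for m in URL_RE.finditer(s)}),
    }

# Constructed sample: an MZ stub, two ASCII import names, two UTF-16LE
# literals and a placeholder URL. It is not taken from any real file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"URLDownloadToFileA\x00\x00ShellExecuteA\x00\x00"
    + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion".encode("utf-16-le")
    + b"\x00\x00"
    + "DigitalProductId".encode("utf-16-le") + b"\x00\x00"
    + b"http://example.invalid/keys.db\x00"
)

if __name__ == "__main__":
    for category, hits in triage(SAMPLE).items():
        print(category, hits)
```

Each category in the result is something to match against the program's documented behaviour; the list is evidence to weigh alongside the signature and publisher checks, not a verdict by itself.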