Hi all,

A customer reported that their Antivirus software (Rising Antivirus 2007)
detected a virus in our product, specifically the "Backdoor.Agent.hyn" trojan
in the interop.shell32.dll file generated by Visual Studio 2005 on our behalf.

Running this file through http://www.virustotal.com/ indicates that Rising
Antivirus is the only product that finds a problem with the file, which I
generated for the test using a "clean" install of Visual Studio 2005 on an XP
VM.

Has anyone else seen this, or can anyone else confirm that this is a false
positive? I've found only one other mention of this on the 'net, on a chinese
site

Thanks! Jason

Hi Jason,

The interop.shell32.dll is just an interop assembly that contains metadata
used to consume COM type library from .NET. If you use Reflector
(http://www.aisto.com/roeder/dotnet/) to view it, you will see there're
just some interfaces or data structures.

It's probably because the malware you mentioned that has some identical
binary signature with this interop assembly. In my opinion, such issue
should probably be reported to the anti-virus software vendor.

That said, we might be able to workaround this by somehow changing the
content of this interop assembly so that it might bypass the anti-virus's
checking, but there's no guarantee that it will work.

You can give the interop assembly a strong name and sign it with a key
(such assembly is called primary interop assembly, PIA in short), this will
somehow change the binary content of the assembly. To do this, please refer
to following documents:

http://msdn2.microsoft.com/en-us/library/aa302338.aspx

Regards,
Walter Wang (wawang (AT) online (DOT) microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.