Trojan in On2 Flix Pro v8.545? Where da md5s at?!

I just loaded On2 Flix Pro (video conversion software to create Flash videos) and was told there was an update.

The application doesn’t have the smarts to update itself directly, instead sending you to the website to download a zip file containing the new update.

It installed successfully (well, the first attempt failed trying to register itself online to make sure I wasn’t copying it – super annoying DRM ties each install to a particular piece of hardware, making it hard to move between computers), but then when I went to run it I got an AVG error informing me that there was a trojan horse in the file winprojector8.exe – PSW.Ldpinch.VKM to be exact.

I’m fairly confident this is a false positive, but I can’t be sure, because there’s no digital signature or md5 or anything for this file, OR the zip file that I downloaded the application in, OR the self-installing .exe that came out of the zip file.

In case anyone else is running into this error, here are the md5s for each file:

577cbe65ae7f718b365b560e5109773b SetupFlixProPC_8_545.exe
4dbc59a37e213fc096f69eb9f6085964 SetupFlixProPC_8_545.zip
260e655dd577e54cd3a215feb60aa021 winprojector8.exe (the allegedly infected file)

Currently Googling for the md5 of the infected file yields this virscan.org URL, which indicates a few other applications detect a trojan in this file as well.

I have contacted On2 support (usually I get a response within 24 hours) and await what I hope will just be a ‘false positive’ response.

If they’d published an md5 hash of these files, I wouldn’t need to be worried. But they didn’t, so I am.

If you’re putting a file on the Internet up for download, please always publish a hash of the file – md5sum or sha1sum would be best – so that people can verify that what they think they’re getting is what you want them to be getting.

2hash for Windows

I’ve compiled up a version of Thomas Akin’s 2hash for Windows for my own nefarious deeds and thought other people might find it handy. You can download it (including source, which is mostly unmodified) right here. It can crash unexpectedly if you don’t provide proper input; I haven’t bothered carefully sanitising user input just yet. If anyone else other than me actually uses it I’ll put some more effort into it.

2hash – Simultaneous md5 and sha1 Hashing

Discovered 2hash yesterday – a simple GPL’ed tool to calculate the md5 and sha1 hashes of a file in a single read. If you’re regularly checking/calculating hashes of large files this’ll save you a lot of disk IO.

Update: The source site is down, so I have mirrored it here.

Update 2007/10/26: 2hash, by default, doesn’t support large files. If you compile it with the CFLAGS updated with ‘-D_FILE_OFFSET_BITS=64’ (as recommended by this page), it will work.
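
The single-read idea behind 2hash, combined with the hash publishing asked for in the first post, as an added Python example (not 2hash's code and not part of the original posts): each chunk read from disk feeds both digests, and the result is checked against an md5sum/sha1sum-style listing. The function names, the sample file name and its contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files never sit in memory


def dual_hash(path):
    """Return (md5_hex, sha1_hex) for path, reading the file only once."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)   # the same buffer feeds both digests,
            sha1.update(chunk)  # so the disk IO is paid for once
    return md5.hexdigest(), sha1.hexdigest()


def parse_published(text):
    """Parse md5sum/sha1sum-style lines ("<hex> <name>") into {name: hex}."""
    published = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            published[parts[1].strip().lstrip("*")] = parts[0].lower()
    return published


def verify(path, published):
    """Return 'ok', 'mismatch' or 'unlisted'; digest length selects md5 or sha1."""
    expected = published.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    md5_hex, sha1_hex = dual_hash(path)
    actual = {32: md5_hex, 40: sha1_hex}.get(len(expected), "")
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed sample: a temp file, a listing built for it, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample_download.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload\n" * 1000)
        listing = "%s  sample_download.bin\n" % dual_hash(path)[1]
        good = verify(path, parse_published(listing))
        with open(path, "ab") as fh:
            fh.write(b"tampered")  # any change to the file must be detected
        return good, verify(path, parse_published(listing))
```

A file that is missing from the listing comes back as 'unlisted' rather than 'ok', which is the situation the first post describes: with no published hash, there is nothing to verify against.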