There are many false positives on Japanese software, especially Japanese game software. This time I would like to make a complete false-positive report, so that AV vendors check a sample carefully before judging an innocent game (especially Japanese software) to be malware. I have done my best to make this report usable as a reference by all malware researchers doing false-positive analysis.
The PC version update/patch function of the Japanese animation game "Ayakashibito/Ayaban" (also written "Ayakashiban") was detected as a Trojan/malware by multiple anti-virus vendors; this is a false positive. The software is an animation game aimed at the adult market, and playing it involves very little network activity. The triggers of this false positive are 1) the packer used on the update file, which is meant to keep the installer/setup small (and which also changes the CRC/checksum values of the executable, and so on), and 2) the software is in Japanese, so most analysts cannot read its popup messages.
Therefore I am hereby making a full analysis of it.
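To make the first trigger concrete, here is an added example (my own illustration, not code from this report or from PROPELLER GAME) of the section-level heuristics that push a packed installer toward a generic "packed"/Trojan verdict: high section entropy, a section with no raw data that is filled at runtime, well-known packer section names, and an entry point inside a writable+executable section. The two PE images it inspects are constructed inside the script (a synthetic UPX-style layout and a plain unpacked one); they are not the real AyabanUpdate.exe, and the entropy threshold and section-name list are assumptions, not any vendor's actual detection rules.

```python
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Assumed heuristics for illustration, not any AV vendor's real rules.
HIGH_ENTROPY = 7.0
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", ".petite", ".MPRESS", ".nsp")


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Return (entry_point_rva, [section dicts]) by reading the PE headers directly."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", image, coff)
    entry_point = struct.unpack_from("<I", image, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr, _rel, _ln, _nrel, _nln,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "chars": chars, "entropy": shannon_entropy(data),
        })
    return entry_point, sections


def packer_indicators(image):
    """List the reasons a heuristic engine would call this image packed."""
    entry_point, sections = parse_pe(image)
    findings = []
    for s in sections:
        n = s["name"]
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{n}: high entropy {s['entropy']:.2f}")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"{n}: no raw data but 0x{s['vsize']:x} virtual bytes (unpack target)")
        if n.startswith(PACKER_SECTION_PREFIXES):
            findings.append(f"{n}: known packer section name")
        in_section = s["vaddr"] <= entry_point < s["vaddr"] + max(s["vsize"], s["raw_size"])
        if in_section and s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{n}: entry point 0x{entry_point:x} in writable+executable section")
    return findings


def build_pe(sections, entry_point):
    """Build a minimal PE32 image; sections are (name, vaddr, vsize, raw_bytes, chars)."""
    opt_size, align = 224, 0x200
    body_start = -(-(0x44 + 20 + opt_size + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HxxIIII", opt, 0, 0x10B, 0, 0, 0, entry_point)  # PE32 magic + entry point
    table, body = b"", b""
    for name, vaddr, vsize, raw, chars in sections:
        ptr = body_start + len(body) if raw else 0
        body += raw + b"\0" * (-len(raw) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (body_start - len(head)) + body


def pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed UPX-style layout: empty UPX0 to unpack into, compressed UPX1 holding
# the stub, entry point inside the writable+executable UPX1 section.
PACKED_SAMPLE = build_pe([
    ("UPX0", 0x1000, 0x8000, b"", 0xE0000080),
    ("UPX1", 0x9000, 0x1000, pseudo_random(0x1000), 0xE0000040),
], entry_point=0x9010)

# Constructed unpacked layout: low-entropy code and strings, read/execute .text.
CLEAN_SAMPLE = build_pe([
    (".text", 0x1000, 0x1000, b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 64, 0x60000020),
    (".data", 0x2000, 0x1000, b"Ayaban update OK\0" * 16, 0xC0000040),
], entry_point=0x1000)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        # The SHA-256 is what a VirusTotal lookup is keyed on.
        print(label, hashlib.sha256(img).hexdigest(), packer_indicators(img) or "no indicators")
```

Every one of these signals is also produced by a legitimately UPX-packed installer, which is why a packer alone is weak evidence; the remaining steps of this report (disassembly and behavior analysis) are what actually separate a packed goodware updater from a packed Trojan.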
You can find it on Amazon at the link below:
This game was made by the game studio PROPELLER GAME (http://www.propeller-game.com), whose website is shown below:
The AYABAN game itself was released in 2005; the game's website is quite good and you can view it safely at this URL, and I include a snapshot image of it:
In 2008 there was a version-up of the PC version of this game, and the update patch was put online at the vendor's site at the URL below:
**) Additional: Due to this misjudgement as "malware", the sample at that URL was deleted from the server.
**) Additional: The sample can be downloaded in section 5 of this report.
This update/patch file is now judged to be malware (a false positive) by multiple anti-virus products, as shown by the following VirusTotal result as proof:
The page above shows a scan result of 27/42 (64.3%); some major anti-virus vendors classified this software as the malware listed below:
The above malware information is wrong, since this is indeed goodware; with this report I ask the AV vendors to remove the FP detection of the current sample. Furthermore, I have been in contact with the maker of the software and was asked to help clarify this matter.
To make this clarification I analyzed the sample according to the following steps:
1. Analysis of the suspected malware "AyabanUpdate.exe"
2. Disassembly of the suspected malware "AyabanUpdate.exe"
3. Behavior analysis of the suspected malware "AyabanUpdate.exe"
4. Detection references
5. Result (in progress...)
Sponsored by: 株式会社ケイエルジェイテック (KLJ Tech Co., Ltd.)