A series of suspected Win32:Trojan-gen {Other} false positives

I have three files, all direct from reputable sources, which Avast! is identifying as Win32:Trojan-gen {Other}.

The first two are located in the BootDrv folder of my GIGABYTE motherboard CD. Details as follows:
-Disc is the GIGABYTE 6-Quad / S-Series Intel 3-series Utility CD (DVD)

  • GSATA32.exe hits for generic Trojan.
  • MSM64.exe hits for generic Trojan.
    -Both have been emailed to ALWIL
    -VirusTotal scans of both files yield about 7 hits out of 36.
    -Both are related to the setup of RAID drivers during the initial setup of a bare system.

Then we have a hit in the Auzentech driver package for the Prelude 7.1 card.
-Package name is driver20k1_auz_refcd2_rc1.zip
-File path is \MTB6\Setup\MToolBox.bin\TargetDir
-File name is Toolbox.exe
-File has NOT been emailed to ALWIL as it is too large
-VirusTotal scan yields 4/36 hits.
-This one is a part of the Creative Media Toolbox which is now being bundled in Auzentech drivers.

In both cases, the packages have come straight from the driver source. Can anyone shed some light on this?

If you can post the URLs for the VirusTotal results, we can see what else detects them and what the malware is called.

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

So it is possible that some of the other detections on VT are generic or heuristic (suspicious).

GSATA32.exe - http://www.virustotal.com/analisis/a7229f66f16caf477df026a20cd65046 (permalink; does not show Avast detection as of the 10/25/2008 database), or http://www.virustotal.com/analisis/ae35d2dc8d7808042dc0d2d7f899a81b (my most recent analysis which shows Avast detection on the 10/30/2008 database).

MSM64.exe - http://www.virustotal.com/analisis/bbeacc46d9a990ac3d590cfee6de2325 (permalink, which DOES show detection by Avast as of 10/29/2008)

Toolbox.exe - http://www.virustotal.com/analisis/1fa44fa1892e1f9a4ad3894f54bd1727 (permalink, which DOES show detection by Avast as of 10/29/2008)

I figured this was probably a heuristics-based identification that is a little over-sensitive. No big problem, it would just be nice to have it fixed so Avast doesn’t keep going after my driver updates =)

It certainly seems like generic/heuristic detections in all those that detected these.

Send the sample to virus@avast.com, zipped and password protected (you could put all samples in the one zip), with the password in the email body; a link to this topic, VirusTotal results, etc. might help, and put "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. Unfortunately you can’t group multiple samples in this way.

If it is indeed a false positive, and they seem so, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude them until the problem is corrected. Periodically check it (scan it in the chest); there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected, you can also remove it from the Standard Shield and Program Settings exclusions.