Avast 5 detects the virus, but Avast 6 doesn't.

My Avast 6 doesn't detect this file, but when I upload it to virustotal.com Avast 5 detects it. ???

http://www.virustotal.com/file-scan/report.html?id=b061e79a1cd75b614b485a47ffd1210794369a7dcc3fcebe793b1d565fe9c198-1301518364

Try turning on PUP and scanning again... what is the result then?

The same. Not detected.

I was playing with some samples and I found that some malware is detected by Avast 5, but not by Avast 6. Shouldn't they have the same engine?

Here is the file

hxxp://www.2shared.com/file/bPaZqG6d/Trial_Reset.html

Kill your link above :slight_smile: >>> replace something in it so that it can't be launched from here.

Avira analysis

The file 'Trial Reset.exe' has been determined to be 'DAMAGED FILE (UNKNOWN)'. In particular this means that this file is damaged and not working properly. We could not find any malicious content. However the heuristic detection module may still detect this particular file even though it is damaged. In that case we will not adjust and remove detection for this damaged file.

I guess that explains it…

NORMAN sandbox
Trial Reset.exe : Not detected by Sandbox (Signature: W32/Suspicious_Gen2)

[ DetectionInfo ]
* Filename: C:\analyzer\scan\Trial Reset.exe.
* Sandbox name: NO_MALWARE
* Signature name: W32/Suspicious_Gen2.ERLUN.
* Compressed: YES.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* Decompressing UPX3.
* File length: 510186 bytes.
* MD5 hash: 782c0b7a148bc388de80fd4141b8e1cf.
* SHA1 hash: 8075f12ef7b1e4c0612eeb908c192e8da51c60e1.
* Packer detection: UPX 2.90 LMA.

[ Changes to registry ]
* Accesses Registry key “HKCU\Control Panel\Mouse”.
* Accesses Registry key “HKCU\Software\AutoIt v3\AutoIt”.

Hi lastsamurai & Pondus,

Make that link non-clickable, like hxtp://, so the unaware won't go there and get something they do not want.
It is the "malpacker" used that is flagged; see this info here:
http://www.online-armor.com/oasis2/file/malware/mal_packer/trial_reset_exe/100821
and
http://www.threatexpert.com/files/trial-reset.exe.html

Corrected file analysis
http://www.virustotal.com/file-scan/report.html?id=b061e79a1cd75b614b485a47ffd1210794369a7dcc3fcebe793b1d565fe9c198-1301518364

Write-up on the malware worm of this name from a virus encyclopedia:

TRIAL RESET.EXE

Sample Accepted Time: 2010-1-18 14:02:58
Infected Times:
TRIAL RESET.EXE Description:

The unsafe files using this name are associated with the malware groups:

Malicious Software
Worm

TRIAL RESET.EXE acts as follows:

The Process is packed and/or encrypted using a software packing process
Drops known malicious software during execution

Includes file creation code which could be used to test for interception by security products

TRIAL RESET.EXE also has the following actions:

Created as a process in your system.
Executed as a Process

Infected Countries

Malware file TRIAL RESET.EXE detected on May 25 2009 in the following geographical region of the Prevx community:

Spain on May 25 2009
Same-behavior related threat file names:

TRIAL RESET.EXE has the following brother program files:

98609537.EXE
23031662.EXE
07999972.EXE
94838136.EXE
46541623.EXE
98639568.DAT

Filesizes

Several different file sizes detected:

2,570,979 bytes
5,930,694 bytes
48,640 bytes
971,263 bytes

File Type

Malware file TRIAL RESET.EXE is used by multiple object types including executable programs and objects.

File Activity

One or more files with the name TRIAL RESET.EXE create, delete, copy or move the following files and folders:

Creates folder C:\WINDOWS\system32\28463
Creates c:\windows\system32\28463\KGUT.001
Creates c:\windows\system32\28463\KGUT.006
Creates c:\windows\system32\28463\KGUT.007
Creates c:\windows\system32\28463\KGUT.exe
Creates c:\windows\system32\28463\key.bin
Creates c:\windows\system32\28463\AKV.exe
Creates c:\docume~1\jim\locals~1\temp\Trial-Reset.exe
Deletes c:\docume~1\jim\locals~1\temp@3.tmp

Spread Way:

Windows Vulnerability

Registry Value Creation

MD5: k8oBaNMH5k6ODHqCLxO3Au75pLs71iQ1
SHA1: sFwj2VupP6AwfI8dT2WJi1CQ8s0EM5yK0g16Jedx

Source: htxp://angui123.cn/VirusEncyclopedia/3468.html

polonus

No, it doesn’t - the engine is the same, i.e. they have to detect the same, at least on-demand :slight_smile:
My avast! 6 detects it as Win32:Agent-AJGC [PUP] - so I suppose you haven’t really enabled PUP scanning for the particular scan.

Hi Igor,

But it is the malpacker software packing process used here that is flagged, right? Borland Delphi compiled…
Another example: http://xml.ssdsandbox.net/index.php/1a2f41508f1d089fe710507646cd6e90

polonus

Why is the PUP ending removed at VirusTotal ?

I don’t really know what is flagged and why it’s flagged as PUP. Maybe it’s just the particular packed sample detected by the outer wrapper.

As for why VT removes the suffix - don’t know, I also find it unfortunate.

SOPHOS analysis ... this must be a world record response... 50 min

Trial Reset.exe -- identity created/updated. The file(s) submitted were identified as a potentially unwanted application and detection is now available on the Sophos Databank.