Avast feedback and possible false positive/misleading result?

Hi Guys,

I am trying out Avast! on my low-spec laptop at home. I’ve been a long-term user of AVG
and I think I prefer Avast!, as it seems to tax my poor old (384MB) laptop less than other
tools I’ve tried. I particularly like the boot-time scan feature and being able to run as a
screen saver. Nice work!

Being a bit of an old git, I didn’t much like the funky default skin, but that’s merely a minor
cosmetic detail, and besides, I’ve now downloaded and chosen one that suits me better :)

As an ex software-engineer, I spend an awful lot of time supporting and maintaining
friends’ and family’s PCs, and so I keep an extensive library of recovery tools. Avast reports
one of them as being infected with “Win32:Trojan-gen {Other}”, when in fact I’m
pretty sure it isn’t (I have AVG and Sophos on my other PCs and neither reports a problem).

I uploaded the suspect file to virscan.org, and some of the scanners they ran reported that
it is a password or possible-hacking tool (which is fair enough, 'cos it is!), and 3 reported it
as a trojan.

Details as follows:

File Name : WirelessKeyView.exe
File Size : 39424 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 693efd600afd791cd492b33b585b0226
SHA1 : 19521e63747b6f251df493c6d11b598c7c3d27c3

Of the 39 virus scanners that virscan.org ran, 27 reported nothing at all, between 7 and
9(!) reasonably report it as riskware, password/hacker tool (or “Generic” application!?):

AntiVir 7.9.0.10 SPR/PSW.Messen.BB
Arcavir 1.0.5 Riskware.Pswtool.Messen.Bb
BitDefender 7.60825.2046869 Application.Generic.14256 [Whatever that means!]
CP Secure 1.1.0.715 PSWTool.W32.Messen.bb
Ikarus T3.1.01.44 not-a-virus:PSWTool.Win32.Messen.bb
Kaspersky 5.5.10 not-a-virus:PSWTool.Win32.Messen.bb
nProtect 2008-10-31.01 Application.Generic.14256 [Whatever that means!]
Panda 9.05.01 HackTool/MSNpass.G
Quick Heal 9.50 PSWTool.Messen.bb (Not a Virus)

And 3, including Avast!, report it as a Trojan (gen):
AVAST! 3.0.1 081102-0 Win32:Trojan-gen {Other}
GData 19.1256/19.84 Win32:Trojan-gen {Other} [Engine:B]
The Hacker 6.3.1.1 v00135 Trojan/Messen.bb 0.755

So my question is, of course, am I at risk if I run this application?

TIA

Luc

GData uses two scanning engines, avast being one. The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and it is a fine balance between detecting a new variant and detecting something valid as infected. Though, being a tool, it is likely that purpose which triggers the generic alert; it probably could be better defined.

Though you should send it for analysis.
If it is indeed a false positive (more likely it should be classed as a [Tool] after the detection name), see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude it until the problem is corrected.

You can change the skin if you wish (more than you can shake a stick at): right click anywhere in the center of the skin or the menu and use Select Skin, where you can choose one of the others installed or the get more link. Or, from the settings item in the menu, Common section, uncheck Enable skins for the Simple User Interface, etc.

From avast version 5 there will be a new GUI and there will be no skins, as the third party skinning software will no longer be available.

Hi DavidR,

Thanks very much for your prompt response; I have reported the “virus” as you said, and
added it to my exclusion list.

“You can change the skin if you wish (more than you can shake a stick at), right click…”
Like I said, I’ve already changed my skin!

Thanks once again
Luc

No problem, glad I could help.

Welcome to the forums.

Actually I do think it is a virus, depending on how you use it. This application was meant to help you recover your wireless keys from the networking service on your computer. But at the same time you can use it to steal wireless passwords in order to obtain free internet, but other than that it seems pretty fair that some AVs detect it as password cracking software.

But no, you are not in danger as long as the application is working for you, and you only. How do you know this?
Well, does the application even work? If you run it, does a window pop up telling you the keys? Then yes, you are fine.

If you double click the application to launch it and nothing happens, then no, you are not fine.

Not just how you use it, but whether you installed it, as it could be installed without your knowledge.

The use aspect of any tool will always give AVs a problem as they have no real means to fathom intent. Which is why reclassifying the malware name of the detection and giving it a suffix of [Tool] would still alert on detection, then it is the user that determines intent/use.
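
An added example, not part of any post in this thread: a small triage of the virscan.org results quoted above, separating tool/riskware labels from malware labels, flagging generic (-gen) signatures, and collapsing identical detection names that point at a shared engine (as with GData and avast). The marker patterns and the identical-name heuristic are assumptions made for this example, not any vendor's official naming scheme.

```python
import re
from collections import Counter

# (engine, detection name) pairs copied from the scan results quoted in the thread.
RESULTS = [
    ("AntiVir", "SPR/PSW.Messen.BB"),
    ("Arcavir", "Riskware.Pswtool.Messen.Bb"),
    ("BitDefender", "Application.Generic.14256"),
    ("CP Secure", "PSWTool.W32.Messen.bb"),
    ("Ikarus", "not-a-virus:PSWTool.Win32.Messen.bb"),
    ("Kaspersky", "not-a-virus:PSWTool.Win32.Messen.bb"),
    ("nProtect", "Application.Generic.14256"),
    ("Panda", "HackTool/MSNpass.G"),
    ("Quick Heal", "PSWTool.Messen.bb"),
    ("AVAST!", "Win32:Trojan-gen {Other}"),
    ("GData", "Win32:Trojan-gen {Other}"),
    ("The Hacker", "Trojan/Messen.bb"),
]
TOTAL_SCANNERS = 39  # scanners run, per the original post

# Assumed markers (hypothetical lists for this example only).
TOOL = re.compile(r"not-a-virus|riskware|pswtool|hacktool|^spr/|^application\.", re.I)
MALWARE = re.compile(r"trojan|worm|backdoor|virus", re.I)
GENERIC = re.compile(r"-gen\b|\.generic\.", re.I)

def classify(name):
    """Return 'tool', 'generic-malware', 'malware' or 'other' for a detection name."""
    if TOOL.search(name):          # checked first so 'not-a-virus' is never read as 'virus'
        return "tool"
    if MALWARE.search(name):
        return "generic-malware" if GENERIC.search(name) else "malware"
    return "other"

def triage(results, total):
    """Summarise a multi-scanner report for a suspected false positive."""
    engines_by_name = {}
    for engine, name in results:
        engines_by_name.setdefault(name.lower(), []).append(engine)
    malware_names = [n for n in engines_by_name if classify(n).endswith("malware")]
    return {
        "clean": total - len(results),
        "by_class": dict(Counter(classify(n) for _, n in results)),
        # Identical names across engines are counted once (likely a shared engine).
        "distinct_malware_signatures": len(malware_names),
        "shared": {n: e for n, e in engines_by_name.items() if len(e) > 1},
    }

if __name__ == "__main__":
    for key, value in triage(RESULTS, TOTAL_SCANNERS).items():
        print(key, "=", value)
```

On this report the three Trojan verdicts reduce to two distinct signatures, one of them generic, against nine tool/riskware labels and 27 clean results.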