Avast Finds Virus but

Hi, I downloaded a file called Cain & Abel v2.0 for Windows 9x (discontinued) from here
http://www.techtv.com/screensavers/darktips/story/0,24330,3602921,00.html and select download it redirects to here http://www.oxid.it/cain.html and then Avast says warning Virus( Win32:Trojan-gen. {VC}) is on your computer. So I checked the file with another visrus scanner called AntiVir Personal Edition v 6.22xxx and it says cain20.exe Contains a signature of the (dangerous) backdoor program BDS/Cain.2.0 Backdoor server programs. I didn’t get warning for the Win XP ver, just the win 98 version. Maybe someone could try the siyte mentioned and see if Avast warns of virus. Maybe sone could send from chest because mine wont send SMTP. Please Advise.

I tried to send it from chest but get error from SMTP mail problem. Seems I can never to get that to work for a long time now. It used to work way back in eariler version of avast. I can use the SMTP email with Outlook Express but not with Avast Send from Chest option in Avast.

Running Win 98 on computer with Virus warning.

Thanks

Hi,

uuhm… what exactly is your problem/question ?

two AV-programs warn you of a file you downloaded from a dubious source ?
Delete it, and EOD …

you could of course try other scanners (e.g. from KAV, RAV, Trend, Softwin, Panda, F-prot) until you get blue in the face…

;D ;D :wink: :wink:

Hi whocares

I just didn’t think Tech-TV would advise to download a progie that had a virus. I sort of figured Tech-TV had a rep to maintain.

Thanks for the input though.

Hello,

I use the 2.5 version (for Windows XP) of Cain & Abel, as it was referenced here. It was installed a few months ago, while I have been using Avast! Home 4 for almost one year now ;).

Avast! is always up-to-date (thanks to the automatic update feature), and the real-time shield is activated. But it had never detected this software as a trojan, except today since 0424-0 VPS file. I am aware of false positives with this signature file (I had the same problem with the WinRAR installer than another board member), but the updated 0424-1 VPS file keeps telling this software is Win32:Trojan-gen. {VC}.

Though I assume some part of the executable could be considered as a trojan because of its features, e.g. sniffing networking protocols, I ultimately doubt Avast! should claim this program actually is a trojan.

Thanks for your reading :). Keep up the good work.

Well, I guess my english is not easy to read ; but if you need more information, I just can try to explain better :).

Everyone who is thinking of me as trying to get my message back at the top of the list would be, ahem, right ;D.

Hi,
@1) right
@2) why not ? lots of other AV-scanner also consider it a trojan/backdoor

So, I don’t think this detection should or will be dropped, but you could send it in, of course, to virus@avast.com and ask alwil to reconsider

:wink:

This COULD be a false alarm… Only Avast is showing me a positive - but Avast is the best at finding deep down baddies i’ve been finding… I’ve checked it with Ewido (50,000+ Trojan Defs), Dr.Web (Best Heuristics), and Kaspersky (Best overall single engined detection) and finally Trend Micro (Pc-Cillian)

Dr.Web ®Copyright © Igor Daniloff, 1992-2004
Engine version: 4.31b
Total 50742 virus-finding records.
Last update: Wed Jun 9 18:10:02 2004
cain20.exe - Ok

Kaspersky 5.0
Scanned file: cain20.exe
cain20.exe - archived by WiseSFX
cain20.exe/WISE0000.BIN - OK
cain20.exe/WISE0001.BIN - OK
cain20.exe/WISE0002.BIN - OK
cain20.exe/WISE0003.BIN - OK
cain20.exe/WISE0004.BIN - OK
cain20.exe/WISE0005.BIN - OK
cain20.exe/WISE0006.BIN - OK
cain20.exe/WISE0007.BIN - OK
cain20.exe/WISE0008.BIN - OK
cain20.exe/WISE0009.BIN - OK
cain20.exe/WISE0010.BIN - OK
cain20.exe/WISE0011.BIN - OK
cain20.exe/WISE0012.BIN - OK
cain20.exe/WISE0013.BIN - OK
cain20.exe/WISE0014.BIN - OK
cain20.exe/WISE0015.BIN - OK
cain20.exe/WISE0016.BIN - OK
cain20.exe/WISE0017.BIN - OK
cain20.exe/WISE0018.BIN - OK
cain20.exe/WISE0019.BIN - OK
cain20.exe/WISE0020.BIN - OK
cain20.exe/WISE0021.BIN - OK
cain20.exe/WISE0022.BIN - OK
cain20.exe/WISE0023.BIN - OK
cain20.exe/WISE0024.BIN - OK
cain20.exe/WISE0025.BIN - OK
cain20.exe/WISE0026.BIN - OK
cain20.exe - OK

Ewido Report:
Cain20.EXE = CLEAR

Trend Micro
Cain20.exe: Ok

I WILL do some further testing as well on it, because i’m aware of a loophole with most AV products where they cannot properly scan BIN files, while Avast does. ;D

Interesting thing to note so far on this one, is Avast brings up the alert if you even mouse over this in explorer directory.

However, if you drop it in a RAR archive, it doesn’t trip off, and even shell-extension right-click scan of the archive, doesn’t trigger the alert as well.

Anyone explain the reasoning as to why that might happen?

PS: Still investigating the file, but ran into this curious behavior.

Thanks for your reply :). But as stated by Kobra who kindly did nice testing, it seems that not so many programs consider it as a backdoor.

The point is the user knows what he installed while using this program (contrary, for instance, to Back Orifice variants whose server executables hide themselves).

I noted this too :).

I just didn't think Tech-TV would advise to download a progie that had a virus. I sort of figured Tech-TV had a rep to maintain
If you didnt know Kevin Rose was a former Hacker. His Dark tips often tell how to hack programs and things. well it coes as no surprise that some AV programs detect it as infected
  • AVPE & RAV each consider 1 of the versions as backdoor
  • KAV only says tool.reboot, but from the description I’d consider it definetly unwanted on my PC

Don’t you think, that Users who DO know about it AND want it, should be knowledgable enough to exclude it from scanning via avast’s options… :wink:

Well, the funny thing is (and I should have told it before) that I actually excluded the whole “C:\Program Files” directory, where this program was installed. The alert began with 0424-0 VPS file, in spite of this exclusion (I am using Avast! Home 4.1.396) ; so I uninstalled Cain & Abel 2.5b47 yesterday.

In the meantime, Avast! updated to 0424-2 ; I have just installed Cain & Abel 2.5b52 and removed the exclusion : it seems that it is no longer signaled as a trojan…

i am using the beta version with the latest update. but yesterday during boot time scan i got the following win32 virus:lovelorn(vbs)
the system halted during boot and i was only able to move it and do nothing else. what should i do about it ? is it harmful to keep it in the system?

regards
Sunny

The program is named “Cain & Abel.” Shouldn’t that be a clue? ???

Its developper is christian :slight_smile: ?

I’ve sent this file out to a Virus/Trojan forensics lab, and they found that indeed, the Abel part of this product IS a Trojan, however the Cain part is now.

So yes, its properly flagged as a Trojan, and any AV that doesn’t pick it up, should be picking it up.

Thanks for your work and your clear answer :). Neither Abel nor Cain is flagged as trojan anymore, though (i.e. since I updated this program - both of them were before). I have also updated Avast! to 4.1.412 and VPS to 0424-3.

Well that blows, because i’m told Abel is a Trojan by Forensics friend. Also, i’ve now confirmed that with 3 other AV companies, and someone I trust to analyze, which is Kevin over at BOClean Anti-Trojan. He says its a trojan too.

Wonder why Avast no longer recognizes it? ???

Well, what version did you send exactly ? I trust you, and I trust Avast! : I might have misconfigured something too :)…