Hi, I downloaded a file called Cain & Abel v2.0 for Windows 9x (discontinued) from here http://www.techtv.com/screensavers/darktips/story/0,24330,3602921,00.html and select download it redirects to here http://www.oxid.it/cain.html and then Avast says warning Virus( Win32:Trojan-gen. {VC}) is on your computer. So I checked the file with another virus scanner called AntiVir Personal Edition v 6.22xxx and it says cain20.exe Contains a signature of the (dangerous) backdoor program BDS/Cain.2.0 Backdoor server programs. I didn’t get a warning for the Win XP ver, just the Win 98 version. Maybe someone could try the site mentioned and see if Avast warns of virus. Maybe someone could send from chest because mine won’t send SMTP. Please advise.
I tried to send it from chest but get an error from SMTP mail problem. Seems I can never get that to work for a long time now. It used to work way back in an earlier version of Avast. I can use the SMTP email with Outlook Express but not with the Send from Chest option in Avast.
I use the 2.5 version (for Windows XP) of Cain & Abel, as it was referenced here. It was installed a few months ago, while I have been using Avast! Home 4 for almost one year now ;).
Avast! is always up-to-date (thanks to the automatic update feature), and the real-time shield is activated. But it had never detected this software as a trojan, except today since 0424-0 VPS file. I am aware of false positives with this signature file (I had the same problem with the WinRAR installer as another board member), but the updated 0424-1 VPS file keeps telling this software is Win32:Trojan-gen. {VC}.
Though I assume some part of the executable could be considered as a trojan because of its features, e.g. sniffing networking protocols, I ultimately doubt Avast! should claim this program actually is a trojan.
Thanks for your reading :). Keep up the good work.
This COULD be a false alarm… Only Avast is showing me a positive - but Avast is the best at finding deep down baddies I’ve been finding… I’ve checked it with Ewido (50,000+ Trojan Defs), Dr.Web (Best Heuristics), and Kaspersky (Best overall single engined detection) and finally Trend Micro (PC-cillin).
Kaspersky 5.0
Scanned file: cain20.exe
cain20.exe - archived by WiseSFX
cain20.exe/WISE0000.BIN - OK
cain20.exe/WISE0001.BIN - OK
cain20.exe/WISE0002.BIN - OK
cain20.exe/WISE0003.BIN - OK
cain20.exe/WISE0004.BIN - OK
cain20.exe/WISE0005.BIN - OK
cain20.exe/WISE0006.BIN - OK
cain20.exe/WISE0007.BIN - OK
cain20.exe/WISE0008.BIN - OK
cain20.exe/WISE0009.BIN - OK
cain20.exe/WISE0010.BIN - OK
cain20.exe/WISE0011.BIN - OK
cain20.exe/WISE0012.BIN - OK
cain20.exe/WISE0013.BIN - OK
cain20.exe/WISE0014.BIN - OK
cain20.exe/WISE0015.BIN - OK
cain20.exe/WISE0016.BIN - OK
cain20.exe/WISE0017.BIN - OK
cain20.exe/WISE0018.BIN - OK
cain20.exe/WISE0019.BIN - OK
cain20.exe/WISE0020.BIN - OK
cain20.exe/WISE0021.BIN - OK
cain20.exe/WISE0022.BIN - OK
cain20.exe/WISE0023.BIN - OK
cain20.exe/WISE0024.BIN - OK
cain20.exe/WISE0025.BIN - OK
cain20.exe/WISE0026.BIN - OK
cain20.exe - OK
Ewido Report:
Cain20.EXE = CLEAR
Trend Micro
Cain20.exe: Ok
I WILL do some further testing as well on it, because I’m aware of a loophole with most AV products where they cannot properly scan BIN files, while Avast does. ;D
Interesting thing to note so far on this one, is Avast brings up the alert if you even mouse over this in explorer directory.
However, if you drop it in a RAR archive, it doesn’t trip off, and even shell-extension right-click scan of the archive, doesn’t trigger the alert as well.
Anyone explain the reasoning as to why that might happen?
PS: Still investigating the file, but ran into this curious behavior.
Thanks for your reply :). But as stated by Kobra who kindly did nice testing, it seems that not so many programs consider it as a backdoor.
The point is the user knows what he installed while using this program (contrary, for instance, to Back Orifice variants whose server executables hide themselves).
I just didn't think Tech-TV would advise to download a progie that had a virus. I sort of figured Tech-TV had a rep to maintain.
If you didn't know, Kevin Rose was a former Hacker. His Dark tips often tell how to hack programs and things. Well, it comes as no surprise that some AV programs detect it as infected.
Well, the funny thing is (and I should have told it before) that I actually excluded the whole “C:\Program Files” directory, where this program was installed. The alert began with 0424-0 VPS file, in spite of this exclusion (I am using Avast! Home 4.1.396); so I uninstalled Cain & Abel 2.5b47 yesterday.
In the meantime, Avast! updated to 0424-2; I have just installed Cain & Abel 2.5b52 and removed the exclusion: it seems that it is no longer signaled as a trojan…
I am using the beta version with the latest update, but yesterday during boot time scan I got the following win32 virus:lovelorn(vbs)
The system halted during boot and I was only able to move it and do nothing else. What should I do about it? Is it harmful to keep it in the system?
I’ve sent this file out to a Virus/Trojan forensics lab, and they found that indeed, the Abel part of this product IS a Trojan, however the Cain part is now.
So yes, it’s properly flagged as a Trojan, and any AV that doesn’t pick it up should be picking it up.
Thanks for your work and your clear answer :). Neither Abel nor Cain is flagged as trojan anymore, though (i.e. since I updated this program - both of them were before). I have also updated Avast! to 4.1.412 and VPS to 0424-3.
Well that blows, because I’m told Abel is a Trojan by a Forensics friend. Also, I’ve now confirmed that with 3 other AV companies, and someone I trust to analyze, which is Kevin over at BOClean Anti-Trojan. He says it’s a trojan too.