Avast! is picking up on the sbautoupdate.exe [SpywareBlaster's auto-update]

as Win32:Trojan-Gen (Other) [Virus/Worm]

Avast 4.8.1201, database version 080626-0
SpywareBlaster 4.1

I assume this will be confirmed as a false positive. I also assume this file is common-enough that many of you have it on your machine, to confirm my findings.

Unfortunately, it seems that other anti-viruses are likewise picking up on this file…
just recently, AVG “found” it… and later, upon confirming their F/P, updated their detection database. Nevertheless, more companies are picking it up, as I indicate below.


VirusTotal confirms the following two correct checksums:

MD5: 5d0e5821eb35cda9c320c1bdf1a4b695
SHA1: 62b09b3503c05a3cc853bb8bdfcc8292fd200e53


VirusTotal results: 26 companies believe it’s clean, but 7 say it’s infected:

Avast Win32:Trojan-gen {Other}

CAT-QuickHeal (Suspicious) - DNAScan

F-Secure W32/Malware

GData Win32:Trojan-gen

Norman W32/Malware

Panda Suspicious file

Webwasher-Gateway Virus.Win32.FileInfector.gen!94 (suspicious)

Confirmed … same here … though in my last weekly scan on 6/21 avast did not report this.

No doubt they will fix it quickly. I am a bit surprised at false positives like this one and the recent Yahoo home page … that can be noticed by such a large proportion of the avast community getting by the “let’s not shoot ourselves” test.

Ditto…

Likewise, avast is picking mine too. Raised an eyebrow when I read what the alert was about.

As usual, please submit the FP file to virus at avast.com

I have the same thing as you all have. It appears that this maybe a false positive.

Update: False positive emailed.

kubecj,

please advise us if you are unaware of how to download the latest version of an incredibly well known product like Spywareblaster and we can point you at the site … if you need to know the Yahoo home page url we can provide that too.

If you need some help with quality control testing … let us know too.

Yes, I am being critical … and yes, I know guys are being responsive to the false positives … but I hope you can also try to find a way to avoid some of the more obvious FP’s that hit so many avast users.

This is not about the ability to download anything. There are about a zillion software packages, each in multiple versions. We simply can't have all of them in the cleanset for testing. So the most effective and foolproof FP removal happens when we get the exact file.

Regarding what is well known and what is not, that depends on the point of view.

Well it depends more on numbers than a point of view. “zillions of software packages” is a total red herring and you know it.

I suspect there are just about as many users of the Yahoo home page on the planet as avast users though the two groups may not be coincident. I also suspect that the number of users of the up to date Spywareblaster is a significant subset of avast users.

Only you can decide how many such false positives you believe your users are willing to live with and how many is too much bad news for your product’s reputation.

I think you get my point.

These F/P's have been corrected with the release of avast database update 080626-1.

Hi ky331,

I too was flagged by avast for win32.Trojan-Gen (other) where C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE was concerned. I read this posting here, then loaded the latest iAVS update, and the file was no longer flagged. Then I scanned SBAUTOUPDATE.EXE at virustotal and there were more products flagging it (I suppose it is a false positive):
Antivirus Version Last Update Result
AhnLab-V3 2008.6.26.0 2008.06.26 -
AntiVir 7.8.0.59 2008.06.26 -
Authentium 5.1.0.4 2008.06.25 -
Avast 4.8.1195.0 2008.06.26 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.06.25 -
BitDefender 7.2 2008.06.26 -
CAT-QuickHeal 9.50 2008.06.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.06.26 -
DrWeb 4.44.0.09170 2008.06.26 -
eSafe 7.0.17.0 2008.06.25 -
eTrust-Vet 31.6.5907 2008.06.26 -
Ewido 4.0 2008.06.26 -
F-Prot 4.4.4.56 2008.06.25 -
F-Secure 7.60.13501.0 2008.06.24 W32/Malware
Fortinet 3.14.0.0 2008.06.26 -
GData 2.0.7306.1023 2008.06.26 -
Ikarus T3.1.1.26.0 2008.06.26 -
Kaspersky 7.0.0.125 2008.06.26 -
McAfee 5325 2008.06.25 -
Microsoft 1.3704 2008.06.26 -
NOD32v2 3221 2008.06.26 -
Norman 5.80.02 2008.06.26 W32/Malware
Panda 9.0.0.4 2008.06.26 Suspicious file
Prevx1 V2 2008.06.26 -
Rising 20.50.32.00 2008.06.26 -
Sophos 4.30.0 2008.06.26 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.26 -
TheHacker 6.2.92.362 2008.06.26 -
TrendMicro 8.700.0.1004 2008.06.26 -
VBA32 3.12.6.8 2008.06.26 -
VirusBuster 4.5.11.0 2008.06.23 -
Webwasher-Gateway 6.6.2 2008.06.26 Virus.Win32.FileInfector.gen!94 (suspicious)
Additional information
File size: 906792 bytes
MD5: 5d0e5821eb35cda9c320c1bdf1a4b695
SHA1: 62b09b3503c05a3cc853bb8bdfcc8292fd200e53
SHA256: 180ece47a119f3dd9f326db499efda2754d8b7dd0a0f6d2e39056f1279f2e9b3
SHA512: 3fc276cabf3423c18597d17eac56caff91997265228fa5911e23568de0646a02bf87d9cbeb80ce97f0279a83497faf41a3adf7e9c647cfdff9440c94b84a3aa1
PEiD: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4b22a2
timedatestamp: 0x484f34cd (Wed Jun 11 02:13:33 2008)
machinetype: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x73d9c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x75000 0x47a4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.text1 0x7a000 0x50000 0x42000 6.43 5f5d36467069a9dfd292a8ad02089509
.adata 0xca000 0x10000 0xd000 0.00 938d6d97628275a512e07c66be5ccecf
.data1 0xda000 0x20000 0xb000 3.74 29c52db44c2d4ccc06650ba03bf8f3cf
.pdata 0xfa000 0x80000 0x7a000 7.99 2e99ba169be4ee78b8a03d3fe4170575
.rsrc 0x17a000 0x7000 0x7000 4.99 f3eb782f672007721aa8ebf9145802fa

( 3 imports )

KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, CreateProcessA, GetCommandLineA, GetStartupInfoA, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, GetCurrentThreadId, CreateFileA, FindClose, FindFirstFileA, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, UnmapViewOfFile, ContinueDebugEvent, SetThreadContext, GetThreadContext, WaitForDebugEvent, SuspendThread, DebugActiveProcess, ResumeThread, CreateProcessW, GetCommandLineW, GetStartupInfoW, CloseHandle, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, VirtualProtectEx, WriteProcessMemory, ExitProcess, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, HeapSize, HeapReAlloc, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, RtlUnwind, DeleteCriticalSection, GetStdHandle, WriteFile, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, MapViewOfFile, GetShortPathNameA, GetSystemTimeAsFileTime, HeapFree, HeapAlloc, GetProcessHeap, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage
USER32.dll: GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, GetSystemMetrics, SetTimer, GetAsyncKeyState, KillTimer, BeginPaint, EndPaint, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, LoadStringW, FindWindowA, WaitForInputIdle, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW, PostMessageA, IsWindow, DestroyWindow
GDI32.dll: CreateDCA, CreateDIBitmap, CreateCompatibleDC, SelectObject, SelectPalette, RealizePalette, BitBlt, DeleteDC, DeleteObject, CreatePalette

( 0 exports )
Norman Sandbox: [ General information ]

  • IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
  • File length: 906792 bytes.

[ Process/window information ]

  • Creates process "sample.exe".
  • Reads memory in process sample.exe.
  • Modifies memory in process sample.exe.
  • Modifies startup code of process sample.exe.

packers (Kaspersky): Armadillo

Weird, like to hear an explanation from the other forum members?

polonus
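As an added example (not from this post, VirusTotal or Norman), the section table, entry point and a few KERNEL32 import names quoted above are run through generic packer heuristics of the kind behind "Trojan-gen" / "Suspicious" verdicts; the image base and the choice of "self-debugging loader" APIs are assumptions of mine. It shows what in this Armadillo-protected file trips those heuristics even though the file is clean.

```python
import hashlib

# Constructed sample input: the section table, entry point and a few KERNEL32
# import names copied from the VirusTotal PEInfo report quoted in the post above.
SECTION_TABLE = """\
.text 0x1000 0x73d9c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x75000 0x47a4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.text1 0x7a000 0x50000 0x42000 6.43 5f5d36467069a9dfd292a8ad02089509
.adata 0xca000 0x10000 0xd000 0.00 938d6d97628275a512e07c66be5ccecf
.data1 0xda000 0x20000 0xb000 3.74 29c52db44c2d4ccc06650ba03bf8f3cf
.pdata 0xfa000 0x80000 0x7a000 7.99 2e99ba169be4ee78b8a03d3fe4170575
.rsrc 0x17a000 0x7000 0x7000 4.99 f3eb782f672007721aa8ebf9145802fa
"""
IMPORTS = {"CreateProcessA", "DebugActiveProcess", "WaitForDebugEvent", "ContinueDebugEvent",
           "ReadProcessMemory", "WriteProcessMemory", "SetThreadContext", "IsDebuggerPresent"}
ENTRY_POINT = 0x4b22a2
IMAGE_BASE = 0x400000  # assumption: the report gives no base; 0x400000 is the usual one for an EXE

# APIs needed to start a child process under your own debugger and patch it, which is
# what the Norman sandbox lines ("creates/modifies startup code of sample.exe") observed.
DEBUG_LOADER_APIS = {"CreateProcessA", "DebugActiveProcess", "WaitForDebugEvent",
                     "ContinueDebugEvent", "WriteProcessMemory", "SetThreadContext"}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # what VirusTotal prints for a 0-byte section


def parse_sections(table):
    """One dict per 'name viradd virsiz rawdsiz ntrpy md5' row, hex fields as ints."""
    rows = []
    for line in table.splitlines():
        name, vaddr, vsize, rawsize, entropy, md5 = line.split()
        rows.append({"name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
                     "rawsize": int(rawsize, 16), "entropy": float(entropy), "md5": md5})
    return rows


def packer_indicators(sections, imports, entry_point, image_base):
    """Reasons a generic/heuristic signature would call this layout 'suspicious'."""
    reasons = []
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["md5"] == EMPTY_MD5:
            reasons.append(f"{s['name']}: empty on disk, {s['vsize']:#x} bytes reserved for runtime unpacking")
        if s["entropy"] >= 7.0:
            reasons.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted payload)")
    rva = entry_point - image_base
    ep = next((s for s in sections if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]), None)
    if ep is not None and ep["name"] != sections[0]["name"]:
        reasons.append(f"entry point {entry_point:#x} is in {ep['name']}, not in {sections[0]['name']}")
    if DEBUG_LOADER_APIS <= imports:
        reasons.append("imports the full self-debugging loader set: " + ", ".join(sorted(DEBUG_LOADER_APIS)))
    return reasons
```

Calling `packer_indicators(parse_sections(SECTION_TABLE), IMPORTS, ENTRY_POINT, IMAGE_BASE)` on this input gives five reasons; none of them is evidence of malice, which is exactly why such verdicts need the real file in the vendor's cleanset, as kubecj says above.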

I manually updated VPS, too. The FP is gone.

Same, FP gone here as well.

Thank you Avast, 080626-1 solved the F/P for me, too.

My thanks too to kubecj and the rest of the avast team for the speedy correction of this false positive.