False positive of Trojan _IS_NSM.ex_ part of Now Software installer

Hello all:

I ran a scan with Avast! Home 4.8.1229. It detected what it identified as a Win32:Spyware-gen [trj] Trojan Horse, IS_NSM.ex, in an installer file “Install NUDC-W 4.5.2.exe”.

I have had this installer file for many years, and it has been scanned by many virus/malware scanners and this is the first time any scanner has identified it as containing a trojan.

The installer package is available from http://www.siteadvisor.com/sites/nowsoftware.com/downloads/10823856/ and that site declares that the package was scanned by McAfee SiteAdvisor and is safe: “In our tests, this download was free of adware, spyware and other potentially unwanted programs”. It says that IS_NSM.ex is a file system modification done by the installer:
ADD c:\WINDOWS\Temp\Install NUDC-W 4.5.2_IS_NSM.ex_

So, it seems that this is a false positive by Avast.

Upload it to VirusTotal and post the results.

VirusTotal results:

File Install_NUDC-W_4.5.2.exe received on 05.18.2008 19:20:29 (CET)
Current status: finished

Result: 5/32 (15.62%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - Suspicious Archive Structure
eTrust-Vet - - -
Ewido - - -
F-Prot - - File is damaged
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - Malicious Software
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Spy.Gen

I’m assuming the avast detection was win32:trojan-gen?
If so, that too is a generic signature and, like those heuristic (suspicious) or .gen detections in VT, is more prone to FP.

You should submit the sample as a possible false positive; see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude it until the problem is corrected.

Avast reported it as:
Win32:Spyware-gen [trj]
Trojan Horse

I’ve done as you suggested: I e-mailed virus@avast.com telling them about the false positive and providing them a link to download the zipped installer archive.

Yes, the -gen at the end of the malware name indicates a generic signature; it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.
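
Added example, not part of the original thread: a small triage helper that sorts multi-engine scan results like the VirusTotal table above into generic, heuristic, scan-error and named-family labels, which is the distinction the replies draw when judging a possible false positive. The regex rules and category names are assumptions made for this example, not any vendor's official naming scheme, and the sample rows are constructed from the results quoted in the thread.

```python
import re

# Constructed sample: the non-clean rows of the VirusTotal table in this thread,
# one clean row, and the avast! name the original poster reported locally.
SAMPLE = """\
eSafe - - Suspicious Archive Structure
F-Prot - - File is damaged
Panda - - Suspicious file
Prevx1 - - Malicious Software
Webwasher-Gateway - - Trojan.Spy.Gen
Kaspersky - - -
Avast - - Win32:Spyware-gen [trj]
"""

# Assumed heuristics for this example, not any vendor's official naming rules.
SCAN_ERROR = re.compile(r"\b(damaged|corrupt\w*)\b", re.I)   # engine could not parse the file
GENERIC = re.compile(r"(?:^|[-.:/\s])gen(?:eric)?\b", re.I)  # -gen, .Gen, Generic
HEURISTIC = re.compile(r"\b(suspicious|heur\w*|malicious software)\b", re.I)

def classify(label):
    """Map one engine's result string to a triage category."""
    if label is None:
        return "clean"
    if SCAN_ERROR.search(label):
        return "scan-error"
    if GENERIC.search(label):
        return "generic"
    if HEURISTIC.search(label):
        return "heuristic"
    return "specific"  # names a family or variant

def triage(text):
    """Parse 'Engine Version LastUpdate Result' rows into {engine: category}."""
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed rows
        engine, _version, _updated, label = parts
        label = label.strip()
        result[engine] = classify(None if label == "-" else label)
    return result

def named_family_hits(result):
    """Engines whose label names a concrete family; none suggests an FP candidate."""
    return sorted(e for e, cat in result.items() if cat == "specific")

if __name__ == "__main__":
    for engine, category in triage(SAMPLE).items():
        print(f"{engine:20} {category}")
```

When no engine returns a named-family label, as with the rows above, the result is consistent with a false-positive candidate and the sample is worth submitting to the vendor for review rather than treating the verdict as settled.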