false positive or irony "Win32:Tibs-AIB [Trj] in avast.int"?

4/6/2007 1:49:21 PM ed-admin 2176 Sign of “Win32:Tibs-AIB [Trj]” has been found in “C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int” file.

Strange… that file is VRDB from avast!

Anyway, it should be there, but to know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
If the file is too big, you can use the ftp server of avast to send the file. Upload it to ftp://ftp.avast.com/incoming (please note that you won’t have READ access to the ftp server, just write, so you won’t even be able to see what you’ve just uploaded).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button…

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

Guess it’s a false positive, sending to avast.
Complete scanning result of “avast.int”, received in VirusTotal at 04.07.2007, 03:25:29 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.4.7.0      04.06.2007  no virus found
AntiVir            7.3.1.48        04.06.2007  no virus found
Authentium         4.93.8          04.06.2007  no virus found
Avast              4.7.936.0       04.06.2007  Win32:Tibs-AIB
AVG                7.5.0.447       04.07.2007  no virus found
BitDefender        7.2             04.07.2007  no virus found
CAT-QuickHeal      9.00            04.06.2007  no virus found
ClamAV             devel-20070312  04.07.2007  no virus found
DrWeb              4.33            04.06.2007  no virus found
eSafe              7.0.15.0        04.06.2007  no virus found
eTrust-Vet         30.7.3549       04.06.2007  no virus found
Ewido              4.0             04.06.2007  no virus found
FileAdvisor        1               04.07.2007  no virus found
Fortinet           2.85.0.0        04.06.2007  no virus found
F-Prot             4.3.1.45        04.04.2007  no virus found
F-Secure           6.70.13030.0    04.06.2007  no virus found
Ikarus             T3.1.1.3        04.06.2007  no virus found
Kaspersky          4.0.2.24        04.07.2007  no virus found
McAfee             5003            04.06.2007  no virus found
Microsoft          1.2405          04.06.2007  no virus found
NOD32v2            2171            04.06.2007  no virus found
Norman             5.80.02         04.05.2007  no virus found
Panda              9.0.0.4         04.06.2007  no virus found
Prevx1             V2              04.07.2007  no virus found
Sophos             4.16.0          04.06.2007  no virus found
Sunbelt            2.2.907.0       04.07.2007  no virus found
Symantec           10              04.07.2007  no virus found
TheHacker          6.1.6.085       04.04.2007  no virus found
VBA32              3.11.3          04.06.2007  no virus found
VirusBuster        4.3.7:9         04.06.2007  no virus found
Webwasher-Gateway  6.0.1           04.06.2007  no virus found

Additional Information
File size: 8145968 bytes
MD5: 6718ba881a4aafec320494186b618316
SHA1: bd600313eccf391d8d8fc81e9f0f2714f11db077
packers: exefile

That is a bit strange; the VRDB integ\avast.int is unique to every installation because it depends on what files are on your system and included in the VRDB scan.

All I can think of is perhaps there was an exe or dll file that was infected but the VPS signatures didn’t detect it at that time, and elements of the file being used somehow matched a new signature. I believe you could delete the avast.int file and when you do a manual VRDB Generate a new file would be created. But it would be safer to rename the file to, say, avast-int.old and then do a manual VRDB Generate now; that way it could at some point be sent to avast, as I think they would be interested in it.

I just scanned mine and no detection.

New avast.int seems clean. (Old one sent to avast as false positive before I read your message, DavidR.)

Thanks for the feedback. It is very strange that avast.int is detected, since it is avast that compiles it. I’m sure the avast team will be interested in this very strange occurrence.

Anyway, good that you have resolved the problem.

I would like to see an official word about this…
The strangest thing is that I thought the VRDB file was encrypted to avoid any ‘infection’…
Why is the VRDB being detected as infected? Could it be an infected file added to it? If I remember correctly, Igor said the files are scanned BEFORE being added to VRDB, so…

I think it is nothing more than a coincidence that a string within the VRDB matched a signature and it happened during the compilation of the avast.int file after or during a VRDB generation.

I’m not sure about an infected file being added to it; I believe one of the team mentioned that files were scanned before being included in the VRDB, and also, as the complete file isn’t included, I can’t see how it might be infected.

As I mentioned before, malware not previously detected may be detected after a VPS update, so that would allow some infected file past any scan prior to the VRDB generation; but that brings us back to the fact that the complete file isn’t included, just the information needed to be able to effect a repair.

All in all very strange.

This is the reason I’ve asked some ‘official’ answer here…

It might happen if:

  • the file is added to VRDB before avast! detects it
  • the detection is added later
  • the signature for the detection is chosen at the very small part stored in VRDB

It’s not very likely, of course, but yes, it might happen…
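The three conditions in the post above, modelled as an added example (my code, not avast’s, and not part of this thread). It assumes a toy repair database that keeps only the leading slice of each file plus a hash, and byte-pattern signatures matched by plain substring search; the sample "files" and signature sets are constructed for the demo. Files are scanned with the signatures current at generation time, then the database is rescanned after a new signature appears, and the example also shows the case where the new signature lands outside the stored slice (file flagged, database clean) and the thread's workaround of regenerating the database.

```python
"""Toy model: a repair database that stores only part of each file can
trip a signature added after the file went in.  Added example, not avast
code; VRDB's real format and signature engine are not modelled."""
from __future__ import annotations

import hashlib

FRAGMENT_LEN = 64  # bytes of each file kept in the toy database (assumption)


def scan_bytes(data: bytes, signatures: dict[str, bytes]) -> list[str]:
    """Names of all signatures whose byte pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def build_store(files: dict[str, bytes], signatures: dict[str, bytes]) -> dict[str, dict]:
    """Generate the database: each file is scanned with the signatures known
    *now*; only files that are clean at that moment are added, and only a
    leading slice plus a hash of each is kept, never the whole file."""
    store: dict[str, dict] = {}
    for name, data in files.items():
        if scan_bytes(data, signatures):
            continue  # detected at generation time -> never enters the store
        store[name] = {
            "fragment": data[:FRAGMENT_LEN],
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
        }
    return store


def serialize_store(store: dict[str, dict]) -> bytes:
    """Flatten the store into the single on-disk blob an on-access scanner sees."""
    return b"".join(entry["fragment"] for entry in store.values())


def scan_store(store: dict[str, dict], signatures: dict[str, bytes]) -> list[str]:
    """Scan the whole database file, as the resident shield would."""
    return scan_bytes(serialize_store(store), signatures)


def entries_hit(store: dict[str, dict], signatures: dict[str, bytes]) -> dict[str, list[str]]:
    """Which stored fragments (and so which original files) caused the hit."""
    return {name: hits for name, entry in store.items()
            if (hits := scan_bytes(entry["fragment"], signatures))}


# Constructed sample "files" (not real binaries): one clean, one whose
# malicious marker sits inside the stored slice, one whose marker sits
# past the slice and so never reaches the database.
SAMPLE_FILES = {
    "notepad.exe": b"MZ" + b"\x00" * 30 + b"This program cannot be run in DOS mode" + b"\x90" * 200,
    "dropper.exe": b"MZ" + b"\x00" * 14 + b"TIBS-LOADER-STUB" + b"\x00" * 200,
    "late.exe":    b"MZ" + b"\x00" * 100 + b"TIBS-LOADER-STUB" + b"\x00" * 100,
}

# Constructed signature sets: the second update adds a pattern the first lacked.
SIGS_BEFORE_UPDATE = {"Win32:Demo-A": b"OLD-KNOWN-BAD"}
SIGS_AFTER_UPDATE = {**SIGS_BEFORE_UPDATE, "Win32:Demo-B": b"TIBS-LOADER-STUB"}


def demo() -> dict:
    # 1. database generated while nothing is detected: all three files go in
    store = build_store(SAMPLE_FILES, SIGS_BEFORE_UPDATE)
    result = {
        "stored": sorted(store),
        "store_hits_before_update": scan_store(store, SIGS_BEFORE_UPDATE),
        # 2. signature added later, 3. chosen on bytes that lie in the stored slice
        "store_hits_after_update": scan_store(store, SIGS_AFTER_UPDATE),
        "culprits": entries_hit(store, SIGS_AFTER_UPDATE),
        # late.exe is flagged as a file but its marker is outside the slice
        "files_flagged_after_update": sorted(
            n for n, d in SAMPLE_FILES.items() if scan_bytes(d, SIGS_AFTER_UPDATE)),
    }
    # the thread's workaround: regenerate with the current signatures
    rebuilt = build_store(SAMPLE_FILES, SIGS_AFTER_UPDATE)
    result["rebuilt_stored"] = sorted(rebuilt)
    result["rebuilt_hits"] = scan_store(rebuilt, SIGS_AFTER_UPDATE)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`entries_hit` is the part a practitioner actually wants: when the database file is flagged, scanning each stored fragment separately points at the original file whose slice matched, which is what you would submit alongside the database. `late.exe` shows the flip side: a file the updated scanner detects does not necessarily make the database detectable, because only the stored bytes can match.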

The original poster, treker96mk2, has submitted the file; it would be interesting to see what you discover.

Mystery solved 8)