False Positive: Win32: Trojan-gen {Other} (Virus/Worm)

Since about a day and a half ago, Avast! has started giving false positives for compiled AutoIt scripts.
I wrote a one-line script with the code Sleep(5000), causing the script to do nothing but wait for five seconds, then quit. Even this comes up with the “A Virus Was Found!” prompt.
The compiled version of this script was submitted to VirusTotal (which, by the way, uses an older version of Avast! than I do):
http://www.virustotal.com/sv/analisis/f62b5aeb1e77d4ccdef8331d8169a966

Only 2 scanners detect this file. With F-Secure saying Suspicious, it’s more likely prone to FPs. GData uses two engines, one of which is avast!.

Send file in a password-protected zip folder to virus@avast.com with False Positive in subject and the password mentioned in the email body.

Done and done. But I can’t keep submitting files to Avast!. Not only because it will be lots of files; I cannot send .exe files from GMail (not even if put in a PW-protected archive that is then once again put in a PW-protected zip); and I also do job-related work that I cannot share.

Everything worked fine up until this Thursday.

Sorry, but we need a sample to remove this problem. The Sleep(5000) FP file would do.

Yes, and I have mailed an .exe file, albeit I had to change the ending before packing, since GMail won’t accept files with an .exe ending.

If you have the latest version 4.8.1282, only just released, the submission process should be easier.

If you have a copy in the chest you could submit from there (right click on it, email to Alwil; the new process actually uploads via HTTP on the next auto/manual update), no need to zip or change the file type.

Well, it seems everything is working the same way as before Thursday (that is: fine). Thanks for all help.

You’re welcome, I can only assume yourself or someone sent a sample for analysis and correction of the VPS. avast are usually quick to correct if a FP is identified.

Hi, I’m new. I don’t think I’m hijacking this thread because my problem does relate to Win32:Trojan-gen. I didn’t want to open another thread for nothing, but if I need to please let me know and I will. I installed avast today and when I restarted my computer and it did a scan while booting it said that I have Win32:Trojan-gen {Other}. I moved it to the chest. When I checked the chest it says the original location is c:\Program Files\Alwil Software\Avast4\DATA\moved. Do you have any suggestions as to what I can do? Is this a false positive? Should I try deleting the file? Thank you in advance.

Well the trojan-gen covers a multitude of sins as it is a generic signature so the malware could be totally different.

What is the infected file name?

However, the location you give is strange for a first installation as this is normally associated with a previously detected file and you elected to move/rename the file. That is normally the only way it would end up in the avast4\data\moved folder.

So normally this would indicate an old detection; did you do a boot-time scan after the install and did avast find something?

Now it is where it should have been in the first detection, in the chest where it can do no harm.

Deletion is never a good option; you simply have no options left, especially when in the same breath you mention ‘could this be a false positive.’ So the last thing you would want to do is delete something if there is the remotest possibility it is an FP. But you need to confirm that, which can only be done by analysis/scan, and if you deleted it you couldn’t do that. I hope you are getting the picture that deletion isn’t a good option.

Heya David,

When I first installed Avast, yes, it did a scan during boot and it did find something. Don’t worry, I’m not hasty to delete lol. I read the forums here before I even remotely thought of doing anything, especially since I have such little knowledge of how to handle this stuff myself. Since I last posted Avast has now found a JS:Agent-CV [trj] and Win95:CIH-1106 in C:\Users\Gus(that’s me)\AppData\Local\Temp. I have a few questions. How serious is this? Would it be solved more easily if I just formatted the computer? And is this the kind of virus/trojan, whatever it is, that steals info like ebay info etc.?

Sorry for the 50 questions, just curious as to how this thing works.

Sorry, I can’t even hazard a guess as to how serious this is. I will say one thing: a format is an extreme measure of last resort, which I doubt is remotely likely.

You keep mentioning the malware name and its location, which is great, but leave out probably the most important part, the actual file name, which I asked for in my last post.

Try a search on google for the malware name and you are likely to find very little, as there is no standard naming convention, so you end up with lots of aliases. Now try the same search based on the infected file name and you get more specific information, and you will also see many of the different aliases.

What is your OS and firewall?

Sorry about that. The first file name is svchost.exe.vir and the latest files to get infected are 00000105 and 00000219.

My OS is Vista Home Premium and I’m just using the firewall that comes with it. I was using the free Zone Alarm firewall before, but somebody told me it’s rubbish.

The svchost.exe.vir (.vir suffix) indicates that you sent this to the moved folder using avast’s Move/Rename option (not move to chest); the .vir suffix is what avast tags on the end of the file to rename it.

The numeric file names look like your average junk/malware names, so considering their original location (Temp) they are no loss even if the detection was incorrect. They are in the chest out of harm’s way; I wouldn’t worry about them further. Wait three weeks, scan them within the chest, and if still detected delete them then.

I think they are right about ZA; I don’t rate it either and nor do some firewall test sites, but it has an advantage over the Vista firewall: it has limited outbound protection. By default the Vista firewall’s outbound protection is disabled. You can enable it (don’t ask, I don’t use Vista ;D) but even then it is rules based and you have to create the rules, so not very friendly.

Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite, not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware, On-Demand only in free version.
  2. MalwareBytes Anti-Malware, On-Demand only in free version, http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe; right click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.

I’ll try what you said right now.

OK let us know the results.

I scanned with both programs in safe mode. SuperAnti-spyware didn’t find anything but Malwarebytes did. Here’s the log file:

Malwarebytes’ Anti-Malware 1.30
Database version: 1306
Windows 6.0.6000

11/17/2008 6:30:39 PM
mbam-log-2008-11-17 (18-30-26).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 124164
Time elapsed: 16 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) → No action taken.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) → No action taken.
C:\RECYCLER\crack_3.exe (Heuristics.Malware) → No action taken.
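A Malwarebytes log in the layout shown above can be triaged mechanically. The following is an added example (not the forum’s or Malwarebytes’ own code) that pulls each detection out of such a log, cross-checks the summary counts against the listed items, and flags the entries still marked “No action taken”; the embedded log excerpt is constructed from the posted one, with one action changed so the filter has something to distinguish.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the posted log (one action altered on purpose).
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.30
Database version: 1306

Registry Keys Infected: 0
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Folders Infected:
C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.

Files Infected:
C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\Desktop.ini (Trojan.Agent) -> No action taken.
C:\\RECYCLER\\crack_3.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(.+ Infected):\s*(\d+)\s*$")      # summary line with a count
SECTION_RE = re.compile(r"^(.+ Infected):\s*$")            # header of a detail section
# "<path> (<detection name>) -> <action>."; accepts the ASCII arrow and the "→" seen in pasted logs
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\)\s*(?:->|→)\s*(?P<action>.+?)\.?\s*$")

def summary_counts(text):
    """Map each 'X Infected: N' summary line to its integer count."""
    matches = (COUNT_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def parse_mbam_log(text):
    """Return one dict (section, path, name, action) per detection listed in the detail sections."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("("):   # preamble, or "(No malicious items detected)"
            continue
        item = ITEM_RE.match(line)
        if item:
            items.append({"section": section, **item.groupdict()})
    return items

def counts_match(text):
    """True when the summary counts agree with the number of items actually listed."""
    parsed = Counter(i["section"] for i in parse_mbam_log(text))
    return all(parsed.get(sec, 0) == n for sec, n in summary_counts(text).items())

def pending_items(items):
    """Detections the scan only reported; a second run is needed before they are removed."""
    return [i for i in items if i["action"].lower().startswith("no action taken")]
```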

Run it again and allow the detections to be selected (by default they are) and click Remove Selected; that makes a copy in the quarantine and deletes the original.

All this is in one of your recycle bins. The last is perhaps of note: cracks are very high risk files. Outside of any legal or moral issue of using cracks, they frequently come with uninvited guests; after all, who are you going to complain to if you happen to get infected using a crack?

So you just want me to run the scan again and tell it to remove all 3 things, basically, yeah lol?

Yes, that’s about it, as your report has “No action taken” since that is only generated after the scan is complete. You have to run it again to be able to remove them. They appear to be good detections, and considering their location, Recycler (trash can), they are of little value even assuming it was not a good detection, so it’s a no-lose scenario.