Mistake with AsPack (?)

Hi Support!
Today I was alarmed by Avast (VPS 080208-0)
E:\Autorun.exe[ASPack] Win32:StartPage-552 [trj]
None of the other antivirus scanners pops up any alarms: neither DrWeb CureIt, nor AVZ, nor Sophos, nor Panda ActiveScan.
Now I’m confused!
Is it really infected or simply a mistake by Avast with AsPack?
Here is the file: http://download.yousendit.com/DA962E4559244B01
Can you check it and assure me?
Thank You!

Send the sample to virus@avast.com zipped and password protected, with the password in the email body. A link to this topic might help, with possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

If it is indeed a false positive, add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

Thank You! Now I’m sure that there is a bug in Avast Antivirus and it needs to be corrected!
Virustotal results:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.2.6.10 | 2008.02.05 | - |
| AntiVir | 7.6.0.62 | 2008.02.08 | - |
| Authentium | 4.93.8 | 2008.02.08 | - |
| Avast | 4.7.1098.0 | 2008.02.09 | Win32:StartPage-552 |
| AVG | 7.5.0.516 | 2008.02.09 | - |
| BitDefender | 7.2 | 2008.02.09 | - |
| CAT-QuickHeal | None | 2008.02.08 | - |
| ClamAV | 0.92 | 2008.02.09 | - |
| DrWeb | 4.44.0.09170 | 2008.02.09 | - |
| eSafe | 7.0.15.0 | 2008.01.28 | - |
| eTrust-Vet | 31.3.5522 | 2008.02.08 | - |
| Ewido | 4.0 | 2008.02.09 | - |
| FileAdvisor | 1 | 2008.02.09 | - |
| Fortinet | 3.14.0.0 | 2008.02.09 | - |
| F-Prot | 4.4.2.54 | 2008.02.08 | - |
| F-Secure | 6.70.13260.0 | 2008.02.09 | - |
| Ikarus | T3.1.1.20 | 2008.02.09 | Trojan-Downloader.Win32.Delf.AIY |
| Kaspersky | 7.0.0.125 | 2008.02.09 | - |
| McAfee | 5226 | 2008.02.08 | - |
| Microsoft | 1.3204 | 2008.02.09 | - |
| NOD32v2 | 2861 | 2008.02.09 | - |
| Norman | 5.80.02 | 2008.02.08 | - |
| Panda | 9.0.0.4 | 2008.02.09 | - |
| Prevx1 | V2 | 2008.02.09 | - |
| Rising | 20.29.22.00 | 2008.01.30 | - |
| Sophos | 4.26.0 | 2008.02.09 | - |
| Sunbelt | 2.2.907.0 | 2008.02.09 | - |
| Symantec | 10 | 2008.02.09 | - |
| TheHacke | 6.2.9.214 | 2008.02.09 | - |
| VBA32 | 3.12.6.0 | 2008.02.09 | - |
| VirusBuster | 4.3.26:9 | 2008.02.09 | - |
| Webwasher-Gateway | 6.6.2 | 2008.02.09 | - |

Additional information
File size: 241152 bytes
MD5: d8849cfa89f9c3e3cbf2684e98958346
SHA1: 611703840c2436a9c6c9f9a5a5425889069ac9fa
PEiD: ASPack v2.12 → Alexey Solodovnikov
packers: ASPack

Well, I am not that sure about it.
There is a code for start page hijacking in the executable.
What is E:\ anyway?

There is no mistake with AsPack (which is just a packer). The only mistake can be on the final extracted content, but judging by the detection and filename I just wouldn’t run the file assuming it’s just another false positive. Sometimes even avast! recognizes something that no others (or only a few) detect.

It’s my DVD drive

OK, as I see the only thing that it does is to change my IE homepage every time I’ve run it? But it is not harmful?
Anyway, I never use IE. Only Opera and FireFox from time to time.

It’s not a false positive (especially since you confirmed that it does indeed change the start page). That’s what you CAN see, there is probably more going on behind the pretty GUI…

Well based on your saying it changes your home/start page in IE, I would think the detection is good as I wouldn’t expect Autorun.exe to be changing your start page and the avast malware name would seem to be correct for what it does.


Indeed, nothing should change your start page in IE unless you give it permission to do so. That is, you actively make the decision to change the start page and not some unknown program making the decision for you.