New more gen?

VPS 0520-3, 19.05.2005
Win32:Adan-057 [Adw], Win32:Adware-gen. [Adw], Win32:Bancos-AU [Trj], Win32:Bancos-AV [Trj], Win32:Bancos-AW [Trj], Win32:Bancos-AX [Trj], Win32:Bancos-AY [Trj], Win32:Banker-CB [Trj], Win32:Dialer-367 [Trj], Win32:Dialer-368 [Trj], Win32:Dialer-gen. [Trj], Win32:Femad [Trj], Win32:FunWeb [Adw], Win32:Inservice-L [Trj], Win32:Inservice-M [Trj], Win32:Inservice-N [Trj], Win32:Inservice-O [Trj], Win32:IstDnldr-AE [Trj], Win32:Kelvir-S [Wrm], Win32:Lancontrol [Trj], Win32:Lancontrol-2 [Trj], Win32:Lancontrol-3 [Trj], Win32:MvgCons [Trj], Win32:Mytob-CI [Wrm], Win32:Rbot-VC [Trj], Win32:Rbot-VD [Trj], Win32:Robobot-G [Trj], Win32:Shelp [Wrm], Win32:Shelp-B [Wrm], Win32:Small-M [Trj], Win32:Spyware-gen. [Trj], Win32:Swizzor-N [Trj], Win32:Swizzor-O [Trj], Win32:Swizzor-P [Trj], Win32:Trojan-gen. {Rar!}, Win32:Trojano-1318 [Trj], Win32:Trojano-1344 [Trj], Win32:Trojano-1345 [Trj], Win32:Trojano-1346 [Trj], Win32:Trojano-1347 [Trj], Win32:Trojano-1349 [Trj], Win32:Vidlo-F [Trj]

I see Win32:Adware-gen. [Adw], Win32:Dialer-gen. [Trj] & Win32:Spyware-gen. [Trj] in this new VPS release. Does this mean that avast will detect more adware, dialers & spyware using its generic detection like Trojan-gen did?
Can I say that avast generic is like a heuristic?

Actually Trojan-gen are not generic signatures :cry:
I doubt that these are. But only Alwil guys can tell us more.
But it would be really nice to see true generic matches.

Can someone from Alwil explain something here…

Trojan-gen are generically created signatures (by robot, if I understood Karel correctly).
Adware-gen falls in the same group, only that it’s created as an Adware signature.
But I have seen a SpyBot-Gen signature too. Now I assume this one is indeed a generic signature. Or just another generically made signature for the SpyBot class only?
Just very curious, because in the past there was lots of talking about generic detection which I have never seen (apart from Trojan-gen and that mysterious SpyBot-Gen).
For example, Kaspersky detects loads of Rbots with Rbot-gen and IstBar.gen for IstBar spyware. Same for McAfee which generically detects even sub-groups (like Mytob.gen).
If we won’t see any heuristics, is it possible to use generic signatures to fill the gap?
Thanks
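To make the distinction in the posts above concrete, here is an added example (not avast's engine or anyone's real signature database) that contrasts a specific signature, lifted verbatim from one sample, with a family-level generic signature that wildcards the bytes which vary between variants. The samples, the `Example-Specific-A` / `Example-Family-gen` names and the ClamAV-style `??` hex notation are all constructed for illustration.

```python
"""Specific vs. generic byte signatures over constructed sample files.

A "specific" signature is an exact byte string taken from one sample; a
"generic" (family) signature keeps only the bytes shared by all known
variants and wildcards the rest, so it also hits variants that were not
seen when the signature was written.  Samples and signatures below are
constructed for this example; none come from a real engine.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

# Constructed "samples": a shared stub, a per-variant 4-byte build id,
# a shared call sequence, then a variant-specific tail.
FAMILY_STUB = b"\x55\x8b\xec\x83"
SHARED_CALL = b"\xe8\x00\x00\x00\x00\x5d\xc3"
VARIANT_A = FAMILY_STUB + b"\x01\x02\x03\x04" + SHARED_CALL + b"AAAA"
VARIANT_B = FAMILY_STUB + b"\x09\x08\x07\x06" + SHARED_CALL + b"BBBB"
UNRELATED = b"MZ" + b"\x90" * 20 + b"\x5d\xc3"

# Specific signature: the first 15 bytes of VARIANT_A, build id included.
SPECIFIC_SIG = VARIANT_A[:15]

# Generic signature in a ClamAV-like hex notation; "??" is a one-byte wildcard
# covering the build id, so any variant with the same stub and call matches.
GENERIC_SIG = "558bec83" + "????????" + "e8000000005dc3"


def compile_hex_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn 'aabb??cc' into a bytes regex where '??' matches any single byte."""
    if len(sig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, name: str,
         sig: Union[bytes, "re.Pattern[bytes]"]) -> Optional[Tuple[str, int]]:
    """Return (signature name, offset) if `sig` occurs in `data`, else None."""
    if isinstance(sig, bytes):
        off = data.find(sig)
        return (name, off) if off >= 0 else None
    m = sig.search(data)
    return (name, m.start()) if m else None


SIGNATURES = {
    "Example-Specific-A": SPECIFIC_SIG,
    "Example-Family-gen": compile_hex_signature(GENERIC_SIG),
}
SAMPLES = {
    "variant_a.bin": VARIANT_A,
    "variant_b.bin": VARIANT_B,
    "unrelated.bin": UNRELATED,
}


def scan_all(samples: Dict[str, bytes] = SAMPLES,
             signatures=SIGNATURES) -> Dict[str, List[str]]:
    """Map each sample name to the names of the signatures that hit it."""
    return {
        fname: [name for name, sig in signatures.items() if scan(data, name, sig)]
        for fname, data in samples.items()
    }


if __name__ == "__main__":
    for fname, hits in scan_all().items():
        print(f"{fname}: {', '.join(hits) if hits else 'clean'}")
```

The specific signature only fires on the sample it was cut from; the wildcarded one fires on both family members and stays silent on the unrelated file, which is the difference between a robot-generated per-sample signature and a true family signature of the Rbot-gen kind mentioned above.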

Interesting… I think a big part of NOD32’s heuristics success is generic detection as well (able to detect all variants without a signature)…

As far as I know, NOD32 doesn’t use generic signatures. I have only seen them for IstBar and some Rbot variants. The other part is heuristics and not a generic engine.

In the VPS 0530-3, 29.07.2005, I found this virus in the list: Win32
What is this virus? Another type of generic? Or maybe a typo?
When I go to the Jotti page, sometimes I can see ArcaVir also detects it as Win32.

ArcaVir “Win32” is a heuristic detection of a Win32 malware. That’s not the case with avast! for sure. But it makes me wonder too what that means…

I hope the Alwil team will explain this…
btw, I (maybe) found a false positive: avast! VPS 0532-5 detects Win32:Trojano-1921 in one of the Shutdown Monster software files (ShutdC.exe).
I have sent the file. :wink:

Thanks for the submission.
Regarding the Win32 virus… I’d say it must be some typo. I’ll check it, but I’m quite sure there’s no special detection with this name.

OK, it seems to be a typo in the name (i.e. the real name is missing after the prefix) - sorry about the confusion.

Hello all,
Avast just detected this Trj twice: Win32:Dialer-368 (trojan or dialer???)
I’m a bit surprised by it because neither HouseCall nor AVG detected it; maybe they didn’t scan .cap files… Anyway, it found that in 2 .cap files I saved while sniffing the air. So I’m not so sure there was a trojan inside those files, unless they were infected… That’s all. Maybe any tip to be certain it is a trojan? (I put them in the chest, maybe I’ll open them l8r.)
Have a nice day all :wink:
P.S.: first day using avast btw

Submit the file to Jotti and let us know the results, i.e., if it is or not a false positive.
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus (at) avast.com.
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see About avast: right click avast icon) will also help.

Also you can use virustotal service: http://www.virustotal.com/xhtml/index_en.html

Well, it doesn’t sound like a false positive. When capturing network packets, you can get lots of nasty stuff; probably not directly executable, but the data are there.
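Igor's point above is easy to see with a small parser, so here is an added example (my own code, not avast's scanner or anything from the thread) that builds a tiny classic pcap in memory from constructed packets, walks its records, strips the Ethernet/IPv4/TCP headers and reports where a constructed byte pattern sits inside a payload. The `CONSTRUCTED_SIG` bytes, the addresses and the HTTP lines are all made up for the example; nothing here is a real detection pattern or real traffic.

```python
"""Why an antivirus can flag a .cap file: the bytes a signature looks for can
sit inside a packet payload even though the capture itself never executes.
This builds a constructed pcap, then scans each TCP payload for a pattern
and reports the packet number and absolute file offset of every hit.
"""
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Constructed pattern standing in for a vendor's detection signature.
CONSTRUCTED_SIG = b"\xde\xad\xbe\xefDIALER-SAMPLE"


def ipv4_tcp_frame(payload: bytes) -> bytes:
    """Wrap `payload` in Ethernet + IPv4 + TCP headers (checksums left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(payloads: List[bytes]) -> bytes:
    """Serialise a little-endian classic pcap with one frame per payload."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, p in enumerate(payloads):
        frame = ipv4_tcp_frame(p)
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes):
    """Yield (record number, file offset of the frame, frame bytes) per record."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off, n = 24, 0
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        start = off + 16
        yield n, start, pcap[start:start + incl_len]
        off, n = start + incl_len, n + 1


def tcp_payload(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (payload offset within frame, payload) for an IPv4/TCP frame."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        return None                      # not TCP
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    payload_start = tcp_start + data_off
    return payload_start, frame[payload_start:]


def scan_capture(pcap: bytes, sig: bytes = CONSTRUCTED_SIG) -> List[Tuple[int, int]]:
    """List (packet number, absolute file offset) of every payload containing `sig`."""
    hits = []
    for n, frame_off, frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        pstart, payload = parsed
        idx = payload.find(sig)
        if idx >= 0:
            hits.append((n, frame_off + pstart + idx))
    return hits


# Constructed capture: a request, a response carrying the pattern, a goodbye.
SAMPLE_CAPTURE = build_pcap([
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n\r\n" + CONSTRUCTED_SIG + b"\x00" * 8,
    b"QUIT\r\n",
])

if __name__ == "__main__":
    for pkt, offset in scan_capture(SAMPLE_CAPTURE):
        print(f"pattern found in packet {pkt} at file offset {offset}")
```

The hit lands at a byte offset inside the second packet's payload, which is exactly what a file scanner sees when it reads a capture: the pattern is present in the file, so the signature fires, but the surrounding bytes are an HTTP response frozen on disk rather than a program that can run. A capture that carries a downloaded dialer is therefore a record of the download, not an infection of the machine that stored it.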

:frowning: I surpassed the 60 mins while the file was scanned… and the post was deleted…
thx a lot to both for the answer. From Igor’s answer I hope I can presume the file is inoffensive even if I have data that gives an alarm…

http://virusscan.jotti.org/

AntiVir               Found nothing
ArcaVir               Found nothing
Avast                 Found Win32:Dialer-368
AVG Antivirus         Found nothing
BitDefender           Found nothing
ClamAV                Found Dialer-135
Dr.Web                Found nothing
F-Prot Antivirus      Found nothing
Fortinet              Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32                 Found nothing
Norman Virus Control  Found nothing
UNA                   Found nothing
VBA32                 Found nothing

http://www.virustotal.com/

Antivirus      Version        Update      Result
AntiVir        6.31.1.0       08.30.2005  no virus found
Avast          4.6.695.0      08.29.2005  Win32:Dialer-368
AVG            718            08.29.2005  no virus found
Avira          6.31.1.0       08.30.2005  TR/Dldr.Small.ayl.0
BitDefender    7.0            08.31.2005  no virus found
CAT-QuickHeal  8.00           08.30.2005  no virus found
ClamAV         devel-20050725 08.30.2005  Dialer-135
DrWeb          4.32b          08.30.2005  no virus found
eTrust-Iris    7.1.194.0      08.30.2005  no virus found
eTrust-Vet     11.9.1.0       08.30.2005  no virus found
Fortinet       2.41.0.0       08.31.2005  no virus found
F-Prot         3.16c          08.31.2005  no virus found
Ikarus         0.2.59.0       08.30.2005  no virus found
Kaspersky      4.0.2.24       08.31.2005  no virus found
McAfee         4570           08.30.2005  no virus found
NOD32v2        1.1205         08.30.2005  no virus found
Norman         5.70.10        08.29.2005  no virus found
Panda          8.02.00        08.30.2005  no virus found
Sophos         3.97.0         08.31.2005  no virus found
Symantec       8.0            08.30.2005  no virus found
TheHacker      5.8.2.097      08.30.2005  no virus found
VBA32          3.10.4         08.30.2005  no virus found

btw, as I don’t know what was captured I’m not sure I should have submitted it. … l8r ;-)