Tricky Truck - Possible False Positive

Tried downloading hxxp://www.trickytruck.com/Tricky_Truck_Setup.exe. Avast is detecting Win32:Malware-gen. I’m fairly certain this is a false positive since VirusTotal and Jotti are both reporting the file as clean.

http://www.virustotal.com/file-scan/report.html?id=5e2aa8c747f6143b3767ea8f10085741c096bc1e213a4e95274e56c3b2ab2c46-1298816014

http://virusscan.jotti.org/en-gb/scanresult/6cd4694d3ebc4c607a88f02d7eda616503ca2735

Using Avast 6.0.1000 110227-0

EDIT: munged the URL

Well, this one is strange: it doesn’t appear that VT have updated the avast signatures (23/2/2011), as it wasn’t detected, but the GDATA detection is from the avast engine (one of its two AVs).

The other AV Jiangmin, who knows.

So I would say there is a high likelihood it is an FP:
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

I did try to submit to the Virus lab but nothing happens. I don’t get any form to fill in and nothing seemed to be uploaded when I did a manual update. Am I doing something wrong?

It used to have a form to complete, but that doesn’t seem to be required now. Though if you do a manual update and actually watch the update process you will see the upload take place.

At 18MB the file is just a little over the default maximum filesize for sending to avast.

Open avast → settings → Virus Chest → change the “maximum size of file to send to avast” to 20000KB (20MB)

You will then be able to send to avast.

EDIT: It will take a while, it is with me…maybe sending in a password protected archive to virus(at)avast.com would be better

Scott

Ok, changing the max file size works. Thanks.

Unfortunately the file is too big to email (10MB limit per email!). Sending from Virus chest right now

Thanks Scott, I didn’t realise that it was larger than the max size to send. The new size is much larger (16MB as opposed to the old one, 4MB) and I thought there wouldn’t be anything bigger than that you would need to send ;D

It used to be 4MB? Didn’t know that… :smiley:

I only remembered this because I saw this a while ago, with an older version (maybe 4) and the form wouldn’t appear if it was over the limit…

One thing I will say is that it needs changing somewhat… the sizes are in different formats all over the place.
The chest properties give it in bytes (but don’t say that), then the settings are in MB and KB…
I am used to switching between mega/kilo etc. easily because I do it almost daily in physics, but some will have trouble and find it really confusing…

But since there is now no wishlist topic…

It looks like the file has been submitted, although it seemed to indicate finished when the upload progress bar was only about half-way through. The file can be downloaded directly from the URL in my first post if the upload didn’t work.

BTW, it would be a good idea for the “submit to virus lab…” action to say that a file is not going to be submitted if it’s too large. If you don’t get any message, it’s easy to assume that the file has been submitted.

…and just read spg SCOTT’s last post. Yes - it would be a good idea to have the file sizes in Mb or Kb, but not both!
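The two problems raised above (a file silently not being uploaded because it is over the chest limit, and that limit being shown in bytes in one dialog and in KB/MB in another) are easy to check for yourself before submitting. The script below is an added example, not code from the thread or from Avast: it normalises a size string in any of those units, compares the local file against the limit, and computes the file's SHA-256 so you can confirm it is the same sample a public scan report (such as the VirusTotal report, whose id is the SHA-256) describes. The file contents, limits and expected hash used in the demo are constructed for the example.

```python
"""Pre-submission check for a suspected false positive (added example).

Not from the forum thread or from Avast: it verifies that the local file is the
sample a public scan report describes (by SHA-256) and that it fits under the
Virus Chest upload limit, whatever unit that limit was shown in.
All paths, sizes, limits and hashes below are constructed/assumed.
"""
import hashlib
import os
import re
import tempfile

# Binary multiples, which is what AV settings dialogs normally mean by KB/MB.
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text: str) -> int:
    """Turn '18874368', '20000KB', '16 MB' or '4mb' into a byte count.

    A bare number is taken as bytes (the chest properties dialog convention);
    a K/M/G suffix with or without a trailing B is accepted.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kKmMgG]?[bB]?)\s*", text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    value, unit = float(m.group(1)), m.group(2).upper()
    if unit in ("", "B"):
        unit = "B"
    elif not unit.endswith("B"):
        unit += "B"
    return int(value * _UNITS[unit])


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_submission(path: str, limit: str, expected_sha256: str = "") -> dict:
    """Report whether `path` would be accepted under `limit` and matches a known hash.

    expected_sha256 is the hash from the scan report you are comparing against
    (empty string = no comparison requested).
    """
    size = os.path.getsize(path)
    limit_bytes = parse_size(limit)
    digest = sha256_of(path)
    return {
        "size_bytes": size,
        "size_mb": round(size / _UNITS["MB"], 2),
        "limit_bytes": limit_bytes,
        "fits_limit": size <= limit_bytes,
        "sha256": digest,
        "matches_report": (digest == expected_sha256.lower()) if expected_sha256 else None,
    }


def write_constructed_sample(content: bytes) -> str:
    """Write constructed bytes to a temp file and return its path (demo/test helper)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def demo() -> dict:
    """Constructed 5 MiB 'installer' checked against the old and new chest defaults."""
    path = write_constructed_sample(b"MZ" + b"\0" * (5 * 1024 ** 2 - 2))
    try:
        return {
            "old_default_4MB": check_submission(path, "4MB"),
            "new_default_16MB": check_submission(path, "16MB"),
            "raised_to_20000KB": check_submission(path, "20000KB"),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "fits" if result["fits_limit"] else "TOO LARGE",
              f'{result["size_mb"]} MB of {result["limit_bytes"]} bytes', result["sha256"][:16])
```

Run it against the real download path and the limit you read off the settings dialog; if `fits_limit` is false the chest will not upload, and if `matches_report` is false you are not looking at the same file the scan report was for.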

Hi afferis2,

Munge the link you gave in your first posting like this: hxtp://www.trickytruck.com/Tricky_Truck_Setup.exe
so no one can click it and get infected…
Wepawet gives it as suspicious: http://wepawet.iseclab.org/view.php?hash=4df8e3bfffaf3a9183ecd14c26ebcd91&t=1298826575&type=js
This one is also flagged by WOT: htxp://www.geardownload.com/games/tricky-truck-download.html
and suspicious: http://wepawet.iseclab.org/view.php?hash=30a2e4b449840eb11502398837a07bde&t=1298826861&type=js
also: http://www.malwaregroup.com/Domains/details/www.geardownload.com
Here it was found up also in an installer: http://www.virustotal.com/file-scan/report.html?id=088088fbcf94f1074ec00e2e868c6bdbb391b1353b2245f1152f96bbd8135776-1286980868
It could well be a false Bifrose detection because of a packer used or protection inside the installer,
but that should be established/determined by the avast analysts, but then on the other hand there is also the wepawet flagging the malware… There are certainly malicious rapidshare versions around…
sucuri says: www dot trickytruck dot com site free of malware… and webutation gives the site 80 out of 100 points,
Here it is also found clean by garyshood url av-scanner:
http://www.garyshood.com/virus/results.php?r=4f7f22369f1566e09f1aec608e41150e

polonus

I have some more information. Not sure if this is helpful, but…

I have just re-scanned previous versions of this file (I keep them for reference just in case). All versions are now showing the same infection with the current virus definitions, however no problems were detected when the file was originally downloaded. The most recent version was downloaded on 4th Jan 2011, so I suspect something has changed in the detection signatures (or whatever is used by Avast) since then.

Avast Auto-update is enabled so I should have been using the “latest and greatest” virus definitions when these files were downloaded.

Thanks for all the support received so far.

Yes, essentially the detection has been added at some point since you downloaded it. Still detected here, so not removed from the database yet…

Hi spgScott,

I explained to you that the line between “obfuscation to protect” and “obfuscation to infect” can be a very thin line, and so could easily lead to initial FPs,

polonus

It looks as though the problem is solved with the Avast update today.

Lots of thanks to everyone. The Avast virus scanner is good - Avast technical support is even better.

Yep, appears that the detection is removed :slight_smile:

Lots of thanks to everyone. The Avast virus scanner is good - Avast technical support is even better.
We are just avast users like you ;) You're welcome :)