Trojan-Spy.HTML.Fraud.gen (modification)

I use avast! on both of my computers, but I sometimes like to experiment with other software. I do the experimenting with my desktop.

Yesterday I replaced avast! with AOL AVS on the desktop. When AOL AVS was activated it asked to do a scan. It took 2 hours & found Trojan-Spy.HTML.Fraud.gen (modification). I allowed AVS to neutralize it before I thought to upload it to virustotal or jotti. It was in C:\Documents and Settings for my MSN mail account.

avast!, AVGAS, ewido, Spyware Terminator & A-Squared never found it. I think it may be a false positive.

I plan to keep AOL AVS for a month then NOD32 trial for 30 days before returning to avast!. avast! is staying on my laptop. I probably shouldn’t mess around trying out other anti-viruses, but sometimes curiosity gets the best of me. I am happy with avast!.

What were the results…

There is a great possibility of being a false positive… indeed.

One of the things you need to consider about experimenting with other AVs is who you go to for help if you have any issues, and what that support is likely to be like.

Since I know little about AOhell’s AV solution or its detections, at a guess the ‘.gen’ at the end of the malware name could indicate a generic signature trying to catch many variants with one signature; this can have an increased false positive detection rate. Perhaps you should also test AOhell’s support for their AV solution and see what transpires.

To properly confirm a false positive detection, you need the infected file name and the location of the file; this can give an indication. You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest (or any other form of quarantine); you will need to move it out.

My personal view on this switching between AVs: if it isn’t broke, don’t fix it; your security isn’t something to experiment with.

http://www.viruslist.com/en/search?VN=Trojan-Spy.HTML.Fraud.gen&referer=aol

Trojan-Spy.HTML.Fraud.gen

Aliases
Trojan-Spy.HTML.Fraud.gen (Kaspersky Lab) is also known as: Phish-BankFraud.eml (McAfee), Trojan Horse (Symantec), TrojanSpy:HTML/UrlSpoof.E* (RAV), HTML_SWENFRAUD.A (Trend Micro), TR/URLSpoof.P (H+BEDV), HTML/URLspoof.B@expl (FRISK), VBS.Trojan.Inor.Z.Spoofer (SOFTWIN), HTML.Phishing.Bank-31 (ClamAV), Exploit/URLSpoof (Panda)
Detection added Nov 23 2004
Description added Dec 29 2004
Behavior TrojanSpy
Technical details

This family of Trojans utilises spoofing technology. The Trojans themselves are contained in fake HTML pages. Messages, purportedly from banks, financial institutions, internet stores, software companies etc. are sent to users. These messages contain a link to the fake page; this link exploits the Frame Spoof vulnerability in Internet Explorer.

The Frame Spoof vulnerability is present in Internet Explorer v. 5.x and 6.x, and detailed in Microsoft Security Bulletin MS04-004. The bulletin also gives recommendations on how to recognise spoofed sites.

Once a user visits the fake site, and enters account details or personal information, these details will be sent to a malicious remote user, who will then have access to users’ confidential information.
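The viruslist entry above says the family delivers a link to a fake page that spoofs a trusted site. For anyone weighing whether such a detection is a false positive, here is an added triage example (mine, not from the thread, AOL AVS or viruslist) that scans an HTML mail body for two assumed spoofing indicators: a link whose visible text names a different host than its href, and an href carrying `user@host` userinfo. The sample message is constructed.

```python
"""Triage helper: flag URL-spoofing indicators in an HTML mail body.
Heuristics (assumptions, not a definition of the malware family):
  1. <a href> whose visible text looks like a domain for a different host
  2. href with userinfo ('user@host'), a classic URL-spoofing form
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Pulls a bare domain out of visible link text such as "www.example-bank.com/secure".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_spoof_indicators(html):
    """Return a list of (indicator, href, visible_text) findings."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.username is not None:          # 'user@host' form
            findings.append(("userinfo-in-url", href, text))
        match = DOMAIN_RE.search(text)
        if match and parsed.hostname and match.group(1).lower() != parsed.hostname.lower():
            findings.append(("text-host-mismatch", href, text))
    return findings


# Constructed sample: one honest link, one userinfo-spoofed link, one text/host mismatch.
SAMPLE = """<html><body><p>Please verify your account at
<a href="http://www.example-bank.com/">www.example-bank.com</a>.</p>
<a href="http://www.example-bank.com@203.0.113.5/login">www.example-bank.com</a>
<a href="http://203.0.113.5/secure">https://www.example-bank.com/secure</a>
</body></html>"""
```

Run `find_spoof_indicators(SAMPLE)` on the quarantined file's contents once it has been moved out of the chest; an empty result does not prove a false positive, but a non-empty one shows exactly which links triggered concern.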