Why do avast versions detect this threat under 2 different names?

Hello forum friends,

The VT reports are, the urlscan here: http://www.virustotal.com/url-scan/report.html?id=7e7275247a07b99ae6b06ef8d027a54b-1310298228
and the file-analysis report here:
http://www.virustotal.com/file-scan/report.html?id=dfe99b9447265c493ec0ef0b72951aa57d1ac154f1835984fc8e96e3204686fb-1310305908

The wepawet analysis is found here: http://wepawet.iseclab.org/view.php?hash=7e7275247a07b99ae6b06ef8d027a54b&t=1310306104&type=js (suspicious)

and the accompanying Anubis report can be found here:
http://anubis.iseclab.org/?action=result&task_id=192c1889690b9b8347dcd89014c91b8ce
given as Trojan-Spy.Win32.Perfloger (Sig-Id:448241)

Why will avast in one case flag it as Win32:Perflogger-CC [Tool]
and in the other as Win32:PUP-gen [PUP]?
The malware is also known as Spyware.Perfect: http://www.symantec.com/security_response/writeup.jsp?docid=2003-100210-1458-99&vid=4294906217

polonus

If I remember correctly, avast 4.8 does not scan for PUP and is using a signature name, while the better-detecting avast 5/6 engine is detecting it generically as a PUP with no specific malware name (Generic = recognising malware by its similarity to known items).

Products alerting on generic detection will often use broader naming than with exact detection, perhaps classing something as 'fam' or '.gen' to indicate that it belongs to the same family or genus but cannot be labelled as a specific variant.
http://www.virusbtn.com/resources/glossary/generic_detection.xml

Correct me if I am wrong…

file info ( found using the microsoft name from the VT scan )
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=MonitoringTool%3AWin32%2FPerfectKeylogger

Summary MonitoringTool:Win32/PerfectKeylogger is a commercial monitoring program that monitors user activity, such as keystrokes typed. MonitoringTool:Win32/PerfectKeylogger is available for purchase at the company's website. It may also have been installed without user consent by a Trojan or other malware.

Hi Pondus,

I think your opinion really makes sense. Well, I looked the term up at Bugbopper and got this for a first result:
http://www.bugbopper.com/namelookup.asp?name=Perfloger
Then I got to the unique md5 hash and that got me here:
Win32:Perflogger-CC [Tool]
About the naming convention Platform-Family-Sequence,
we will find that here Win32 is the Platform name: Platform: Win32: Malware affecting all 32-bit platforms, including Win95, Win 98, WinMe, WinNT, Win2000, Win2003, WinXP, Vista, and Win7.
Perflogger is the Family name:
Sequence proves what you said is true: 8 different variants of Perflogger were named before not-a-virus:Monitor.Win32.Perflogger.i etc. was named in the lab. At least 695 variants have been created since. not-a-virus:Monitor.Win32.Perflogger.i was a very early variant.
This means after that “not-a-virus:Monitor”, meaning after avast started to scan for risktool or PUP-detection,

polonus
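An added example, not part of any post in this thread: a small Python parser that splits the detection names quoted above into platform, family and sequence, and flags the generic ones. The three layouts are assumptions inferred from the names in the thread, not vendor specifications, and the function names are hypothetical.

```python
import re

# Layouts inferred from the names quoted in this thread (assumptions, not vendor specs).
PATTERNS = [
    # avast style: Platform:Family-Sequence [Type]
    re.compile(r"^(?P<platform>\w+):(?P<family>[A-Za-z0-9]+)"
               r"(?:-(?P<sequence>\w+))?\s*\[(?P<kind>\w+)\]$"),
    # dotted style: [prefix:]Type.Platform.Family[.variant]
    re.compile(r"^(?:[\w-]+:)?(?P<kind>[\w-]+)\.(?P<platform>\w+)"
               r"\.(?P<family>\w+)(?:\.(?P<sequence>\w+))?$"),
    # Microsoft style: Type:Platform/Family
    re.compile(r"^(?P<kind>\w+):(?P<platform>\w+)/(?P<family>\w+)$"),
]
GENERIC_MARKERS = {"gen", "fam"}  # the markers named in the glossary quote


def parse(name):
    """Split a detection name into its parts; return None if no layout fits."""
    for pattern in PATTERNS:
        m = pattern.match(name.strip())
        if m:
            parts = m.groupdict()
            parts.setdefault("sequence", None)  # Microsoft layout has none
            seq = (parts["sequence"] or "").lower()
            parts["generic"] = seq in GENERIC_MARKERS
            return parts
    return None


def explain(name):
    """One-line summary: which family, and whether the match is generic."""
    p = parse(name)
    if p is None:
        return f"{name}: unrecognised layout"
    how = "generic (similarity match)" if p["generic"] else "named signature"
    return f"{name}: platform={p['platform']} family={p['family']} -> {how}"


if __name__ == "__main__":
    # Names copied from the posts above.
    for sample in ["Win32:Perflogger-CC [Tool]",
                   "Win32:PUP-gen [PUP]",
                   "not-a-virus:Monitor.Win32.Perflogger.i",
                   "MonitoringTool:Win32/PerfectKeylogger"]:
        print(explain(sample))
```
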

And I guess “Perflogger” is short for “PerfectKeylogger” used by Microsoft

and you find it for sale here
OBS: the website has bad rep on URLVoid 3/17
hxxp://wxw.blazingtools.com/bpk.html