Win32 Trojan-gen

I downloaded Norton Ghost in .iso format. I scanned it (still in .iso format) with avast4 and it found a win32Trojan-gen virus. I did not mount the iso image because of this. Can I mount the image without installing, then have Avast scan all the files so I can delete the file that has the virus? tks

I suspect that this is likely to be a false positive detection.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

If you have something like ISO Buster or another ISO reader that can extract the file that is being detected (mounting, I shouldn't have thought, would install), extract the file to a temporary location (see below). You would probably have to pause the Standard Shield to be able to extract it.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

The description is so long that the warning text never got beyond …iso. I will extract the iso (ISO Buster) or mount the iso, then do an avast scan and advise. tks

Here are the findings, but I don't understand it: Tks

File KEYGEN.EXE received on 07.06.2008 21:55:52 (CET)
Current status: finished
Result: 17/33 (51.52%)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.4.1 2008.07.05 Win-Trojan/Krunchy.37376.B
AntiVir 7.8.0.64 2008.07.05 -
Authentium 5.1.0.4 2008.07.06 W32/Heuristic-210!Eldorado
Avast 4.8.1195.0 2008.07.06 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.07.06 -
BitDefender 7.2 2008.07.06 Packer.Krunchy.A
CAT-QuickHeal 9.50 2008.07.04 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.06 PUA.Packed.Krunchy
DrWeb 4.44.0.09170 2008.07.06 -
eSafe 7.0.17.0 2008.07.03 -
eTrust-Vet 31.6.5929 2008.07.05 -
Ewido 4.0 2008.07.06 -
F-Prot 4.4.4.56 2008.07.06 W32/Heuristic-210!Eldorado
F-Secure 7.60.13501.0 2008.07.03 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.06 -
GData 2.0.7306.1023 2008.07.06 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.07.06 Packer.Krunchy.A
Kaspersky 7.0.0.125 2008.07.06 -
McAfee 5332 2008.07.04 -
Microsoft 1.3704 2008.07.06 -
NOD32v2 3244 2008.07.05 -
Norman 5.80.02 2008.07.04 -
Panda 9.0.0.4 2008.07.06 Suspicious file
Prevx1 V2 2008.07.06 Malicious Software
Rising 20.51.60.00 2008.07.06 -
Sophos 4.31.0 2008.07.06 Mal/Generic-A
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.06 Infostealer.Gampass
TheHacker 6.2.96.373 2008.07.05 -
TrendMicro 8.700.0.1004 2008.07.05 TROJ_Generic.A
VBA32 3.12.6.8 2008.07.06 -
VirusBuster 4.5.11.0 2008.07.06 Packed/FRBR
Webwasher-Gateway 6.6.2 2008.07.05 Win32.Malware.gen (suspicious)
Additional information
File size: 37376 bytes
MD5: f2a385272e41b16eaf5714361a884f26
SHA1: 6ce2ea9f7ff692b8a6629fc124c3134c467a0285
SHA256: 0c0ae704caf88a35b5166ea55a0a26478fbdb72a98a40c7a6e327dedee43124d
SHA512: 5959a85be562d547adcc3e1ecc130b5cc4c19f1a3370008e129b4940cafb014fcb63f9cc627010fde05b3cfa94b9919ae6b45a52a80d0a94a55eaad8a6f4be07
PEiD: kkrunchy → Ryd
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x3f88e6
timedatestamp: 0x47bdfbd6 (Thu Feb 21 22:31:50 2008)
machinetype: 0x14c (I386)

( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
kkrunchy 0x1000 0x2caa8f 0x8200 7.91 d44ac095005b91ad1a7c122381ecf35e

( 1 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=49EB719C00242BB992FC005DC0D2460092E8DFDC
packers (Authentium): Malware_Prot.J
packers (F-Prot): Malware_Prot.J

Here are the results from Jotti Malware scan:

Scan taken on 07 Jul 2008 05:34:53 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found Win32:Trojan-gen {Other}
AVG Antivirus: Found nothing
BitDefender: Found Packer.Krunchy.A
ClamAV: Found PUA.Packed.Krunchy
CPsecure: Found BackDoor.W32.Hupigon.dsx
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found Mal/Generic-A
VirusBuster: Found nothing
VBA32: Found nothing

Jotti isn't as good, as it doesn't have as many scanners and it also uses Linux versions of the AVs.
I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

As to what to make of it, there are sufficient hits to say it is most certainly suspect, but many of those hits are flagged Suspicious (usually means heuristic detection), Generic or -gen at the end of the malware name (a signature designed to catch multiple variants of the same virus type), which are more prone to false detection. Some also seem to be more concerned with the packing method, so the jury is still out.

So I would say don't install it; send the sample (the one you uploaded to VT) to avast for analysis.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "possible false positive" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
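The triage described above (heuristic, generic/-gen and packer-focused names being weaker evidence than a specific family name) can be applied mechanically to a pasted VirusTotal result list. The script below is an added example, not something from the thread or from avast/VirusTotal; the sample lines are copied from the format of the report posted above, and the keyword buckets are my own assumptions about how the names should be read.

```python
import re
from collections import Counter

# Constructed sample: a subset of the report lines pasted earlier in the thread
# (engine, engine version, signature date, result), whitespace-separated.
SAMPLE_REPORT = """\
AhnLab-V3 2008.7.4.1 2008.07.05 Win-Trojan/Krunchy.37376.B
AntiVir 7.8.0.64 2008.07.05 -
Authentium 5.1.0.4 2008.07.06 W32/Heuristic-210!Eldorado
Avast 4.8.1195.0 2008.07.06 Win32:Trojan-gen {Other}
BitDefender 7.2 2008.07.06 Packer.Krunchy.A
CAT-QuickHeal 9.50 2008.07.04 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.06 PUA.Packed.Krunchy
Sophos 4.31.0 2008.07.06 Mal/Generic-A
Symantec 10 2008.07.06 Infostealer.Gampass
TrendMicro 8.700.0.1004 2008.07.05 TROJ_Generic.A
"""

# engine, version, yyyy.mm.dd date, then everything else is the result name
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")

def parse_report(text):
    """Return (engine, version, updated, result) tuples for each result line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            engine, version, updated, result = m.groups()
            rows.append((engine, version, updated, result.strip()))
    return rows

def classify(result):
    """Bucket a detection name: clean, heuristic, packer, generic or specific.
    Keyword lists are an assumption; order matters (heuristic wins over generic)."""
    if result == "-":
        return "clean"
    low = result.lower()
    if any(k in low for k in ("suspicious", "heuristic", "dnascan", "gemini")):
        return "heuristic"
    if any(k in low for k in ("packer", "packed", "krunchy")):
        return "packer"
    if any(k in low for k in ("-gen", ".gen", "generic")):
        return "generic"
    return "specific"  # a named family, the strongest evidence in the list

def summarize(text):
    """Count buckets and list the engines giving a specific family name."""
    rows = parse_report(text)
    counts = Counter(classify(r[3]) for r in rows)
    specific = [(e, r) for e, _, _, r in rows if classify(r) == "specific"]
    return {"engines": len(rows), "detections": len(rows) - counts["clean"],
            "counts": dict(counts), "specific": specific}

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

On the sample above only one engine gives a specific family name, which is the picture the post describes: many hits, but most of them heuristic, generic or about the packer.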

OK, the last method is easiest. Tks

You’re welcome.

I could not send the file to avast. I tried twice, once directly from the chest, the other from the User folder. Both emails were returned. What next? Try later?

Can you explain in more detail why they couldn’t be sent ?
What are the errors, etc. ?

What is your email client ?
Have you filled in the details in the Program Settings, SMTP section, see image.

Oops ! I did not know I had to fill in the SMTP section. Hopefully it can now be sent. Tks again

No problem, hopefully that will resolve the problem.

If not you will need to answer the questions asked.

Would I get an analysis and reply from Alwil? Tks

You aren’t normally contacted unless they need more information.

Periodically (after the auto VPS updates) scan the file from within the chest; once it is no longer detected it should be OK to install. Alwil are normally quick to correct an FP once identified, so hopefully not too long.

OK, tks.

You’re welcome.

I updated to the latest virus definitions from Avast and it's now no longer a problem with Keygen.exe. Avast is fast in responding to false triggers. Thanks to you and Avast I can now install the program.