Worm Alarm that was not there before!

I am getting a worm alarm in the update program "UPDATE.exe" for Black Hawk Down that was not there on previous scans. This is a genuine original CD from GSP white label. Can anyone explain why this is so? Is this a false alarm?

Update. I have done a scan of the disc with avast and Spybot and it has come back negative. Why am I getting this alert after the file has been installed, but not from the initial install file?

You don't say what the malware name of the detection was?

Virus signatures are continually added or updated, so it is possible that something previously not detected now is.

The installation file has to unpack the files, and in that state avast may not detect update.exe within the installation file; it would depend on the packing (compression/archive) method of the installation file, the type of scan you did, etc.

You could also check the offending/suspect update.exe at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

I can not say which malware is detected because avast just states that a Virus/worm is detected with the title of Win32:Trojan-gen {Other}. My computer started acting very slowly and I did a scan that reported that this file was infected. The scan also found a similar threat in a couple of other locations. I have since done a clean re-install of XP and I am in the process of installing all my applications and games. This alert has come up again when I am trying to re-install Black Hawk Down. The install is being interrupted because of this alert and I am reluctant to ignore the alert to complete the install. I therefore can not upload the offending file unless I install it. I appreciate that new detections are continually being created, but this file has previously been on my computer for quite a while. If an infection is true in this case, how come it has taken so long to detect it? If I can safely install this file I will then try to upload it to VirusTotal.

You have said the malware name, it is Win32:Trojan-gen {Other}

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected.

So there is a possibility that this could be a false positive detection, which you should confirm using virustotal as suggested in my post.

Since the file being detected is update.exe, don’t let it update.

Have you got 7zip http://www.7-zip.org/ (like WinZip)?
With it you can open installation files and extract update.exe (to the Suspect folder as suggested) from the Black Hawk Down installation file. This would save installing to get the file.

Thanks for your reply. I will try what you suggest in the morning and post back with the results. It is getting a bit late for me now.

You’re welcome, a bit late for me too, 01:33 a.m. here.

Hi DavidR

I have managed to upload the file to VirusTotal. The report said that 3 out of 36 scanners reported the trojan threat: avast, GData, Ikarus.
Another file (Pack.exe) was also reported as having this threat. I have uploaded this also and the same result came back as for the update.exe file. With only 3 showing the threat, can I treat this as a false positive?

I would also like to mention that I think the slow down on my computer might not have been this detection but rather the fact that I had run CCleaner. I think it might have deleted something that it should not have.

Lee

GData uses two AV engines, one of which is avast, so that is effectively one detection between them. I would say there is a strong likelihood it is an FP that you should report and exclude as in the link I gave in my first reply.
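The reasoning in the last two replies (a generic "-gen" signature, and GData's hit not being independent of avast's because GData bundles the avast engine) can be turned into a small triage routine. The following is an added example, not code from this thread, from avast or from VirusTotal. It assumes a simplified report shaped as a dict of engine name to detection label (None for clean); the only engine relationship it encodes is the GData/avast one stated above, and the sample report is constructed to match the numbers Lee posted (3 of 36, with the Ikarus label made up as a placeholder).

```python
"""Triage a multi-engine scan report: fold shared-engine hits into one and
flag generic signatures. Added example; not the thread's, avast's or
VirusTotal's code. Report format is an assumption: {engine: label_or_None}.
"""

# Vendors that ship another vendor's engine, so an agreeing hit from both is
# one detection, not two. GData -> avast is the only pairing taken from the
# thread; nothing else is assumed here.
SHARED_ENGINE = {
    "GData": "avast",
}


def generic_label(label):
    """True for generic/heuristic signature names (e.g. Win32:Trojan-gen)."""
    lowered = label.lower()
    return "-gen" in lowered or "generic" in lowered or "heur" in lowered


def independent_hits(report):
    """Engines that detected the file, after folding shared engines.

    A vendor listed in SHARED_ENGINE is dropped when the engine it bundles
    also fired, since that is the same signature reported twice.
    """
    hits = {engine for engine, label in report.items() if label}
    independent = set()
    for engine in hits:
        underlying = SHARED_ENGINE.get(engine, engine)
        if underlying != engine and underlying in hits:
            continue
        independent.add(engine)
    return sorted(independent)


def triage(report, max_independent=2):
    """Summarise a report. 'likely-fp' when at most max_independent distinct
    engines fire and every one of them uses a generic label; 'suspicious'
    otherwise; 'clean' when nothing fired. The threshold is a judgement call,
    not a rule from the thread."""
    raw_hits = sorted(engine for engine, label in report.items() if label)
    hits = independent_hits(report)
    all_generic = bool(hits) and all(generic_label(report[e]) for e in hits)
    if not hits:
        verdict = "clean"
    elif len(hits) <= max_independent and all_generic:
        verdict = "likely-fp"
    else:
        verdict = "suspicious"
    return {
        "engines": len(report),
        "raw_hits": len(raw_hits),
        "independent_hits": len(hits),
        "independent": hits,
        "verdict": verdict,
    }


# Constructed sample: 36 engines, 3 hits, mirroring the numbers in the thread.
# The Ikarus label is a placeholder, not what Ikarus actually reported.
SAMPLE_REPORT = {f"engine{n:02d}": None for n in range(1, 34)}
SAMPLE_REPORT.update({
    "avast": "Win32:Trojan-gen {Other}",
    "GData": "Win32:Trojan-gen {Other}",
    "Ikarus": "Trojan.Win32.Generic",   # constructed placeholder label
})

# Constructed contrast case: eight unrelated engines all firing on the file.
MANY_HITS_REPORT = {f"engine{n:02d}": "Win32:Trojan-gen" for n in range(1, 9)}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print(triage(MANY_HITS_REPORT))
```

For the sample report the routine counts avast and Ikarus as the two independent detections, both generic, and returns "likely-fp"; that is the conclusion DavidR reaches, and the next step is still the one he gives: report it to avast and exclude the file until the signature is corrected, rather than trusting the script alone.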