Trojan SHeur, TrendMicro, AVG

First, my details :-

Windows version : XP-pro SP2 (patched, confirmed with Secunia site inspector)
AVG version and virus db version : 7.5.487 and 269.13.21/1010
Other antivirus software installed : nil
Other protection software installed : AVG anti-spyware 7.5, ZoneAlarm free 6.5.737.000, ProcessGuard free 3.405

I had bought a Western Digital external harddisc in Feb 2007, and it came with their software WDSync. I don't use the software; instead I backup my data files to this external HD using Explorer copy function. However, before starting to use the external HD, I had copied (not installed) the WDSync.exe file to my internal harddisc as a precaution. At that time, AVG did not find any issue with this WDSync file.

Today, I did an online scan from TrendMicro website, and TrendMicro informed that the only malware in my PC is a generic low-threat trojan, viz., avg75free_432a861.exe (which I had downloaded on 31st december 2006, before installing) ! Although TrendMicro wanted to clean it, I did not allow. I have kept a screenshot of TrendMicro's results page.

However, while TrendMicro was scanning, AVG suddenly popped up and gave the "trojan SHeur.NFD infected file (WDSync)" message. Interestingly, TrendMicro didn't find this file to be infected.

I have not yet been able to submit the file to jotti, since their server is continuously busy. However, I tried to upload at NormanSandbox and their server returned error (file could not be uploaded) ... this makes me even more suspicious.

At present, I have moved the file to vault.

Thanks.

 

You could try Virus Total's multi-scanner.

http://www.virustotal.com/

Some people prefer it over Jotti's.
I use it and seldom have to wait long to upload a file.

 

Thank you for your reply. I managed to get the file tested at virustotal (after stopping resident shield) ... the relevant parts are :-

File WDSync.exe received on 09.16.2007 23:22:40 (CET)
Current status: finished
Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AVG 7.5.0.485 2007.09.16 -
Sunbelt 2.2.907.0 2007.09.15 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 2007.09.16 Virus.Win32.FileInfector.gen (suspicious)

Additional information
File size: 4347904 bytes
MD5: d8a1b837f40c4f3e94518ee10509df66
SHA1: abef9d752fffeb2df0c7ebde5a6ac7383af51c32
packers: embedded
packers: embedded
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics​

I notice from the above results that their test included AVG 7.5.0.485, which gave negative. However, my AVG is a later 7.5.487.
I also tried testing at jotti, but the result was getting stuck at Panda. A-squared to Norman (including AVG) found nothing.

Meanwhile, AVG technical support has said : "Unfortunately, the previous virus database might have detected the mentioned virus on some legitimate applications. We can confirm that it was a false alarm. We have immediately released a new virus update that removes the false positive detection on this file. Please update your AVG and check your files again. This file is not detected by AVG with AVG Virus Database version 269.13.21/1012".

I shall do a complete sys-scan with the latest defs ... hopefully, all will come ok.
Could you please tell me why sunbelt and webwasher also suspected virus - I am curious.

 

Webwasher, as a gateway AV, is overly paranoid. It's probably detecting the runtime packer.

 

Ok, thank you. Adds to my knowledgebase.