Trojan SHeur, TrendMicro, AVG

Discussion in 'malware problems & news' started by abanerji, Sep 16, 2007.

Thread Status:
Not open for further replies.
  1. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    First, my details :-

    Windows version : XP-pro SP2 (patched, confirmed with Secunia site inspector)
    AVG version and virus db version : 7.5.487 and 269.13.21/1010
    Other antivirus software installed : nil
    Other protection software installed : AVG anti-spyware 7.5, ZoneAlarm free 6.5.737.000, ProcessGuard free 3.405

    I had bought a Western Digital external hard disc in Feb 2007, and it came with their software WDSync. I don't use the software; instead I back up my data files to this external HD using the Explorer copy function. However, before starting to use the external HD, I had copied (not installed) the WDSync.exe file to my internal hard disc as a precaution. At that time, AVG did not find any issue with this WDSync file.

    Today, I did an online scan from the TrendMicro website, and TrendMicro informed me that the only malware on my PC is a generic low-threat trojan, viz., avg75free_432a861.exe (which I had downloaded on 31st December 2006, before installing)! Although TrendMicro wanted to clean it, I did not allow it. I have kept a screenshot of TrendMicro's results page.

    However, while TrendMicro was scanning, AVG suddenly popped up and gave the "trojan SHeur.NFD infected file (WDSync)" message. Interestingly, TrendMicro didn't find this file to be infected.

    I have not yet been able to submit the file to jotti, since their server is continuously busy. However, I tried to upload at NormanSandbox and their server returned error (file could not be uploaded) ... this makes me even more suspicious.

    At present, I have moved the file to vault.

    Thanks.
     
  2. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    You could try Virus Total's multi-scanner.

    http://www.virustotal.com/

    Some people prefer it over Jotti's.
    I use it and seldom have to wait long to upload a file.
     
  3. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you for your reply. I managed to get the file tested at virustotal (after stopping resident shield) ... the relevant parts are :-

    File WDSync.exe received on 09.16.2007 23:22:40 (CET)
    Current status: finished
    Result: 2/32 (6.25%)

    Antivirus Version Last Update Result
    AVG 7.5.0.485 2007.09.16 -
    Sunbelt 2.2.907.0 2007.09.15 VIPRE.Suspicious
    Webwasher-Gateway 6.0.1 2007.09.16 Virus.Win32.FileInfector.gen (suspicious)

    Additional information
    File size: 4347904 bytes
    MD5: d8a1b837f40c4f3e94518ee10509df66
    SHA1: abef9d752fffeb2df0c7ebde5a6ac7383af51c32
    packers: embedded
    packers: embedded
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics

    I notice from the above results that their test included AVG 7.5.0.485, which gave a negative result. However, my AVG is a later 7.5.487.
    I also tried testing at jotti, but the result was getting stuck at Panda. A-squared to Norman (including AVG) found nothing.

    Meanwhile, AVG technical support has said : "Unfortunately, the previous virus database might have detected the mentioned virus on some legitimate applications. We can confirm that it was a false alarm. We have immediately released a new virus update that removes the false positive detection on this file. Please update your AVG and check your files again. This file is not detected by AVG with AVG Virus Database version 269.13.21/1012".

    I shall do a complete sys-scan with the latest defs ... hopefully, all will come ok.
    Could you please tell me why Sunbelt and Webwasher also suspected a virus - I am curious.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Webwasher, as a gateway AV, is overly paranoid. It's probably detecting the runtime packer.
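    Two points in this thread lend themselves to a small script: confirming by MD5/SHA1 that the file on disk is the same one VirusTotal reported on (post 3), and the entropy heuristic that makes gateway scanners such as Webwasher flag runtime-packed executables as "suspicious" without naming a threat (post 4). The following is an added example written for this discussion, not code from the thread or from any vendor named in it. It uses only the Python standard library; the minimal PE it builds, the section names .stub and .packed, and the 7.0 bits-per-byte threshold are constructed for the demonstration and are not loadable or vendor-specific values. The hashes it compares against are the ones quoted in the VirusTotal report above.

```python
"""Added example: identify a file by hash and estimate whether a PE is runtime-packed.

Standard library only. The sample PE images built at the bottom are constructed
for this demonstration; they are parseable but not runnable executables.
"""
import hashlib
import math
import struct

# MD5/SHA1 quoted in the thread's VirusTotal report for WDSync.exe
REPORTED = {
    "md5": "d8a1b837f40c4f3e94518ee10509df66",
    "sha1": "abef9d752fffeb2df0c7ebde5a6ac7383af51c32",
}

# Illustrative threshold: compressed or encrypted data approaches 8.0 bits/byte
PACKED_ENTROPY = 7.0


def file_hashes(data: bytes) -> dict:
    """Hashes in the same form a multi-scanner report prints them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_report(data: bytes, reported: dict = REPORTED) -> bool:
    """True only if every reported hash matches, so a different build is not mistaken for the scanned file."""
    actual = file_hashes(data)
    return all(actual[k] == v.lower() for k, v in reported.items())


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Parse the PE section table and return (name, raw_bytes) pairs."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_report(data: bytes) -> dict:
    """Per-section entropy plus a coarse 'likely packed' verdict based on the threshold above."""
    per_section = {name: round(shannon_entropy(raw), 2) for name, raw in pe_sections(data)}
    high = [name for name, e in per_section.items() if e >= PACKED_ENTROPY]
    return {"sections": per_section, "high_entropy": high, "likely_packed": bool(high)}


# ---- constructed sample data (not real executables) ----

def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, zeroed PE32 optional header, section table, raw data."""
    e_lfanew, size_opt = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    ptr = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    table, body = b"", b""
    for name, raw in sections:
        table += name.ljust(8, b"\0")[:8]
        table += struct.pack("<IIII", len(raw), ptr, len(raw), ptr) + b"\0" * 12 + struct.pack("<I", 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + table + body


def high_entropy_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic pseudo-random filler standing in for compressed payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


LOW_ENTROPY_CODE = b"mov eax, ebx; ret\n" * 60          # repetitive text, well under the threshold
SAMPLE_PLAIN = build_sample_pe([(b".text", LOW_ENTROPY_CODE), (b".data", b"Hello\0" * 100)])
SAMPLE_PACKED = build_sample_pe([(b".stub", LOW_ENTROPY_CODE[:64]), (b".packed", high_entropy_bytes(4096))])

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, file_hashes(sample)["sha1"][:12], packing_report(sample))
```

To check a real file, read it and call `matches_report(data)` and `packing_report(data)`. High entropy only says a section is compressed or encrypted, which is why scanners that key on it return generic "suspicious" verdicts rather than named detections; a legitimately packed vendor installer like the one in this thread looks the same to this heuristic as a packed trojan, so treat the result as a reason to verify hashes and consult the vendor, not as a verdict on its own.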
     
  5. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Ok, thank you. Adds to my knowledgebase.
     