Author Topic: Avast! detecting VundoFix as win32:Trojan-gen (Other)  (Read 8436 times)


Offline ky331

  • Sr. Member
  • Posts: 303
Avast! detecting VundoFix as win32:Trojan-gen (Other)
« on: August 03, 2008, 03:55:42 PM »
avast 4.8.1229
080802-0

is intercepting the download of, and restricting access to, Atribune's VundoFix, one of the key tools used by HJT experts to remove vundo infections.

http://vundofix.atribune.org/

detected as win32:Trojan-gen (Other)
Lenovo T530 laptop, Intel Core i5-3320M @ 2.60 GHz, 8GB RAM, Windows 7 Pro SP1 (64-bit), avast! 17 Free, MBAM3 Pro, Windows Firewall, MVPS HOSTS file, OpenDNS Family Shield, Zemana AntiLogger Free, SpywareBlaster, IE11 & Firefox [both using WOT (IE set to WARN, FF set to BLOCK)], WinPatrol PLUS, uBlock Origin, MBAE, MCShield, CryptoPrevent, SAS (on-demand scanner). 
[I believe computer-users who sandbox (Sandboxie) are acting prudently.]

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33903
  • malware fighter
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #1 on: August 03, 2008, 04:14:11 PM »
Hi ky331,

Another FP through generic scanning, and annoying as such; put it on the inclusion list and send it to avast so it will no longer be flagged in the next update. Did you upload the file to VirusTotal? What other scanners had the FP?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ky331

  • Sr. Member
  • Posts: 303
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #2 on: August 03, 2008, 04:38:05 PM »
Polonus: VundoFix is an extremely well-known, and often-used, removal tool. Since it removes vundo infections, I can understand there being potential for a "mix up" between its removal capabilities vs. malware that inflicts the infection.

from Jotti:

VundoFix.exe
MD5:  47c30bc6c5161307ea9b8b12ba8b5af9

avast! Found Win32:Trojan-gen {Other}
ikarus  Found Generic.Virtumod
sophos Found Mal/VB-M

the remaining 17 scanners said it was clean

------------------------------------------------------------------

VirusTotal  (File size: 119808 bytes)

9 say it's infected, 26 say it's clean.

the alleged infections are the same 3 above, from Jotti, plus the following:

CAT-QuickHeal : (Suspicious) - DNAScan
eSafe: Suspicious File
GData : Win32:Trojan-gen
NOD32v2 : unpack error
Panda : Suspicious file
Sunbelt:  Malware.Win32.CodeAnalyzer!cobra (v)
« Last Edit: August 03, 2008, 04:39:47 PM by ky331 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89061
  • No support PMs thanks
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #3 on: August 03, 2008, 04:47:09 PM »
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

This is the best way to have the file analysed and the VPS corrected for all users of avast and vundofix. I don't know what might be in the innards of vundofix, perhaps some signatures that are used to detect vundo and these could be the issue. However it still needs to be analysed.

I see from your results that avast isn't alone in its detection, though most are either heuristic or generic detections.
« Last Edit: August 03, 2008, 04:48:53 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline ky331

  • Sr. Member
  • Posts: 303
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #4 on: August 03, 2008, 05:06:08 PM »
Per request, I have just e-mailed avast a copy of the file from my virus chest, along with a link to this thread.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33903
  • malware fighter
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #5 on: August 03, 2008, 05:06:39 PM »
Hi DavidR,

Yes, this is the two-sided sword of generic (heuristic) scanning taking specific code by the throat that should not be stopped by a scanner. Just as you said somewhere else, these finds should be flagged as "potential riskware" or "potential generic malware" so the advanced user can decide for himself whether to run it or not. Or the generics could have an overruling whitelist to exclude tools and programs known to be good. I think it is a pain in the neck for a malware fighter when his advice is to use VundoFix on an infection and the very cleansing tool is flagged as malware on download. The tool had something in the past, and the way the tool works means it could be flagged generically as riskware. But again, if generic scanning is that indiscriminate it is too drastic to my liking. There should be more shades of gray for the advanced user who can fend for himself.

polonus

Offline ky331

  • Sr. Member
  • Posts: 303
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #6 on: August 03, 2008, 05:28:58 PM »
I realize I just e-mailed the sample, and so it probably hasn't been analyzed yet...
but I just wanted to note that update 080803-0 also has the same detection.

Offline misak

  • Moderator
  • Sr. Member
  • Posts: 234
    • Personal page (CZE)
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #7 on: August 04, 2008, 01:08:46 AM »
FP will be fixed in VPS 080804-0. This thread started when the current VPS was released...

Offline ky331

  • Sr. Member
  • Posts: 303
Re: Avast! detecting VundoFix as win32:Trojan-gen (Other)
« Reply #8 on: August 04, 2008, 01:36:19 PM »
Thank you for your response. I have just confirmed that the f/p has been fixed with the release of 080804-0.