Avast WEBforum

Other => Viruses and worms => Topic started by: cengliong on November 05, 2006, 05:30:50 AM

Title: Win32:ShareAll-H [Trj]
Post by: cengliong on November 05, 2006, 05:30:50 AM
Hi,

My VPS version was 0645-4, 03/11/2006. When I scanned my files with a thorough scan, I found that I've got a Trojan Horse.

My warning log contains:
05/11/2006 11:06:51 Welly 2220 Sign of  "Win32:ShareAll-H [Trj]" has been found in
"C:\Program Files\iolo\System Mechanic Professional 6\SysMech6.exe\[ASPack]" file.

I've checked the file on http://virusscan.jotti.org/ and the result was: infected by Trojan-Spy.Banker.69 (detected only by VBA32).

Your help would be appreciated.

cengliong
Title: Re: Win32:ShareAll-H [Trj]
Post by: Lisandro on November 05, 2006, 01:59:20 PM
Seems a false positive.
As a workaround, please add the file to the Standard Shield exclusion list until you can receive new virus database (VPS) updates.
Title: Re: Win32:ShareAll-H [Trj]
Post by: DavidR on November 05, 2006, 04:04:53 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html). This uses the Windows version of avast and has a greater number of different scanners, 27 at last count.
Title: Re: Win32:ShareAll-H [Trj]
Post by: igor on November 06, 2006, 11:26:06 AM
Additionally, please pack the misdetected executable into a password-protected ZIP or RAR and send it to virus@avast.com, please (with a "False positive" subject, for example).
Title: Re: Win32:ShareAll-H [Trj]
Post by: cengliong on November 07, 2006, 12:12:48 AM
The new VPS is still detecting it as a trojan (0646-0, 06/11/2006). I've tried VirusTotal and it gave the same result:
  Avast  -> Win32:ShareAll-H
  VBA32 -> suspected of Trojan-Spy.Banker.69 (paranoid heuristics)

I've just sent the file to virus@avast.com
Title: Re: Win32:ShareAll-H [Trj]
Post by: curried on November 08, 2006, 10:35:49 AM
Hi cengliong,

  the VPS of 1st November (0645-0) picked up ShareAll-H in SysMech6.exe for me,
and I got the same result as you when using the multi-scan, VBA32 found Spy.Banker.69 (paranoid heuristics), and commented "possibly infected/malware.  Might be false +ve".

Still not good for the blood pressure when you think you are clean!

I have SysMech6 locked in the Chest until safe to let it out to play....   
Title: Re: Win32:ShareAll-H [Trj]
Post by: cengliong on November 08, 2006, 11:28:10 AM
Newer VPS (646-2, 07/11/2006) gives a clean result. Let us wait for VBA32 to update its database.
Title: Re: Win32:ShareAll-H [Trj]
Post by: Lisandro on November 08, 2006, 11:31:48 AM
Quote from: cengliong on November 08, 2006, 11:28:10 AM
"Newer VPS (646-2, 07/11/2006) gives a clean result. Let us wait for VBA32 to update its database."

Well, we're not that bad  ;)
Title: VBA32
Post by: cengliong on November 08, 2006, 03:24:40 PM
My friend once said VBA32 is very good at detecting trojans. If its new database gives a clean result, then should I take it as if my file is safe?
Title: Re: VBA32
Post by: Lisandro on November 08, 2006, 05:36:35 PM
Quote from: cengliong on November 08, 2006, 03:24:40 PM
"My friend once said VBA32 is very good at detecting trojans. If its new database gives a clean result, then should I take it as if my file is safe?"

Most probably... but, after all, as you've done before, the best approach will be to submit the file to on-line scanners.
Title: Re: Win32:ShareAll-H [Trj]
Post by: cengliong on November 09, 2006, 04:38:03 AM
OK, thanks.