Avast WEBforum

Other => General Topics => Topic started by: TAP on January 27, 2005, 03:31:09 AM

Title: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: TAP on January 27, 2005, 03:31:09 AM
Sorry if this has been asked before. I've noticed that avast! always specifies malware names (especially for trojan-like ones) as follows.

VBS:Malware [Gen]
VBS:Generic-Direct
VBS:Malware [Encrypted]
VBS:Malware [Script]
Win32:Trojan-gen. {UPX!}
Win32:Trojan-gen. {VC}
Win32:Trojan-gen. {Delphi}
Win32:Trojan-gen. {Other}

I know from somewhere that all these are called "generic names".

- Are these generic names automatically generated by some special kind of malware detection method or something similar to traditional heuristics (as far as I know avast! has no heuristics in its on-demand scanner) for an unknown/generic malware?

- Or, is some insignificant malware detected by avast!'s traditional signature-based method, but ALWIL's virus analysts simply give generic names to that malware instead of specific names?

Please give me some explanations about that or drop some URLs explaining its meaning.

Thanks
Title: Re: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: TAP on January 27, 2005, 10:02:21 AM
I think I found the answer myself by doing a search and trying to read the huge search results, so there's no need to answer me.

Thanks  ;)
Title: Re: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: DavidR on January 27, 2005, 03:06:38 PM
If you think you have found the answer, why not post the answer? It can be confirmed and it may help others.
Title: Re: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: RejZoR on January 27, 2005, 03:13:54 PM
I'm still wondering if ALL of these signatures are really pure generic or are also malware files that are not worth having their own name?
Title: Re: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: TAP on January 29, 2005, 12:43:25 AM
Personally, I hardly believe that some of them must be generic names that are automatically generated by generic detection, no more no less.

For example, on a machine infected by VBS/Redlof (a polymorphic/encrypted Visual Basic Script virus) avast! detects most of them as VBS:Redlof but some of them are detected as VBS:Malware [Script]  ;D. It's just like macro viruses created by some virus generator, most of which would be detected as Macro virus.gen (detected by some kind of generic/family detection). But I haven't seen something like Win32:Worm-gen. {UPX!}; it would be great if avast! could detect some or most ITW worms by its generic detection like it does trojan-like ones.

But that's just my guess, I may be completely wrong.
Title: Re: What exactly is Win32:Trojan-gen. {xxx} ?
Post by: RejZoR on January 29, 2005, 10:35:40 AM
I have seen the Win32:SpyBot-GEN signature a few times on Jotti but I don't know what exactly that GEN means in the end. Maybe the generic signature is only for non-packed SpyBot versions (supporting so many packers can be problematic, but unpacked is always the same).