Author Topic: Are Viruses found based on file name only? Ans: NO but I have more questions

Offline lakrsrool

If viruses are detected by FILE NAME only then I would have to say that Avast has found a FALSE POSITIVE because the file is an executable file of an application program that I have had on my computer for many years.

The name of what I believe to be a possible false positive is AsteriskPassword.exe.

The kind of virus that Avast finds it to be: Win32:Malware-gen

The program path on my computer was: c:\Program Files\Thegrideon Software\Asterisk Password\AsteriskPassword.exe

The program is a Password Recovery file by Thegrideon Software: http://www.thegrideon.com/asterisk-password-recovery.html

Scanning with Jotti on-line scanner the following virus programs found the file to be a virus of some kind:
1) Avast - Win32:Malware-gen
2) AntiVir - SPR/PassView.N
3) G Data - Win32:Malware-gen
4) Quick Heal - Trojan.Agent.ATV
The other Sixteen virus program scans FOUND NOTHING. Thus Avast was one of 20% that considered the file a virus.

Scanning with Virus Total on-line scanner found the following: Result: 5/41 (12.2%) found positive.

What is odd is that I have had this program on my computer for many years and it has never been scanned as a threat of any kind up until now.

I emailed the zipped file to the Alwil Analysts with this same information I've posted here.

So again my question about how potential viruses are found by Anti-Virus programs: Are viruses found by FILE NAME or does the Anti-virus program actually check the code inside of files (including executables) and determine whether code within the file is considered to be a possible threat?

Thanks in advance.
« Last Edit: October 22, 2009, 08:57:14 PM by lakrsrool »
Processor: i3 2.53 GHz 4 GIG RAM, OS: WIN 7, Connection: High Speed, Virus/Malware Protection: Avast-2015, SpywareBlaster, Windows Firewall & Defender. Email: Outlook 2010 w/ POP Peeper Email Notifiers.

Offline Milos

  • Avast team
Re: Are Viruses found based on file name only?
« Reply #1 on: October 22, 2009, 10:21:42 AM »
Hi,
you can try it yourself -- change the filename and scan it ;-).

Avast! doesn't detect malware by filename.
http://en.wikipedia.org/wiki/Anti-virus_programs#Identification_methods

G Data uses Avast! as one of its engines.

Milos
« Last Edit: October 22, 2009, 10:24:42 AM by Milos »

Offline RejZoR

Re: Are Viruses found based on file name only?
« Reply #2 on: October 22, 2009, 10:32:04 AM »
I don't think any good antivirus is detecting malware based on filename. Maybe Mail Shield, which checks parameters like file extension and a few other parameters, but the scan engine itself, I don't think so, because this is a very inefficient way of detecting malware if you ask me or anyone else. Besides, you can test it yourself. Rename the file and you'll see if that evades detection. But I doubt you'll have any success...
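The test both replies suggest (rename the file, scan again) works because a signature engine looks at the bytes of the file, not its name. The following is an added illustration written for this page, not code from Avast or any other product: a deliberately minimal content-based scanner with one constructed byte-pattern signature and a hypothetical detection name, run against two constructed files before and after they swap names. Real engines combine many signature types (byte patterns, hashes, heuristics, emulation); the point here is only that the verdict follows the content.

```python
import os
import tempfile
from typing import Optional, Tuple

# Constructed signature table for this example: detection name -> byte pattern.
# "Example:Demo-gen" and the pattern are hypothetical, not a real signature.
SIGNATURES = {
    "Example:Demo-gen": b"DEMO-SIGNATURE-PATTERN",
}


def scan_file(path: str) -> Optional[str]:
    """Return the detection name if any signature pattern occurs in the file bytes, else None.

    The file name is never consulted; only the content is read.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_rename_rescan(path: str, new_name: str) -> Tuple[Optional[str], Optional[str], str]:
    """Scan a file, rename it within its directory, scan again; return both verdicts and the new path."""
    before = scan_file(path)
    new_path = os.path.join(os.path.dirname(path), new_name)
    os.rename(path, new_path)
    after = scan_file(new_path)
    return before, after, new_path


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Build two constructed files and show the verdict is unchanged by renaming either one.

    Returns (flagged_before, flagged_after, clean_before, clean_after).
    """
    workdir = tempfile.mkdtemp()

    # Constructed "flagged" file: a fake MZ header with the signature pattern embedded.
    flagged = os.path.join(workdir, "AsteriskPassword.exe")
    with open(flagged, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"DEMO-SIGNATURE-PATTERN" + b"\x00" * 64)

    # Constructed "clean" file: similar layout, no signature pattern.
    clean = os.path.join(workdir, "SomeOtherProgram.exe")
    with open(clean, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64 + b"ordinary program data" + b"\x00" * 64)

    # Give the flagged file an innocuous-looking name: still detected.
    flagged_before, flagged_after, _ = scan_rename_rescan(flagged, "Notepad.exe")
    # Give the clean file the name the thread discusses: still clean.
    clean_before, clean_after, _ = scan_rename_rescan(clean, "AsteriskPassword.exe")

    return flagged_before, flagged_after, clean_before, clean_after


if __name__ == "__main__":
    print(demo())  # content decides: the flagged file stays flagged, the clean file stays clean
```

Running `demo()` returns `("Example:Demo-gen", "Example:Demo-gen", None, None)`: the renamed flagged file is still detected and the clean file is not, whatever it is called.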

Offline lakrsrool

Re: Are Viruses found based on file name only?
« Reply #3 on: October 22, 2009, 04:07:17 PM »
You're both correct!

I renamed the file to a program name that scans without any problem and Avast still found the file to have a VIRUS.

So it is NOT the name that is at issue here but the executable file itself.

I re-installed the Asterisk program at another location and scanned the new installed program and Avast scanned that new installed executable file as OK - NO VIRUS found.

What I found as well is that the executable file that Avast found to be infected with a VIRUS had a 2/21/08 6:12AM assigned to it and the file size was 756KB.

The newly installed program that according to Avast file was not infected with a VIRUS had the older date of 4/25/07 4:38AM assigned to it and the file size was smaller at 632KB. (which makes more sense because I had downloaded the install on 10/14/07.)

So it would appear clearly that the executable file had been altered and more code added based on the more recent assigned date and larger file size on the "infected" file.

I HAVE DELETED ALL FILES RELATED TO THE OLD INSTALLED PROGRAM.

So then I have the following questions:
1) The assigned date on the "infected" file was 2/21/08.  I would have to conclude that the change to this program was done as of that date.  So it would appear that whatever change occurred that resulted in a VIRUS was way back on 2/21/08.

If the answer to this question is "YES" then my next question would be:

2) Why had this VIRUS not been detected prior to now?  Could it be that this VIRUS was not known until now?

3) I am certain I have used the "infected" program many times since the new assigned date of 2/21/08 and done so as recently as the past month.  I am assuming that the VIRUS does not act unless the program is used. If my assumption is correct then my next question is:

4) How do I know what damage if any that the VIRUS has done from the date of 2/21/08 until now?

5) Could the assigned date not necessarily be when the program was altered? From what I know the Operating System will assign the date when the file is altered so I would think that this would be the date that the code was changed. Am I correct on this?

This is interesting stuff. I will say that I'm thankful that something was at least found that certainly looks like a change to an application program on my computer.  The issue of course is when did this occur and what has the change done at all.

I HAVE NOTICED THAT MY COMPUTER WILL HANG QUITE OFTEN AND THIS HAS BEEN GOING ON FOR MAYBE THE PAST 1 TO 1 1/2 YEARS.

Thanks in advance for any info on the topic.
« Last Edit: October 22, 2009, 04:16:08 PM by lakrsrool »
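The comparison in the post above (date and size of the flagged copy versus a freshly installed copy) is the right instinct, and the reliable form of it is a content hash against a known-good copy. The script below is an added example for this page, not code from the thread or from any vendor; it builds three constructed files (a fresh install, a byte-identical old copy, and a copy with extra bytes appended) and fingerprints each by size, modification time and SHA-256. It also answers question 5 with a caveat: the modification time is ordinary file metadata that any program with write access can set, so two identical files can carry very different dates, and a date alone does not prove when content changed. The hash does.

```python
import hashlib
import os
import tempfile
from typing import Dict


def file_fingerprint(path: str) -> Dict[str, object]:
    """Return size, modification time (as an integer timestamp) and SHA-256 of a file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def same_content(path_a: str, path_b: str) -> bool:
    """True when two files have identical bytes, regardless of name, size hints or timestamps."""
    return file_fingerprint(path_a)["sha256"] == file_fingerprint(path_b)["sha256"]


def demo() -> Dict[str, bool]:
    """Compare a constructed fresh install against an identical old copy and an altered copy."""
    workdir = tempfile.mkdtemp()
    # Constructed program body; stands in for the executable from a trusted installer.
    body = b"MZ" + b"constructed program body " * 100

    fresh = os.path.join(workdir, "fresh_install.exe")
    old_copy = os.path.join(workdir, "old_copy.exe")
    altered = os.path.join(workdir, "altered_copy.exe")

    with open(fresh, "wb") as fh:
        fh.write(body)
    with open(old_copy, "wb") as fh:
        fh.write(body)
    with open(altered, "wb") as fh:
        # Same program plus an appended section: larger file, different hash.
        fh.write(body + b"\x00" * 1024 + b"appended section")

    # Push the old copy's timestamp a year into the future relative to the fresh file.
    # Timestamps are plain metadata; this shows they do not track content.
    fresh_mtime = os.stat(fresh).st_mtime
    later = fresh_mtime + 365 * 24 * 3600
    os.utime(old_copy, (later, later))

    fp_fresh = file_fingerprint(fresh)
    fp_old = file_fingerprint(old_copy)
    fp_altered = file_fingerprint(altered)

    return {
        # Identical bytes hash identically even though the dates differ by a year.
        "identical_despite_mtime": same_content(fresh, old_copy),
        "mtime_differs": fp_old["mtime"] != fp_fresh["mtime"],
        # The altered copy is caught by the hash, and the size difference corroborates it.
        "altered_detected": not same_content(fresh, altered),
        "altered_is_larger": fp_altered["size"] > fp_fresh["size"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When a vendor publishes hashes for its installer or executable, the same `file_fingerprint` output can be checked against that published value; otherwise, as the poster did, a fresh install from the vendor's download is the practical known-good reference.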