Author Topic: Win32:ShareAll-H [Trj]  (Read 5682 times)


cengliong

  • Guest
Win32:ShareAll-H [Trj]
« on: November 05, 2006, 05:30:50 AM »
Hi,

My VPS version was 0645-4, 03/11/2006. When I scanned my files with a thorough scan, I found that I've got a Trojan Horse.

My warning log contains:
05/11/2006 11:06:51 Welly 2220 Sign of  "Win32:ShareAll-H [Trj]" has been found in
"C:\Program Files\iolo\System Mechanic Professional 6\SysMech6.exe\[ASPack]" file.

I've checked the file on http://virusscan.jotti.org/ and the result was infected by Trojan-Spy.Banker.69 (detected only by VBA32)

Your help would be appreciated

cengliong

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:ShareAll-H [Trj]
« Reply #1 on: November 05, 2006, 01:59:20 PM »
Seems a false positive.
As a workaround, please add the file to the Standard Shield exclusion list until you can receive new virus database (VPS) updates.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89161
  • No support PMs thanks
Re: Win32:ShareAll-H [Trj]
« Reply #2 on: November 05, 2006, 04:04:53 PM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner; this uses the Windows version of avast and has a greater number of different scanners, 27 at last count.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11855
    • AVAST Software
Re: Win32:ShareAll-H [Trj]
« Reply #3 on: November 06, 2006, 11:26:06 AM »
Additionally, please pack the misdetected executable into a password-protected ZIP or RAR and send it to virus@avast.com, please (with a "False positive" subject, for example).

cengliong

  • Guest
Re: Win32:ShareAll-H [Trj]
« Reply #4 on: November 07, 2006, 12:12:48 AM »
The new VPS is still detecting it as a trojan (0646-0, 06/11/2006). I've tried VirusTotal and it gave the same result:
  Avast  -> Win32:ShareAll-H
  VBA32 -> suspected of Trojan-Spy.Banker.69 (paranoid heuristics)

I've just sent the file to virus@avast.com

curried

  • Guest
Re: Win32:ShareAll-H [Trj]
« Reply #5 on: November 08, 2006, 10:35:49 AM »
Hi cengliong,

  the VPS of 1st November (0645-0) picked up ShareAll-H in SysMech6.exe for me,
and I got the same result as you when using the multi-scan, VBA32 found Spy.Banker.69 (paranoid heuristics), and commented "possibly infected/malware.  Might be false +ve".

Still not good for the blood pressure when you think you are clean!

I have SysMech6 locked in the Chest until safe to let it out to play....   

cengliong

  • Guest
Re: Win32:ShareAll-H [Trj]
« Reply #6 on: November 08, 2006, 11:28:10 AM »
Newer VPS (646-2, 07/11/2006) gives a clean result. Let us wait for VBA32 to update its database.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:ShareAll-H [Trj]
« Reply #7 on: November 08, 2006, 11:31:48 AM »
> Newer VPS (646-2, 07/11/2006) gives a clean result. Let us wait for VBA32 to update its database.
Well, we're not that bad  ;)

cengliong

  • Guest
VBA32
« Reply #8 on: November 08, 2006, 03:24:40 PM »
My friend once said VBA32 is very good at detecting trojans. If its new database gives a clean result, then should I take it as if my file is safe?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: VBA32
« Reply #9 on: November 08, 2006, 05:36:35 PM »
> My friend once said VBA32 is very good at detecting trojans. If its new database gives a clean result, then should I take it as if my file is safe?
Most probably... but, after all, as you've done before, the best option will be submitting the file to on-line scanners.

cengliong

  • Guest
Re: Win32:ShareAll-H [Trj]
« Reply #10 on: November 09, 2006, 04:38:03 AM »
OK, thanx..