false positive or irony "Win32:Tibs-AIB [Trj] in avast.int"?

[treker96mk2]

4/6/2007 1:49:21 PM   ed-admin   2176   Sign of "Win32:Tibs-AIB [Trj]" has been found in "C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int" file.

[Lisandro]

Strange... that file is VRDB from avast!

Anyway, it should be there but to know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
If the file is too big, you can use the ftp server of avast to send the file. Upload them to ftp://ftp.avast.com/incoming (please, note that you won't have READ access to the ftp server, just write - so you won't even be able to see what you've just uploaded).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left click the 'a' blue icon, click on the provider icon at left and then Customize. Go to Advanced tab and click on Add button...

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838

[treker96mk2]

guess it's a false positive sending to avast
Complete scanning result of "avast.int", received in VirusTotal at 04.07.2007, 03:25:29 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.4.7.0   04.06.2007   no virus found
AntiVir   7.3.1.48   04.06.2007   no virus found
Authentium   4.93.8   04.06.2007   no virus found
Avast   4.7.936.0   04.06.2007   Win32:Tibs-AIB
AVG   7.5.0.447   04.07.2007   no virus found
BitDefender   7.2   04.07.2007   no virus found
CAT-QuickHeal   9.00   04.06.2007   no virus found
ClamAV   devel-20070312   04.07.2007   no virus found
DrWeb   4.33   04.06.2007   no virus found
eSafe   7.0.15.0   04.06.2007   no virus found
eTrust-Vet   30.7.3549   04.06.2007   no virus found
Ewido   4.0   04.06.2007   no virus found
FileAdvisor   1   04.07.2007   no virus found
Fortinet   2.85.0.0   04.06.2007   no virus found
F-Prot   4.3.1.45   04.04.2007   no virus found
F-Secure   6.70.13030.0   04.06.2007   no virus found
Ikarus   T3.1.1.3   04.06.2007   no virus found
Kaspersky   4.0.2.24   04.07.2007   no virus found
McAfee   5003   04.06.2007   no virus found
Microsoft   1.2405   04.06.2007   no virus found
NOD32v2   2171   04.06.2007   no virus found
Norman   5.80.02   04.05.2007   no virus found
Panda   9.0.0.4   04.06.2007   no virus found
Prevx1   V2   04.07.2007   no virus found
Sophos   4.16.0   04.06.2007   no virus found
Sunbelt   2.2.907.0   04.07.2007   no virus found
Symantec   10   04.07.2007   no virus found
TheHacker   6.1.6.085   04.04.2007   no virus found
VBA32   3.11.3   04.06.2007   no virus found
VirusBuster   4.3.7:9   04.06.2007   no virus found
Webwasher-Gateway   6.0.1   04.06.2007   no virus found

Aditional Information
File size: 8145968 bytes
MD5: 6718ba881a4aafec320494186b618316
SHA1: bd600313eccf391d8d8fc81e9f0f2714f11db077
packers: exefile

[DavidR]

That is a bit strange, the VRDB integ\avast.int is unique to every installation because it depends on what files are on your system and included in the VRDB scan.

All I can think of is perhaps there was an exe or dlll file that was infected but the VPS signatures didn't detect it at that time and elements of the file being used somehow matched a new signature. I believe you could delete the avast.int file and when you do a manual VRDB Generate a new file would be Created. But, it would be safer to rename the file to say avast-int.old and then do a manual VRDB Generate now, that way it could be at some point sent to avast as I think they would be interested in it.

I just scanned mine and no detection.

[treker96mk2]

new avast.int seem's clean. "old one sent to avast as false positive before i read your message DavidR"

[DavidR]

Thanks for the feed back, it is very strange that avast.int is detected since it is avast that complies it. I'm sure the avast team will be interested in this very strange occurrence.

Any way good that you have resolved the problem.

[Lisandro]

I'm sure the avast team will be interested in this very strange occurrence.

I would like to see an official word about this...
The most strange is that I thought the VRDB file was encrypted to avoid any 'infection'...
Why the VRDB is being detected as infected? Could it be an infected file added to it? If I remember correctly, Igor said the files are scanned BEFORE being added to VRDB, so...

[DavidR]

I think it is nothing more than a coincidence that a string within the VRDB matched a signature and it happened during the compilation of the avast.int file after or during a VRDB generation.

I'm not sure about an infected file being added to it, I believe one of the team mentioned that files were scanned before being included in the VRDB and also as the complete file isn't included I can't see how it might be infected.

If as I mentioned before malware not previously detected may be after a VPS update, so that would allow some infected file past any scan prior to the VRDB generation, but that brings us back to the fact that the complete file isn't included just the information to be able to effect a repair.

All in all very strange.

[Lisandro]

All in all very strange.

This is the reason I've asked some 'official' answer here...

[igor]

It might happen if:
- the file is added to VRDB before avast! detects it
- the detection is added later
- the signature for the detection is chosen at the very small part stored in VRDB

It's not very likely, of course, but yes, it might happen...

[DavidR]

The original poster, treker96mk2 has submitted the file it would be interesting to see what you discover.

[Lisandro]

It might happen if:
- the file is added to VRDB before avast! detects it
- the detection is added later
- the signature for the detection is chosen at the very small part stored in VRDB

It's not very likely, of course, but yes, it might happen...

Mystery solved