Topic: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]

babel2

  • Guest
Hello!!
I've got infections. These are Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj] on some files. I've also scanned with the TrendFlex online scan, but it says no infection found.
I guess Avast got false positives on them.
The files are .vhd files, which are virtual hard drives for MS Virtual Server 2005 SP1, and the contents are the Windows XP OS. I also have others such as .vhd files of Linux and Windows 2000. Avast does not say anything about them.
I don't want to upload these files to the "VirusTotal" web site to check these infections, because it is a security issue for me.

Is this really a false positive or true?

The VPS version is 080116-1, the latest,
and Avast 4.7 Home Edition, build Dec. 2007 (4.7.1098).

Thank you.
   

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #1 on: January 17, 2008, 10:26:15 AM »
I guess it's not a real false positive and it's not a real infection... I suppose that the virtual drive images are compressed (zlib etc.) and maybe even encrypted and should contain "binary garbage" which matches our detection... I can recommend that you add the files (or the path) to the exclusion list... ;)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #2 on: January 17, 2008, 10:30:03 AM »
I don't think they are false positives, the signatures look OK to me.

It's possible that the operating system inside of the images is infected (the first signature, actually, might correspond to a rootkit). Scanning the image files certainly isn't a reliable way of scanning those machines (an antivirus, installed inside of the image, would be better).
Of course, there are also other possibilities - e.g. the signatures might be on a currently unused disk sector (in the image, I mean)... so if there were any malicious files inside previously (possibly even on a previous OS, if the image was reinstalled and not created from scratch)... or maybe even other antivirus programs whose signature database might contain these samples... hard to say.

But I'm quite sure it's not a coincidence, as Maxx assumed.
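A worked illustration of the point igor makes in Reply #2, added here and not part of the thread or of avast's scanner: a signature scan over a .vhd file sees raw sectors, so it can report where a byte pattern sits but not whether any file in the guest still references that sector. The script below builds a small fixed-size VHD in memory (raw sectors plus the 512-byte "conectix" footer), validates the footer checksum, and runs a naive byte-pattern scan over the data area. The planted "signature" is a constructed marker string, not a real antivirus signature, and the creator application tag and disk geometry are made-up values.

```python
"""Added example: parse a fixed VHD footer and run a naive sector-level
signature scan.  Not avast code; the marker string is constructed."""
import struct

SECTOR = 512
# VHD footer layout (all fields big-endian), 512 bytes in total:
# cookie, features, version, data_offset, timestamp, creator_app,
# creator_version, creator_host_os, original_size, current_size,
# geometry, disk_type, checksum, unique_id, saved_state, reserved.
FOOTER_STRUCT = struct.Struct(">8sIIQI4sIIQQIII16sB427x")
FIXED_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF   # "no dynamic header" marker
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\0\0\0\0" + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_fixed_vhd(total_sectors: int, planted: dict) -> bytes:
    """Construct a minimal fixed VHD: raw sectors followed by the footer.
    `planted` maps absolute byte offset -> bytes to write into the data area."""
    data = bytearray(total_sectors * SECTOR)
    for offset, blob in planted.items():
        if offset + len(blob) > len(data):
            raise ValueError("planted data runs past the end of the disk")
        data[offset:offset + len(blob)] = blob
    size = total_sectors * SECTOR
    heads, spt = 4, 17                                # constructed CHS geometry
    cylinders = max(1, total_sectors // (heads * spt))
    geometry = (cylinders << 16) | (heads << 8) | spt
    footer = bytearray(FOOTER_STRUCT.pack(
        b"conectix", 2, 0x00010000, FIXED_DATA_OFFSET, 0,
        b"exmp",                                      # constructed creator tag
        1, 0x5769326B, size, size, geometry, 2, 0, b"\x00" * 16, 0))
    struct.pack_into(">I", footer, CHECKSUM_OFFSET, vhd_checksum(bytes(footer)))
    return bytes(data) + bytes(footer)


def parse_footer(image: bytes) -> dict:
    """Read and validate the trailing 512-byte footer of a VHD image."""
    if len(image) < SECTOR:
        raise ValueError("file too small to be a VHD")
    footer = image[-SECTOR:]
    fields = FOOTER_STRUCT.unpack(footer)
    if fields[0] != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    return {
        "disk_type": DISK_TYPES.get(fields[11], "unknown"),
        "current_size": fields[9],
        "data_offset": fields[3],
        "checksum_ok": fields[12] == vhd_checksum(footer),
    }


def scan_sectors(image: bytes, signatures: dict) -> list:
    """Naive signature scan over the data area of a *fixed* VHD.
    Returns (name, sector, offset_in_sector) for every match.  File offsets
    equal guest sector numbers only for a fixed disk; dynamic and
    differencing disks place blocks via a block allocation table, so they
    are rejected rather than mis-reported."""
    info = parse_footer(image)
    if info["disk_type"] != "fixed":
        raise ValueError("dynamic/differencing VHDs store blocks via a BAT; "
                         "file offsets are not guest sector numbers")
    data = image[:-SECTOR]
    hits = []
    for name, pattern in signatures.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((name, pos // SECTOR, pos % SECTOR))
            pos = data.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    MARKER = b"CONSTRUCTED-MARKER-1"   # stand-in for a signature, not a real one
    img = build_fixed_vhd(64, {10 * SECTOR + 100: MARKER,
                               40 * SECTOR + 500: MARKER})
    print(parse_footer(img))
    for name, sector, off in scan_sectors(img, {"marker": MARKER}):
        print(f"{name}: sector {sector}, byte {off} -- no file-system context, "
              "so it is unknown whether any guest file references this sector")
```

The second planted copy straddles sectors 40 and 41, which is exactly the kind of hit a whole-file scanner reports by offset alone; deciding whether that sector belongs to a live file, a deleted file, or slack space needs the guest file system, which is why scanning from inside the guest is the more reliable check.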

babel2

  • Guest
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #3 on: January 17, 2008, 10:42:23 AM »
Thank you for your suggestion!!
I totally understand your suggestion. However, I want to make sure about this issue: whether these files are actually infected or not, and whether I can use them without any problems or not.
I'm afraid Avast does not support .vhd files?

Thank you.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #4 on: January 17, 2008, 10:50:41 AM »
Unpacking (browsing the content without loading them into VirtualPC)? No, I'm afraid not.

babel2

  • Guest
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #5 on: January 17, 2008, 11:06:11 AM »
Sorry, my Reply#3 was for Maxx_original as Reply#1.
Igor, I worry about running the .vhd file any more. What do you think: when the .vhd is run as a virtual machine guest, are the trojans also activated in the host OS and the guest? And do I have to stay away from these files?
I don't understand what "unpack" means.

Thank you.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #6 on: January 17, 2008, 12:28:15 PM »
The unpacking was related to the question about ".vhd file support" in avast.

Regarding the machines... normally, the virtual machine shouldn't be able to affect the real OS - so, you should be safe to run it, even if the operating system inside was infected.
Of course, there might be some exceptions: if you have some shared folders (real folders on the host, accessible from the virtual machine), a file infector running on the virtual machine would be able to infect them - of course.
Besides that, if the virtual machine has network access, it might be able to send data out (if you had some personal data on the virtual machine, I mean).
There are theoretical possibilities of some exploit (that would allow the malware in the virtual machine to get out of it)... but I wouldn't be afraid of that right now.

babel2

  • Guest
Re: False positive for Win32:Adloader-AC [Trj] and Win32:Agent-SG [Trj]
« Reply #7 on: January 19, 2008, 04:04:22 AM »
I've been trying to find the cause of the problem, but I haven't found it so far.
I've tested the infected .vhd files and the results are as in the following matrix.
               Regular scan   Boot time scan   Trend Micro online scan
At Host OS     Positive       Negative         Negative
At Guest OS    Negative       Negative         Negative

(The regular scan was with thorough and archive scanning enabled. The boot time scan was with archive scanning enabled.)
The infection is only found in the host environment on the .vhd files, as in the matrix above.

So I noticed that the boot time scan is different from the regular scan. I watched the boot time scanning. I suppose the boot time scan doesn't check .vhd files and other huge archive files, except .zip, .cab, .msi, .rar, .lzh, .lha, .exe and .dbx.
The boot time scan was only 45 minutes long, whereas the regular scan was more than 24 hours long. So the boot time scan did not find the infection, and the Trend Micro online scan was the same thing, I guess.

I still don't understand why the regular scan did not find the infection at the guest OS.

Next, I created a new .vhd file into which I freshly installed Win XP, and scanned it; however, no infection was found.
I suppose this is not a false positive.
In addition, I'm wondering what exactly the difference is between the regular scan and the boot time scan.

Thank you.