Author Topic: Worm Alarm that was not there before!  (Read 4042 times)

Offline LeeG

  • Newbie
  • *
  • Posts: 7
Worm Alarm that was not there before!
« on: September 29, 2008, 09:40:52 PM »
I am getting a worm alarm in the update program "UPDATE.exe" for Black Hawk Down that was not there on previous scans.  This is a genuine original CD from GSP white label.  Can anyone explain why this is so?  Is this a false alarm?

Offline LeeG

  • Newbie
  • *
  • Posts: 7
Re: Worm Alarm that was not there before!
« Reply #1 on: September 29, 2008, 10:19:37 PM »
Update.  I have done a scan of the disc with avast and spybot and it has come back negative.  Why am I getting this alert after the file has been installed but not from the initial install file?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82762
  • No support PMs thanks
Re: Worm Alarm that was not there before!
« Reply #2 on: September 30, 2008, 12:18:11 AM »
You don't say what the malware name was of the detection?

Virus signatures are continually added or updated, so it is possible that something previously not detected now is.

The installation file has to unpack the files and in that state avast may not detect update.exe within the installation file, it would depend on the packing (compression/archive) method of the installation file, the type of scan you did, etc.

You could also check the offending/suspect update.exe at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.565) UI-1.0.502/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline LeeG

  • Newbie
  • *
  • Posts: 7
Re: Worm Alarm that was not there before!
« Reply #3 on: September 30, 2008, 12:42:18 AM »
I can not say which malware is detected because avast just states that a Virus/worm is detected with the title of Win32:Trojan-gen {Other}.  My computer started acting very slowly and I did a scan that reported that this file was infected.  The scan also found a similar threat in a couple of other locations.  I have since done a clean re-install of XP and I am in the process of installing all my applications and games.  This alert has come up again when I am trying to re-install Black Hawk Down.  The install is being interrupted because of this alert and I am reluctant to ignore the alert to complete the install.  I therefore can not upload the offending file unless I install it.  I appreciate that new detections are continually being created but this file has previously been on my computer for quite a while.  If an infection is true in this case how come it has taken so long to detect it?  If I can safely install this file I will then try to upload it to Virustotal.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82762
  • No support PMs thanks
Re: Worm Alarm that was not there before!
« Reply #4 on: September 30, 2008, 12:59:59 AM »
You have said the malware name, it is Win32:Trojan-gen {Other}

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

So there is a possibility that this could be a false positive detection, which you should confirm using virustotal as suggested in my post.

Since the file being detected is update.exe, don't let it update.

Have you got 7zip http://www.7-zip.org/ (like winzip)? With it you can open installation files and extract update.exe (to the suspect folder as suggested) from the Black Hawk Down installation file. This would save installing to get the file.

Offline LeeG

  • Newbie
  • *
  • Posts: 7
Re: Worm Alarm that was not there before!
« Reply #5 on: September 30, 2008, 01:08:26 AM »
Thanks for your reply. I will try what you suggest in the morning and post back with the results.  It is getting a bit late for me now. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82762
  • No support PMs thanks
Re: Worm Alarm that was not there before!
« Reply #6 on: September 30, 2008, 02:32:51 AM »
You're welcome, a bit late for me too, 01:33 a.m. here.

Offline LeeG

  • Newbie
  • *
  • Posts: 7
Re: Worm Alarm that was not there before!
« Reply #7 on: September 30, 2008, 12:38:50 PM »
Hi DavidR

I have managed to upload the file to Totalvirus.  The report said that 3 out of 36 scanners reported the trojan threat.  Avast, GData, Ikarus.
Another file (Pack.exe) was also reported as having this threat.  I have uploaded this also and the same result came back as for the update.exe file.  With only 3 showing the threat can I treat this as a false positive?

I would also like to mention that I think the slow down on my computer might not have been this detection but rather the fact that I had run CCleaner.  I think it might have deleted something that it should not have.

Lee

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82762
  • No support PMs thanks
Re: Worm Alarm that was not there before!
« Reply #8 on: September 30, 2008, 02:55:22 PM »
GData uses two AV engines, one is avast, so that is effectively one detection between them, so I would say there is a strong likelihood it is an FP that you should report and exclude as in the link I gave in my first reply.
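The counting argument in the last reply, written out as an added example that is not part of the original thread: scanners that share an engine are merged into one group before detections are counted. Only the GData/avast link comes from the thread; `engine-b` and the `Scanner01`..`Scanner33` names are constructed placeholders.

```python
from collections import defaultdict

# Product -> engines it ships. Only the GData/avast link is from the thread;
# "engine-b" is a placeholder for GData's unnamed second engine.
ENGINES = {
    "Avast": {"avast"},
    "GData": {"avast", "engine-b"},
    "Ikarus": {"ikarus"},
}

# Constructed report matching the thread's totals: 36 scanners, 3 detections.
REPORT = {"Avast": True, "GData": True, "Ikarus": True}
REPORT.update({f"Scanner{i:02d}": False for i in range(1, 34)})


def independent_detections(report, engines=ENGINES):
    """Return (groups_flagging, groups_total); products sharing an engine count once."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        parent[find(a)] = find(b)

    for product in report:
        # Assumption: a product missing from the map runs one in-house engine.
        for engine in engines.get(product, {product.lower()}):
            union(("product", product), ("engine", engine))

    groups = defaultdict(list)
    for product, detected in report.items():
        groups[find(("product", product))].append(detected)

    flagged = sum(1 for verdicts in groups.values() if any(verdicts))
    return flagged, len(groups)


if __name__ == "__main__":
    raw = sum(REPORT.values())
    flagged, total = independent_detections(REPORT)
    print(f"raw: {raw}/{len(REPORT)}  independent: {flagged}/{total}")
```
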