TechSpot

Trojan SHeur, TrendMicro, AVG

By abanerji
Sep 16, 2007
  1. First, my details :-

    Windows version : XP-pro SP2 (patched, confirmed with Secunia site inspector)
    AVG version and virus db version : 7.5.487 and 269.13.21/1010
    Other antivirus software installed : nil
    Other protection software installed : AVG anti-spyware 7.5, ZoneAlarm free 6.5.737.000, ProcessGuard free 3.405

    I had bought a Western Digital external harddisc in Feb 2007, and it came with their software WDSync. I don't use the software; instead I backup my data files to this external HD using Explorer copy function. However, before starting to use the external HD, I had copied (not installed) the WDSync.exe file to my internal harddisc as a precaution. At that time, AVG did not find any issue with this WDSync file.

    Today, I did an online scan from TrendMicro website, and TrendMicro informed that the only malware in my PC is a generic low-threat trojan, viz., avg75free_432a861.exe (which I had downloaded on 31st december 2006, before installing) ! Although TrendMicro wanted to clean it, I did not allow. I have kept a screenshot of TrendMicro's results page.

    However, while TrendMicro was scanning, AVG suddenly popped up and gave the "trojan SHeur.NFD infected file (WDSync)" message. Interestingly, TrendMicro didn't find this file to be infected.

    I have not yet been able to submit the file to jotti, since their server is continuously busy. However, I tried to upload at NormanSandbox and their server returned error (file could not be uploaded) ... this makes me even more suspicious.

    At present, I have moved the file to vault.

    Thanks.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It looks like you have two false positives there. One from trend and the other from AVG.

    As far as I`m aware, both the avg75free_432a861.exe and WDSync are perfectly legit files.

    Regards Howard :)
     
  3. abanerji

    abanerji TS Rookie Topic Starter Posts: 43

    Howard, your diagnosis seems absolutely right. Here's an update.

    I managed to get the file tested at virustotal (after stopping resident shield) ... the relevant parts are :-

    File WDSync.exe received on 09.16.2007 23:22:40 (CET)
    Current status: finished
    Result: 2/32 (6.25%)

    Antivirus Version Last Update Result
    AVG 7.5.0.485 2007.09.16 -
    Sunbelt 2.2.907.0 2007.09.15 VIPRE.Suspicious
    Webwasher-Gateway 6.0.1 2007.09.16 Virus.Win32.FileInfector.gen (suspicious)

    Additional information
    File size: 4347904 bytes
    MD5: d8a1b837f40c4f3e94518ee10509df66
    SHA1: abef9d752fffeb2df0c7ebde5a6ac7383af51c32
    packers: embedded
    packers: embedded
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics​

    I notice from the above results that their test included AVG 7.5.0.485, which gave negative. However, my AVG is a later 7.5.487.
    I also tried testing at jotti, but the result was getting stuck at Panda. A-squared to Norman (including AVG) found nothing.

    Meanwhile, AVG technical support has said : "Unfortunately, the previous virus database might have detected the mentioned virus on some legitimate applications. We can confirm that it was a false alarm. We have immediately released a new virus update that removes the false positive detection on this file. Please update your AVG and check your files again. This file is not detected by AVG with AVG Virus Database version 269.13.21/1012".

    I shall do a complete sys-scan with the latest defs ... hopefully, all will come ok.

    I had also posted at techrepublic (http://techrepublic.com.com/5206-6230-0.html?forumID=101&threadID=237573&start=0) - there are similar cases mentioned in replies to mine.

    Thank you
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...