
worm ( win32:malware-gen )

Posted: Tue Jan 26, 2010 1:41 pm
by jfcc
Hello, a worm ( win32:malware-gen )
is detected by avast anti virus in the file \ubcd\dosapps\astra.cab
on the ubcd CD V50RC1
Is it normal?

Posted: Wed Jan 27, 2010 7:50 am
by RogueSpear
You can always submit files to VirusTotal to see..

http://www.virustotal.com/analisis/63a1 ... 1264115153

Posted: Wed Jan 27, 2010 1:21 pm
by kcarney
McAfee has been doing the same for about a month now, I haven't found a way to alert them of a possible false-positive.

Posted: Wed Jan 27, 2010 2:31 pm
by Icecube
Some files inside the cab file are probably compressed with UPX or another compressor. Virus makers use UPX and other compressors to make it more difficult for virus scanners to see what a program does (needs to be unpacked first). But UPX compression isn't dangerous on its own.

Posted: Thu Jan 28, 2010 9:56 am
by kcarney
UPX compression might not be the problem, I'm not sure if the CAB is compressed with it or the files contained in the CAB. I extracted the astra.cab on an anti-virus free machine and copied single files to a protected machine and the only file McAfee still has a problem with is the ASTRA.PRG file.
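
The per-file triage discussed in the posts above, as an added example that is not part of the original thread: it hashes each file extracted from the cab (for lookup on VirusTotal) and flags the markers UPX leaves by default. The function names are this example's own, and the markers can be stripped or renamed, so a clean result does not prove a file is unpacked.

```python
import hashlib
import struct
import sys
from pathlib import Path

UPX_MAGIC = b"UPX!"  # marker UPX writes into its pack header
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # default PE section names


def pe_section_names(data):
    """Return PE section names, or [] if data is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []  # plain DOS program (MZ without a PE header)
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size
    names = []
    for i in range(n_sections):
        entry = table + 40 * i
        if entry + 40 > len(data):
            break  # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names


def triage(data):
    """Hash one file and report the UPX indicators found in it."""
    hits = [s for s in pe_section_names(data) if s in UPX_SECTIONS]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "upx_magic": UPX_MAGIC in data,
        "upx_sections": sorted(s.decode("latin-1") for s in hits),
    }


if __name__ == "__main__":
    # Usage: python triage.py <folder holding the extracted cab contents>
    for path in sorted(Path(sys.argv[1]).rglob("*")):
        if path.is_file():
            r = triage(path.read_bytes())
            packed = r["upx_magic"] or r["upx_sections"]
            print(path, r["sha256"], "UPX" if packed else "-")
```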

Posted: Fri Apr 09, 2010 6:19 am
by kcarney
I got tired of this anti-virus issue so I decided to rebuild the astra.cab myself, here's how;

1) Grab the latest version of Astra from http://www.sysinfolab.com/
2) Extract contents to a folder eg. C:\dosapps\astra
3) Find a copy of MS's cabarc.exe, it might be in a resource kit not sure
EDIT: Get it here: http://support.microsoft.com/kb/310618
4) Place cabarc.exe in c:\dosapps
5) Create a blank text file in c:\dosapps and rename to makecab.bat
6) Edit file and paste this line:

@cabarc -m LZX:21 -p -r -P astra\ n astra.cab astra\*.*

Save file and double click it

You should now have a new astra.cab in c:\dosapps, move it to your dosapps folder within UBCD and recreate your ISO

This was tested with ASTRA 5.45, there are no AV issues with it.

Posted: Sat Apr 10, 2010 7:09 am
by StopSpazzing
kcarney wrote: McAfee has been doing the same for about a month now, I haven't found a way to alert them of a possible false-positive
Use their forums, and ask...or check their "contact us" tab on their website. All antivirus companies should have a way to report false positives..and if they don't, then they are too cheap to care about their customers and I would recommend moving to another AV. I personally use Avira AntiVir Personal, which is free and does not detect that cab as dangerous.

Posted: Mon Apr 12, 2010 5:07 am
by kcarney
There's nothing like that at all on their website, I searched for what seemed like weeks. One spot I found seemed to be what I was looking for but all it did was upload the file to them so THEY can tell me again that the file might be suspect.

I'll stick with my fix of updating the astra software over redeploying a new AV product to over 400 computers any day. As much as I don't like it, the licensing was just renewed for three more years.