worm ( win32:malware-gen )

Discussion/announcements about test/beta releases of UBCD will be posted here.

Moderators: Icecube, StopSpazzing

jfcc
Posts: 1
Joined: Tue Jan 26, 2010 1:28 pm

worm ( win32:malware-gen )

#1 Post by jfcc » Tue Jan 26, 2010 1:41 pm

Hello, a worm ( win32:malware-gen ) is detected by Avast antivirus in the file \ubcd\dosapps\astra.cab on the UBCD CD V50RC1.
Is it normal?

RogueSpear
Posts: 3
Joined: Wed Nov 11, 2009 10:35 am
Location: Buffalo, NY

#2 Post by RogueSpear » Wed Jan 27, 2010 7:50 am

You can always submit files to VirusTotal to see..

http://www.virustotal.com/analisis/63a1 ... 1264115153

kcarney
Posts: 52
Joined: Tue Nov 24, 2009 9:22 am

#3 Post by kcarney » Wed Jan 27, 2010 1:21 pm

McAfee has been doing the same for about a month now. I haven't found a way to alert them of a possible false positive.

Icecube
Posts: 1278
Joined: Fri Jan 11, 2008 2:52 pm
Contact:

#4 Post by Icecube » Wed Jan 27, 2010 2:31 pm

Some files inside the cab file are probably compressed with UPX or another compressor. Virus makers use UPX and other compressors to make it more difficult for virus scanners to see what a program does (needs to be unpacked first). But UPX compression isn't dangerous on its own.
Download Ultimate Boot CD v5.0: http://www.ultimatebootcd.com/download.html
Use Parted Magic for handling all partitioning tasks: http://partedmagic.com/

kcarney
Posts: 52
Joined: Tue Nov 24, 2009 9:22 am

#5 Post by kcarney » Thu Jan 28, 2010 9:56 am

UPX compression might not be the problem; I'm not sure if the CAB is compressed with it or the files contained in the CAB. I extracted the astra.cab on an anti-virus-free machine and copied single files to a protected machine, and the only file McAfee still has a problem with is the ASTRA.PRG file.
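The per-file check discussed in posts #4 and #5, as an added example that is not part of the original thread: for each extracted file it produces a SHA-256 for a VirusTotal lookup, reports the marker strings UPX normally leaves behind, and computes byte entropy. The function names and the two sample byte strings are constructed for illustration; missing markers do not prove a file is unpacked, since they can be stripped.

```python
import hashlib
import math
import sys
from collections import Counter
from pathlib import Path

# Byte strings UPX normally leaves in files it packs: the "UPX!" header
# magic and the UPX0/UPX1 section names of packed PE files.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

# Constructed sample inputs (not real files from the UBCD image).
SAMPLE_PLAIN = b"MZ" + b"\x00" * 510
SAMPLE_PACKED = b"MZ" + b"UPX0" + b"UPX1" + b"UPX!" + bytes(range(256)) * 8

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Hash for a VirusTotal lookup, UPX markers found, and entropy."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "upx_markers": [m.decode() for m in UPX_MARKERS if m in data],
        "entropy": round(entropy(data), 2),
    }

def triage_dir(root: str) -> dict:
    """Run triage() on every regular file below root."""
    return {str(p): triage(p.read_bytes())
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

if __name__ == "__main__":
    # With an argument: scan that folder (e.g. the extracted astra.cab).
    # Without one: show the two constructed samples.
    results = triage_dir(sys.argv[1]) if len(sys.argv) > 1 else {
        "plain.bin": triage(SAMPLE_PLAIN),
        "packed.bin": triage(SAMPLE_PACKED),
    }
    for name, info in results.items():
        markers = ",".join(info["upx_markers"]) or "-"
        print(f"{info['sha256']}  H={info['entropy']}  upx={markers}  {name}")
```
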

kcarney
Posts: 52
Joined: Tue Nov 24, 2009 9:22 am

#6 Post by kcarney » Fri Apr 09, 2010 6:19 am

I got tired of this anti-virus issue so I decided to rebuild the astra.cab myself. Here's how:

1) Grab the latest version of Astra from http://www.sysinfolab.com/
2) Extract contents to a folder, e.g. C:\dosapps\astra
3) Find a copy of MS's cabarc.exe; it might be in a resource kit, not sure
EDIT: Get it here: http://support.microsoft.com/kb/310618
4) Place cabarc.exe in c:\dosapps
5) Create a blank text file in c:\dosapps and rename to makecab.bat
6) Edit the file, paste this line, save the file and double-click it:
   @cabarc -m LZX:21 -p -r -P astra\ n astra.cab astra\*.*

You should now have a new astra.cab in c:\dosapps. Move it to your dosapps folder within UBCD and recreate your ISO.

This was tested with ASTRA 5.45, there are no AV issues with it.

StopSpazzing
Posts: 462
Joined: Tue Sep 09, 2008 4:37 pm
Location: California, USA
Contact:

#7 Post by StopSpazzing » Sat Apr 10, 2010 7:09 am

kcarney wrote: McAfee has been doing the same for about a month now, I haven't found a way to alert them of a possible false-positive
Use their forums, and ask...or check their "contact us" tab on their website. All antivirus companies should have a way to report false positives..and if they don't, then they are too cheap to care about their customers and I would recommend moving to another AV. I personally use Avira AntiVir Personal, which is free and does not detect that cab as dangerous.
~Just StopSpazzing~

Visit the UBCD Wiki: http://wiki.ultimatebootcd.com
Please check your UBCD ISO MD5 Hash Sum; May prevent issues later on by not having an exact copy.

Currently Working on Common Issues and Repair Tips on the Wiki.

kcarney
Posts: 52
Joined: Tue Nov 24, 2009 9:22 am

#8 Post by kcarney » Mon Apr 12, 2010 5:07 am

There's nothing like that at all on their website, I searched for what seemed like weeks. One spot I found seemed to be what I was looking for but all it did was upload the file to them so THEY can tell me again that the file might be suspect.

I'll stick with my fix of updating the astra software over redeploying a new AV product to over 400 computers any day. As much as I don't like it, the licensing was just renewed for three more years.
