So, I installed the latest free version of Avast! on an XP machine I have laying around. On this machine, I've got AVG free edition, Ad-Aware, Spybot S&D, AVG anti-spyware, Windows Defender, and ZoneAlarm installed and running. This machine hardly gets used, so the concern over it getting infected with something is low.
I installed Avast! to check it out. It scanned the hard drive and found a "Bookworm" file had been infected with a "Win32:Inject" trojan horse. Neither AVG nor any of the other above-mentioned apps (excluding the firewall, of course) reported anything about this infected file.
So, I went to the free support forum for AVG free edition and read the sticky thread on what to do if you have a file you think is infected. In that thread, it says to scan the file using Jotti's malware scanner. If it's infected, e-mail the file to AVG and they will analyze it. Cool.
So, I upload the file to Jotti's scanner and it scans the file using a plethora of anti-virus scanners, a few of which are frequently mentioned and recommended here (e.g. AVG, Avast!, Kaspersky, NOD32, etc.). The scan results from Jotti indicate Avast! and Sophos both detected a trojan horse while NONE of the other scanners detected anything.
When I first scanned the system using Avast! and it found the trojan horse, I thought "cool, Avast really is as good as people say." After seeing the results above, I'm wondering if that was the case or if I'm dealing with a false positive.
My questions:
- How does one go about verifying if any reported infection is an actual infection or a false positive?
- Is it odd that 2 out of 20 anti-virus products would identify a trojan? At first, I thought "Ok, maybe it's something new." So, I did a Google search on "Win32:Inject" and found discussion going back to 2007 and one page claims a variant was detected back in 2006. Given how long it's been around, I began to wonder why only 2 anti-virus scanners would detect it given how long it's possibly been around.
Your thoughts?
Peace...