As a follow-up to my blog post about g-archiver, I submitted g-archiver to Avira Labs (makers of Anti-Vir) for analysis so it can be added to their database. Their web form didn’t have anywhere to add additional information, so I submitted by email instead, with a link to the dissection of the code.
Despite being handed it on a plate, they failed to identify the threat:
This demonstrates exactly why you can’t trust anyone when it comes to computer security, even the good guys. g-archiver is a trojan, stealing your login details, but anyone using Anti-Vir or in fact any other AV program wouldn’t know just by scanning it. A test of 32 different AV programs showed they all passed it.
I will submit the file and the analysis to other AV vendors; hopefully some of them will eventually figure it out. I’m more hopeful that open source and freeware software such as ClamAV and Spybot will take notice.