False positive with avira virusscanners and mcafee too



noeska
20-12-2009, 02:35 PM
Have a read here:
http://forum.sysinternals.com/forum_posts.asp?TID=21226
Sigh ...



I suppose new heuristics will produce false positives until worked on, but Avira I've found always generates a lot - but as long as they're catching they have good scores eh.
Originally posted by ntunldr

Smallest trojan :)

So-called "heuristics" check the Import table and if LdrLoadDll || LdrGetProcedureAddress found then -> TR/Dropper.Generic found!

And another funny detection DR/Delphi.Gen [dropper]


var
  dll: THANDLE;
  p1: pointer;
begin
  dll := LoadLibraryW('wininet.dll');
  if (dll <> 0) then
  begin
    p1 := GetProcAddress(dll, 'InternetSilentTrojanDownloadW');
    if (p1 <> nil) then;
    DbgPrint('RUSTOCK');
    LdrUnloadDll(dll);
  end;
end.


Lol

chronozphere
20-12-2009, 02:45 PM
Friday I cleaned up my PC so Avira isn't running here anymore. :D

Instead I've set up a dual boot (Windows 7 vs. Ubuntu 9.10). I can now try some cross-platform development. :)

jdarling
20-12-2009, 03:32 PM
Combine this with the actual "virus" found in Delphi and now everyone is going to be paranoid :(. As it is you have to look at the actual exe signature/disasm in many cases. Everyday people just don't have that knowledge/time/commitment, instead they just move on to the next product till they find something that works.

Personally, I look for open source and cross-platform in an application. Not only because I have multiple environments to run it on, but also because I've never seen a virus in one of these (not to say it doesn't exist, just that I haven't seen it).

- Jeremy