
HEUR: Trojan.Win32.Generic – What is it and how to get rid of it? (Kaspersky detection)

January 5th, 2008 // Custom descriptions of malware

HEUR: Trojan.Win32.Generic – What is it?

Heur.Trojan.Generic

If you are using Kaspersky Anti-Virus 7 or Kaspersky Internet Security 7, you may have come across the detection “Heur: Trojan.Win32.Generic”, “Heur: Trojan.Win32.Downloader”, “Heur: Trojan.Script.Iframer” or similar. Kaspersky’s Viruslist currently does not have a description for this detection.

Heur.Trojan.Generic, Heur.Downloader, and other detections given by Kaspersky that begin with “Heur.” are files flagged by the new heuristics engine introduced in Version 7 of Kaspersky’s home-user products. These detections encompass a wide range of malware, using special techniques developed by the engineers and virus analysts at Kaspersky Lab to flag suspicious files.

A file flagged by Kaspersky as “Heur.Trojan.Generic” is a file that is deemed to have the characteristics of malware after being analysed by the heuristics engine, but one that has not yet been specifically analysed by the Kaspersky Viruslab.

This means three things:

1) When you receive such a detection, care should be taken not to open or launch the file in question, as it may be malicious.

2) Because this is a “generic” (so to speak) detection, the file has not been 100% confirmed to be malware by the virus analysts (i.e. it has not yet been given a name), so there is a chance that the file is being mistakenly detected and is not actually malicious.

3) The correct course of action would be to isolate the file and send it to the Kaspersky viruslab for analysis, as detailed below.

How to get rid of Heur.Trojan.Generic

When you first get the alert that Heur.Trojan.Generic has been detected, read the alert carefully to determine which file is being detected. If it is a website URL, send the URL to be checked by the Viruslab using the online submission web form located here: http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en

If it is an actual file, do the same thing and upload the file for checking via the web form.

Alternatively, follow the instructions below to send it from quarantine (note: you must have a mail client installed for this to work):

Look at the alert and see if there is an option to quarantine the file. Press “quarantine” if the option is given. The file will then be moved into a secure area where it can not do any damage.

If the “quarantine” option is not given, take a note of the location of the detected file, and “skip” the alert. Because you skipped the alert, you will have to manually add the file to quarantine. To do this, open Kaspersky, click on the “Reports and data files” tab, then “Quarantine”.

[Screenshot: Kaspersky main window]

Once you have clicked on “quarantine”, a new window will open. At the bottom of this window click “add” and browse to the file which is being detected.

[Screenshot: Kaspersky quarantine window]

Once the file has been added, right-click on the corresponding file in the quarantine window and choose the option “send”.

[Screenshot: sending a quarantined file via the Kaspersky interface]

Your mail client should now open with a message auto-composed by Kaspersky to the Kaspersky Viruslab. All you have to do is send it off, and you should soon get an email response from one of the virus analysts confirming whether or not the file is indeed malicious.

If they confirm it is malicious/infected, you can head back over to the quarantine tab and delete the file (right-click it and choose delete). If they confirm that the file is clean, they should fix the false detection and you can safely restore the file from quarantine by right-clicking it and selecting “restore”.
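The three points above (a “Heur.” hit is unconfirmed, so isolate rather than delete, then submit and act on the lab's verdict) and the quarantine/send/restore-or-delete procedure just described can be mirrored in a small script. The following is an added example, not code from the original post and not Kaspersky's own quarantine or submission API: it parses a Kaspersky-style detection label to decide whether the hit is heuristic, moves the file into a read-only quarantine folder keyed by its SHA-256, produces the details you would paste into the vendor's submission form, and then either restores the file (checking it is unchanged) or deletes it once a verdict is in. The folder layout, function names, `verdict` states and the sample file in `demo()` are all this example's own assumptions.

```python
"""Added example: a minimal local quarantine store for unconfirmed heuristic
detections. Not Kaspersky's code; layout and names are assumptions."""
import hashlib
import json
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# A leading "Heur:" or "Heur." marks a hit from the heuristics engine, i.e. a
# file the virus lab has not yet analysed and named.
_HEUR_PREFIX = re.compile(r"^heur\s*[:.]\s*", re.IGNORECASE)


def parse_detection(label):
    """Split e.g. 'Heur: Trojan.Win32.Generic' into its parts."""
    label = label.strip()
    m = _HEUR_PREFIX.match(label)
    heuristic = m is not None
    if heuristic:
        label = label[m.end():]
    parts = label.split(".")
    type_, rest = parts[0], parts[1:]
    platform = rest[0] if len(rest) >= 2 else None
    name = ".".join(rest[1:]) if len(rest) >= 2 else (rest[0] if rest else None)
    # Unconfirmed hits are isolated and submitted, never just deleted.
    action = "quarantine and submit for analysis" if heuristic else "quarantine and delete"
    return {"heuristic": heuristic, "type": type_, "platform": platform,
            "name": name, "action": action}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class QuarantineStore:
    """Files go under root/files as <sha256>.quarantined, read-only, so nothing
    launches them by accident; manifest.json records where they came from."""

    def __init__(self, root):
        self.root = Path(root)
        self.files = self.root / "files"
        self.files.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        self.entries = json.loads(self.manifest.read_text()) if self.manifest.exists() else {}

    def _save(self):
        self.manifest.write_text(json.dumps(self.entries, indent=2))

    def quarantine(self, path, detection):
        src = Path(path).resolve()
        digest = sha256_file(src)
        dst = self.files / (digest + ".quarantined")
        shutil.move(str(src), str(dst))
        os.chmod(dst, 0o400)  # read-only, not executable (POSIX); read-only flag on Windows
        self.entries[digest] = {
            "original_path": str(src), "sha256": digest, "size": dst.stat().st_size,
            "detection": parse_detection(detection),
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "verdict": "pending",  # set once the lab answers
        }
        self._save()
        return digest

    def submission_report(self, digest):
        """The facts you would paste into the vendor's submission form."""
        e = self.entries[digest]
        return {"sha256": digest, "size": e["size"],
                "original_path": e["original_path"], "detection": e["detection"]}

    def restore(self, digest):
        """Lab says clean: put the file back after checking it is unchanged."""
        e = self.entries[digest]
        stored = self.files / (digest + ".quarantined")
        if sha256_file(stored) != digest:
            raise RuntimeError("quarantined copy was modified; refusing to restore")
        os.chmod(stored, 0o600)
        shutil.move(str(stored), e["original_path"])
        e["verdict"] = "clean"
        self._save()
        return e["original_path"]

    def delete(self, digest):
        """Lab confirms malicious: remove the file, keep the manifest record."""
        stored = self.files / (digest + ".quarantined")
        os.chmod(stored, 0o600)
        stored.unlink()
        self.entries[digest]["verdict"] = "malicious"
        self._save()


def demo():
    """Run the full cycle on two constructed sample files in a temp directory."""
    work = Path(tempfile.mkdtemp())
    (work / "downloads").mkdir()
    clean = work / "downloads" / "setup_tool.exe"
    bad = work / "downloads" / "codec_pack.exe"
    payload = b"MZ constructed sample, not a real binary"  # constructed, harmless
    clean.write_bytes(payload)
    bad.write_bytes(b"MZ second constructed sample")
    store = QuarantineStore(work / "quarantine")
    d1 = store.quarantine(clean, "Heur: Trojan.Win32.Generic")
    d2 = store.quarantine(bad, "Heur.Trojan.Generic")
    gone = not clean.exists() and not bad.exists()
    report = store.submission_report(d1)
    restored = Path(store.restore(d1)).read_bytes() == payload  # lab said: clean
    store.delete(d2)                                            # lab said: malicious
    deleted = not (store.files / (d2 + ".quarantined")).exists()
    verdicts = (store.entries[d1]["verdict"], store.entries[d2]["verdict"])
    shutil.rmtree(work)
    return {"digest": d1, "report": report, "isolated": gone,
            "restored_ok": restored, "deleted_ok": deleted, "verdicts": verdicts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The restore step re-hashes the quarantined copy before moving it back, so a file that was altered while sitting in quarantine is never silently returned to its original location; the manifest keeps the record (hash, original path, detection, verdict) even after the file itself is deleted, which is what you want when the lab later publishes a name for the detection.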