Re: Trojan horse Downloader.Generic.ML

From: Jason Edwards (none1_at_invalid.invalid)
Date: 06/16/05

    Date: Thu, 16 Jun 2005 10:19:37 +0100

    "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
    news:G23se.965445$w62.820769@bgtnsc05-news.ops.worldnet.att.net...
    >
    > "Jason Edwards" <none1@invalid.invalid> wrote in message
    > news:3hbf5hFg0qm4U1@individual.net...
    > > "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
    > > news:qW_re.324813$cg1.141727@bgtnsc04-news.ops.worldnet.att.net...
    > > >
    > > > "Jason Edwards" <none1@invalid.invalid> wrote in message
    > > > news:3hbbasFg5jjsU1@individual.net...
    > > > > "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
    > > > > news:EKYre.963481$w62.31381@bgtnsc05-news.ops.worldnet.att.net...
    > > > > > It's the file C:\NULL
    > > > > >
    > > > > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > > > > > PC reported the above noted infection. It's Grisoft free AVG with the
    > > > > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > > > > > with firewall, SpyBot(resident).
    > > > >
    > > > > And do you use Internet Explorer?
    > > >
    > > > Yep, the very latest and fully patched/WinUp-ed version.
    > >
    > > Ok, so it's probably only got approximately n+100 vulnerabilities left to be
    > > patched.
    >
    > Maybe but do you have any evidence that any of these has been actually used
    > in a penetration recently? OR are they all just potential?

    Sure. Some time ago I was curious about strange messages with links
    appearing in newsgroups, so I set up an isolated PC with its own broadband
    connection running Windows 98 with ALL updates and clicked one of the links.
    This took me to a website offering adult material. I can't remember the
    details but it had some clever way of getting me to scroll down and click. A
    quick run of hijackthis then discovered that a trojan had been planted in
    the startup folder and was waiting to run on the next startup.
    The computer was then wiped and restored from a clean image.
    I got rid of the trojan file about a week later, it was kept only to verify
    that two popular virus scanners were still pronouncing it clean after a
    week.

    >
    > > >
    > > > > > A normal Shutdown was done 12 hours
    > > > > > earlier with no indication of any problems.
    > > > >
    > > > > There wouldn't be.
    > > > > If something did sneak in via an IE or some other vulnerability then it
    > > > > would most likely not run until the next startup.
    > > >
    > > > Are you saying that AVG's resident and SpyBot's resident(watching reg
    > > > updates) wouldn't have caught it at the time of infection?
    > >
    > > Yes
    >
    > Why? If that's not what they're lookin for then what are they lookin for?

    I thought I'd already explained that no matter how hard they look they can't
    be expected to include all malware the same day it's written. Some may only
    be included months later, or perhaps never.

    >
    > > > > > There are still no indications
    > > > > > of any problems EXCEPT that AVG claims it's found this trojan.
    > > > >
    > > > > Sounds like an indication of a problem to me.
    > > > > A false detection is a possibility but there is no way for me to be
    > > > certain.
    > > >
    > > > That c:\null IS a bogus file from an unknown source suggests that there was
    > > > no false detection.
    > >
    > > It does, if you are sure that C:\NULL is not part of anything legitimate or
    > > anything you have done yourself.
    >
    > I'm sure. You ever heard of c:\null?

    Nope.

    >
    > > > > > There have
    > > > > > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > > > > > and installs of anything since an hour before shutdown last night and
    > > > > > now.
    > > > >
    > > > > But you did surf with Internet Explorer?
    > > >
    > > > Yep and other than the possibility that you are a FireFox drum beater, the
    > > > use of a fully updated IE generally does NOT expose one to such when a fully
    > > > functional firewall, virus checker and spyware checker are in place.
    > >
    > > I don't wish to upset you but it took me a while to stop laughing after
    > > reading that.
    >
    > Provide some references that suggest that is not the usual and EFFECTIVE
    > model?

    Sure it's the usual model for a home Windows user but it is not effective
    for the reasons you have discovered for yourself. Personal software
    firewalls are useless because there are many ways for malware to bypass
    them. Malware might ride on another application such as Internet Explorer,
    it might answer the firewall's popup questions itself, it might shut the
    firewall down completely, it might prevent the firewall from getting
    updates, etc.
    Virus scanners are useless for exactly the reason that you are
    understandably upset about discovering for yourself. You thought you were
    doing everything possible but you still got a trojan.

    >
    > > > > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > > > > > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > > > > > PC finding nothing.
    > > > > >
    > > > > > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > > > > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > > > > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > > > > > suddenly downloaded a new definition file which started seeing this trojan?
    > > > >
    > > > > Virus scanners don't have any magical ability to detect trojans, they have
    > > > > to be told what is a trojan and what isn't via the updates.
    > > >
    > > > Right but 5/5/05 is over 30 days old...am I some special case alpha
    > > > infection point?
    > >
    > > Nope, you're just an average Windows user who got the trojan that wasn't
    > > widespread enough to be noticed immediately.
    >
    > I find that unlikely but barely possible.

    Barely possible would be more than enough for me. I'd rather make it
    impossible. To do that you arrange to prevent any executable code getting
    where you don't want it. This is likely to be impossible with a Windows 98
    PC connected directly to a broadband connection where everything has
    complete access to everything else.
    Consider an external firewall box which stops it getting to the PC in the
    first place.

    >
    > > > > An anti-virus
    > > > > vendor may manage to do an update in less than a day if the virus/trojan is
    > > > > all over the news but it may otherwise take longer. Trojan writers are not
    > > > > under any obligation to send copies of their trojans to anti-virus vendors.
    > > > >
    > > > > > OR did something penetrate all the firewalls and suddenly spawn this file
    > > > > > which AVG quickly recognized?
    > > > >
    > > > > I have no idea where C:\NULL came from but if it were on my PC I would want
    > > > > to know what it was.
    > > > > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
    > > > > to see what was there.
    > > >
    > > > After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
    > > > hourly to spot undesirable files. That's what I got AVG etc. for.
    > >
    > > I don't either, but I don't allow additional executable files on to the
    > > system in the first place, so I don't have to go file spotting very often on
    > > my own machines. I also don't need AVG.
    > >
    > > >
    > > > > I'd also find out whether anything in there was referenced during startup.
    > > > > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
    > > > > or just regedit.
    > > > >
    > > > > >
    > > > > > What likely happened here?
    > > > >
    > > > > Impossible to say. One possibility is that you got something via an
    > > > > unpatched IE vulnerability.
    > > >
    > > > I was under the impression that there weren't any of these that have
    > > > resulted in actual infections any time recently. Lots of new
    > > > vulnerabilities keep being found and reported and fixed. And that's all
    > > > before there are any infections/penetrations using them and that's what I've
    > > > been hearing for over a year.
    > >
    > > Who have you been hearing this from?
    >
    > Where have you been hearing the other from?
    >
    > > Ask yourself why there is a cumulative update every month.
    >
    > YES, please do so. Have you been reading about the intense preemptive work
    > going on to find the holes before the hackers. From what I've heard that's
    > been effective down to within a day or two for the last year or two.
    > References otherwise?

    How about the experiment I did with the isolated Windows 98 PC described
    above.
    It may be that this hole has since been patched but it makes no difference
    to me, I will continue to trust no executable code unless I'm very sure
    about where it came from and what it's going to do to my system.
    You may say that it's difficult or impossible to keep adware off a Windows
    PC. But this is not the same as asking whether or not it can be done.

    >
    > > > > Another is that AVG is/was giving a false
    > > > > detection. Another is that I don't have a clue what happened.
    > > > >
    > > > > >
    > > > > > The operation I was in the middle of when AVG popped up was reading a text
    > > > > > only no attachment NG message in OE 6.00.2800.1123.
    > > > >
    > > > > Did this message contain a link/url that you happened to click on?
    > > >
    > > > NOPE! I assume that the NG message reading had nothing to do with it but
    > > > then what did??
    > >
    > > It is not possible for me to say for certain what did.
    > >
    > > If I were you I'd wipe the drive and reinstall the operating system.
    >
    > Clueless!

    There was a Microsoft technet article giving just this advice but I can't
    find it, maybe someone else can unless it's gone.

    >
    > > There is no other way to be sure that your system isn't compromised.
    >
    > Now you've established your credentials.

    No. What I have established is that you are understandably upset about the
    fact that you did everything you thought you had to do (virus scanner,
    personal firewall, spyware remover) but you STILL got a trojan.
    It's not my fault if you would rather attack the person giving you this
    information instead of asking yourself why the methods you've applied so far
    are not working.

    Jason
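
    Editor's added example, not code from Jason or anyone else in the thread: Jason's suggestion to check whether anything is referenced at startup (regedit, HijackThis) works best as a baseline you export once and diff later, since it does not wait on a scanner's definition update. The REGEDIT4 text below is constructed, and the value name and path it flags are invented for illustration.

```python
import re

# Constructed REGEDIT4 export, in the form "regedit /e run.reg <key>" writes it;
# the value names and paths here are invented for illustration.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE_REG = rf"""REGEDIT4

[{RUN_KEY}]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"""
# The same key exported again later (constructed): one value has appeared.
CURRENT_REG = BASELINE_REG + '"loader"="C:\\\\NULL"\n'


def parse_reg_export(text):
    """Parse REGEDIT4 text into {key: {value_name: string_data}}; only string values are kept."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and line.startswith('"'):
            m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # dword: and hex: data are skipped for brevity
                name, data = (g.replace("\\\\", "\\").replace('\\"', '"') for g in m.groups())
                entries[key][name] = data
    return entries


def diff_autostart(baseline, current):
    """Return (added, changed, removed) as sorted lists of (key, value_name, data)."""
    added, changed, removed = [], [], []
    for key in set(baseline) | set(current):
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in set(old) | set(new):
            if name not in old:
                added.append((key, name, new[name]))
            elif name not in new:
                removed.append((key, name, old[name]))
            elif old[name] != new[name]:
                changed.append((key, name, new[name]))
    return sorted(added), sorted(changed), sorted(removed)


if __name__ == "__main__":
    result = diff_autostart(parse_reg_export(BASELINE_REG), parse_reg_export(CURRENT_REG))
    for label, items in zip(("ADDED", "CHANGED", "REMOVED"), result):
        for key, name, data in items:
            print(f"{label}: [{key}] {name} = {data}")
```

The same comparison applies to the Startup folder listing and the RunServices/RunOnce keys; anything new that you did not install yourself is worth investigating regardless of what the scanner says.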
