Re: Trojan horse Downloader.Generic.ML

From: Jason Edwards (none1_at_invalid.invalid)
Date: 06/15/05


Date: Wed, 15 Jun 2005 19:45:43 +0100


"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
news:EKYre.963481$w62.31381@bgtnsc05-news.ops.worldnet.att.net...
> It's the file C:\NULL
>
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> with firewall, SpyBot(resident).

And do you use Internet Explorer?

> A normal Shutdown was done 12 hours
> earlier with no indication of any problems.

There wouldn't be.
If something did sneak in via an IE or some other vulnerability then it
would most likely not run until the next startup.

> There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan.

Sounds like an indication of a problem to me.
A false detection is a possibility but there is no way for me to be certain.

> There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.

But you did surf with Internet Explorer?

>
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> PC finding nothing.
>
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this trojan?

Virus scanners don't have any magical ability to detect trojans, they have
to be told what is a trojan and what isn't via the updates. An anti-virus
vendor may manage to do an update in less than a day if the virus/trojan is
all over the news but it may otherwise take longer. Trojan writers are not
under any obligation to send copies of their trojans to anti-virus vendors.

> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?

I have no idea where C:\NULL came from but if it were on my PC I would want
to know what it was.
If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
to see what was there.
I'd also find out whether anything in there was referenced during startup.
For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
or just regedit.

>
> What likely happened here?

Impossible to say. One possibility is that you got something via an
unpatched IE vulnerability. Another is that AVG is/was giving a false
detection. Another is that I don't have a clue what happened.

>
> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.

Did this message contain a link/url that you happened to click on?

Jason
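
Jason's advice to "find out whether anything in there was referenced during startup" can be checked offline once you have a regedit export of the Run keys. The script below is an added example, not code from the thread; it assumes you exported the HKLM/HKCU Run, RunOnce and RunServices keys with regedit (File > Export, which on Win9x produces a REGEDIT4 text file) and then parses that text. The sample export embedded here is constructed for the demo: the entries pointing under C:\NULL are made up, not findings from the poster's machine.

```python
import re

# Constructed sample regedit export (REGEDIT4 is the Win9x export format).
# The "Updater" and "Loader" entries referencing C:\NULL are invented for
# this demo; "Demo" under C:\NULLSOFT is there to exercise the boundary check.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG\\avgcc.exe /STARTUP"
"Updater"="\"C:\\NULL\\upd.exe\" /silent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="rundll32.exe c:\\null\\ld.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Nullsoft"="C:\\Program Files\\Winamp\\winampa.exe"
"Demo"="C:\\NULLSOFT\\demo.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \" (processed left to right)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every REG_SZ value in a .reg export.

    Binary/dword values carry no command line, so they are skipped.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line in ('REGEDIT4', 'Windows Registry Editor Version 5.00'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = '(Default)' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if not (data.startswith('"') and data.endswith('"')):
                continue                       # hex:/dword: value, no path
            entries.append((key, name, _unescape(data[1:-1])))
    return entries


def find_references(entries, path):
    """Entries whose command line references `path` (a file or a directory).

    The match is case-insensitive and must end at a path boundary, so
    C:\\NULL matches "C:\\NULL" and "c:\\null\\x.dll" but not C:\\NULLSOFT.
    """
    target = re.escape(path.rstrip('\\').lower())
    pat = re.compile(target + r'(?=[\\"\s,;]|$)')
    return [(k, n, d) for k, n, d in entries if pat.search(d.lower())]


def main():
    entries = parse_reg_export(SAMPLE_REG_EXPORT)
    hits = find_references(entries, r'C:\NULL')
    print('%d startup values parsed, %d reference C:\\NULL' % (len(entries), len(hits)))
    for key, name, data in hits:
        print('  [%s]\n    "%s" = %s' % (key, name, data))


if __name__ == '__main__':
    main()
```

Run it against your own export to see which Run/RunServices values point at the suspect path; anything it lists is what you would look at with HijackThis or regedit before deciding whether the AVG hit is real. On Win98 also check the run= and load= lines in WIN.INI, which this script does not parse.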
