Re: Trojan horse Downloader.Generic.ML

From: Jason Edwards (none1_at_invalid.invalid)
Date: 06/15/05

Date: Wed, 15 Jun 2005 19:45:43 +0100

"Ron Reaugh" <> wrote in message
> It's the file C:\NULL
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi
> with firewall, SpyBot(resident).

And do you use Internet Explorer?

> A normal Shutdown was done 12 hours
> earlier with no indication of any problems.

There wouldn't be.
If something did sneak in via an IE or some other vulnerability then it
would most likely not run until the next startup.

> There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan.

Sounds like an indication of a problem to me.
A false detection is a possibility but there is no way for me to be certain.

> There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.

But you did surf with Internet Explorer?

> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on
> PC finding nothing.
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this

Virus scanners don't have any magical ability to detect trojans, they have
to be told what is a trojan and what isn't via the updates. An anti-virus
vendor may manage to do an update in less that a day if the virus/trojan is
all over the news but it may otherwise take longer. Trojan writers are not
under any obligation to send copies of their trojans to anti-virus vendors.

> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?

I have no idea where C:\NULL came from but if it were on my PC I would want
to know what it was.
If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
to see what was there.
I'd also find out whether anything in there was referenced during startup.
For that I'd need spybot S&D in advanced mode or
or just regedit.

> What likely happened here?

Impossible to say. One possibility is that you got something via an
unpatched IE vulnerability. Another is that AVG is/was giving a false
detection. Another is that I don't have a clue what happened.

> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.

Did this message contain a link/url that you happened to click on?