Re: Trojan horse Downloader.Generic.ML

From: Ron Reaugh (ron-reaugh_at_worldnet.att.net)
Date: 06/15/05


Date: Wed, 15 Jun 2005 19:01:42 GMT


"Jason Edwards" <none1@invalid.invalid> wrote in message
news:3hbbasFg5jjsU1@individual.net...
> "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote in message
> news:EKYre.963481$w62.31381@bgtnsc05-news.ops.worldnet.att.net...
> > It's the file C:\NULL
> >
> > Suddenly shortly after cold boot my fully updated (WinUp) and patched W98se
> > PC reported the above noted infection. It's Grisoft free AVG with the
> > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> > with firewall, SpyBot (resident).
>
> And do you use Internet Explorer?

Yep, the very latest and fully patched/WinUp-ed version.

> > A normal Shutdown was done 12 hours
> > earlier with no indication of any problems.
>
> There wouldn't be.
> If something did sneak in via an IE or some other vulnerability then it
> would most likely not run until the next startup.

Are you saying that AVG's resident and SpyBot's resident (watching reg
updates) wouldn't have caught it at the time of infection?

> > There are still no indications
> > of any problems EXCEPT that AVG claims it's found this trojan.
>
> Sounds like an indication of a problem to me.
> A false detection is a possibility but there is no way for me to be certain.

That c:\null IS a bogus file from an unknown source suggests that there was
no false detection.

> > There have
> > been no floppy operations/mounts, no CD operations/mounts and no downloads
> > and installs of anything since an hour before shutdown last night and now.
>
> But you did surf with Internet Explorer?

Yep and other than the possibility that you are a FireFox drum beater, the
use of a fully updated IE generally does NOT expose one to such when a fully
functional firewall, virus checker and spyware checker are in place.

> > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> > PC finding nothing.
> >
> > So where and how did this file C:\NULL that AVG claims is Trojan horse
> > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> > suddenly downloaded a new definition file which started seeing this trojan?
>
> Virus scanners don't have any magical ability to detect trojans, they have
> to be told what is a trojan and what isn't via the updates.

Right, but 5/5/05 is over 30 days old... am I some special case alpha
infection point?

> An anti-virus
> vendor may manage to do an update in less than a day if the virus/trojan is
> all over the news but it may otherwise take longer. Trojan writers are not
> under any obligation to send copies of their trojans to anti-virus vendors.
>
> > OR did something penetrate all the firewalls and suddenly spawn this file
> > which AVG quickly recognized?
>
> I have no idea where C:\NULL came from but if it were on my PC I would want
> to know what it was.
> If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
> to see what was there.

After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
hourly to spot undesirable files. That's what I got AVG etc. for.

> I'd also find out whether anything in there was referenced during startup.
> For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
> or just regedit.
>
> >
> > What likely happened here?
>
> Impossible to say. One possibility is that you got something via an
> unpatched IE vulnerability.

I was under the impression that there weren't any of these that have
resulted in actual infections any time recently. Lots of new
vulnerabilities keep being found and reported and fixed. And that's all
before there are any infections/penetrations using them, and that's what I've
been hearing for over a year.

> Another is that AVG is/was giving a false
> detection. Another is that I don't have a clue what happened.
>
> >
> > The operation I was in the middle of when AVG popped up was reading a text
> > only no attachment NG message in OE 6.00.2800.1123.
>
> Did this message contain a link/url that you happened to click on?

NOPE! I assume that the NG message reading had nothing to do with it but
then what did??

> Jason
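The startup-reference check Jason suggests (regedit, SpyBot S&D advanced mode, HijackThis) can be done offline against a regedit export of the Run keys. The script below is an added example, not code from this thread or from any of those tools: it parses a `.reg` export and lists every string value whose command line mentions a given path such as C:\NULL. The export text is constructed for the example; the entry names in it are made up.

```python
import re

# Constructed sample of a Win98 regedit export (REGEDIT4) of the two Run keys.
# Entry names and commands are made up for the example; two of them point into C:\NULL.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ZoneAlarm"="C:\\PROGRA~1\\ZONELA~1\\zlclient.exe"
"nullsvc"="C:\\NULL\\svc.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"helper"="\"C:\\null\\helper.exe\""
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# String (REG_SZ) values only, which is what Run entries use: "name"="data" or @="data".
VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)


def find_startup_references(reg_text, path):
    """Return (key, value_name, command) for every string value under any key
    whose data mentions `path`; Windows paths are case-insensitive, so the
    comparison is too. Non-string data (hex:, dword:) is skipped."""
    needle = path.lower()
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue  # header, blank line, or a value type we do not parse
        name = '(Default)' if m.group('default') else unescape(m.group('name'))
        data = unescape(m.group('data'))
        if needle in data.lower():
            hits.append((current_key, name, data))
    return hits


if __name__ == '__main__':
    for key, name, cmd in find_startup_references(SAMPLE_REG_EXPORT, r'C:\NULL'):
        print(f'{key}\n    {name} = {cmd}')
```

On a real machine the export comes from regedit (Registry > Export), and win.ini and the StartUp folder would need a separate look since they are not in the registry.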


