Re: Trojan horse Downloader.Generic.ML

• Previous message: Ron Reaugh: "Re: Trojan horse Downloader.Generic.ML"
• In reply to: Ron Reaugh: "Trojan horse Downloader.Generic.ML"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 17 Jun 2005 12:39:44 +0300

"Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote:

> It's the file C:\NULL
>
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
> earlier with no indication of any problems. There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan. There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.
>
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> PC finding nothing.

What was the file size? I suppose you didn't view the file with a text editor
(e.g. Notepad). You would risk nothing by viewing the file as it didn't have an
executable extension (unless it was a PIF file, which wouldn't show in Explorer,
but you could know that from the file's icon - 'pif' have the MS-DOS icon, by
default). If you had viewed the file then you may have discovered the reason
for which AVG flagged it as a Trojan.

My guess is that the "NULL" file was the product of a piping command that was
misspelled 'null' instead of NUL (e.g. "whatever > nul"). This technique is
often used in scripts to not display pointless DOS screens. Misspelling the NUL
device as NULL is rather common.
 
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this trojan?
> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?

There is no proof that the NULL file contained virus/Trojan code. The fact that
AVG found some Trojan in it proves nothing (FWIW, AVG fared rather bad in false
positives susceptibility that I conducted (see message
<lt83b1pactuesdcuercefjd4pm9h4kpkd0@4ax.com> in this group - about 40% of false
positives in that particular test).
 
> What likely happened here?

Just a false positive. Besides, what for is the AVG *on-access* waste time and
resources on checking an non-executable file like NULL?
 
> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.

Doesn't seem connected.

Regards, Zvi

--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

• Previous message: Ron Reaugh: "Re: Trojan horse Downloader.Generic.ML"
• In reply to: Ron Reaugh: "Trojan horse Downloader.Generic.ML"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]