Re: Trojan horse Downloader.Generic.ML

From: Zvi Netiv (support_at_replace_with_domain.com)
Date: 06/17/05

  • Next message: Jason Edwards: "Re: Trojan horse Downloader.Generic.ML"
    Date: Fri, 17 Jun 2005 12:39:44 +0300
    "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote:

    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated (WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > earlier with no indication of any problems. There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.

    What was the file size? I suppose you didn't view the file with a text editor
    (e.g. Notepad). You would risk nothing by viewing the file, as it didn't have an
    executable extension (unless it was a PIF file, which wouldn't show in Explorer,
    but you could know that from the file's icon - 'pif' files have the MS-DOS icon
    by default). If you had viewed the file then you might have discovered the reason
    for which AVG flagged it as a Trojan.

    My guess is that the "NULL" file was the product of a piping command that was
    misspelled 'null' instead of NUL (e.g. "whatever > nul"). This technique is
    often used in scripts to not display pointless DOS screens. Misspelling the NUL
    device as NULL is rather common.
     
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?
    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?

    There is no proof that the NULL file contained virus/Trojan code. The fact that
    AVG found some Trojan in it proves nothing (FWIW, AVG fared rather badly in a
    false-positive susceptibility test that I conducted; see message
    <lt83b1pactuesdcuercefjd4pm9h4kpkd0@4ax.com> in this group - about 40% false
    positives in that particular test).
     
    > What likely happened here?

    Just a false positive. Besides, why does the AVG *on-access* scanner waste time and
    resources on checking a non-executable file like NULL?
     
    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.

    Doesn't seem connected.

    Regards, Zvi

    --
    NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
    InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
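
    The following batch script is an added illustration of the mechanism Zvi
    describes; it is not code from either post. It assumes a plain cmd/COMMAND.COM
    environment, creates a scratch file named NULL in the current directory, and
    removes it again. The sample text written into the file is constructed for the
    example.

```batch
@echo off
rem Added example: "> nul" versus "> null" in a DOS/cmd script.
rem Run this from a scratch directory; it creates and then deletes a file named NULL there.

rem Correct form: NUL is a reserved device name, so the redirected output is
rem discarded and no file appears on disk.
echo suppressed line > nul

rem Misspelled form: NULL is not a device name, so the shell creates an ordinary
rem file named NULL in the current directory and writes the output into it.
rem A script run from C:\ would therefore leave a C:\NULL behind.
echo constructed sample text that ends up in a file > null

rem Check: a file named NULL now exists; its size and plain-text contents show
rem the harmless origin. Viewing it with TYPE (or Notepad) does not execute it.
if exist null (
    echo A regular file named NULL was created:
    dir null | find /i "null"
    echo Contents:
    type null
) else (
    echo No NULL file was created - the redirection went to a device
)

rem Clean up the artifact. The file is plain text, so deleting it is safe.
del null
```

    The practitioner's check on a real machine is the same as the middle of the
    script: look at the file's size and contents (TYPE, a hex viewer, or Notepad)
    before concluding anything from the scanner's label. A few dozen bytes of
    redirected command output point at a misspelled redirection in some script
    rather than at downloaded malware.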
    
