Re: Trojan horse Downloader.Generic.ML

From: Zvi Netiv (support_at_replace_with_domain.com)
Date: 06/17/05

  • Next message: Jason Edwards: "Re: Trojan horse Downloader.Generic.ML"
    Date: Fri, 17 Jun 2005 12:39:44 +0300
    
    

    "Ron Reaugh" <ron-reaugh@worldnet.att.net> wrote:

    > It's the file C:\NULL
    >
    > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
    > PC reported the above noted infection. It's Grisoft free AVG with the
    > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
    > with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
    > earlier with no indication of any problems. There are still no indications
    > of any problems EXCEPT that AVG claims it's found this trojan. There have
    > been no floppy operations/mounts, no CD operations/mounts and no downloads
    > and installs of anything since an hour before shutdown last night and now.
    >
    > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
    > 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
    > PC finding nothing.

    What was the file size? I suppose you didn't view the file with a text editor
    (e.g. Notepad). You would risk nothing by viewing the file, as it didn't have an
    executable extension (unless it was a PIF file, which wouldn't show in Explorer,
    but you could know that from the file's icon - 'pif' files have the MS-DOS icon, by
    default). If you had viewed the file then you may have discovered the reason
    for which AVG flagged it as a Trojan.

    My guess is that the "NULL" file was the product of a piping command that was
    misspelled 'null' instead of NUL (e.g. "whatever > nul"). This technique is
    often used in scripts to not display pointless DOS screens. Misspelling the NUL
    device as NULL is rather common.
     
    > So where and how did this file C:\NULL that AVG claims is Trojan horse
    > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
    > suddenly downloaded a new definition file which started seeing this trojan?
    > OR did something penetrate all the firewalls and suddenly spawn this file
    > which AVG quickly recognized?

    There is no proof that the NULL file contained virus/Trojan code. The fact that
    AVG found some Trojan in it proves nothing (FWIW, AVG fared rather badly in a false
    positive susceptibility test that I conducted - see message
    <lt83b1pactuesdcuercefjd4pm9h4kpkd0@4ax.com> in this group - about 40% false
    positives in that particular test).
     
    > What likely happened here?

    Just a false positive. Besides, why does the AVG *on-access* scanner waste time and
    resources on checking a non-executable file like NULL?
     
    > The operation I was in the middle of when AVG popped up was reading a text
    > only no attachment NG message in OE 6.00.2800.1123.

    Doesn't seem connected.

    Regards, Zvi

    --
    NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
    InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
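The two checks the reply recommends (look at the flagged file's size and contents before believing the scanner, and suspect a misspelled `> nul` redirect when a stray file is named NULL) can be scripted. The following is an added example, not code from the thread or from any of the products named in it; the function names (`triage_bytes`, `find_redirect_typos`, `demo`) and the sample batch script and file contents are constructed for illustration. It goes a little beyond the post by also scanning a batch script for the `> null` typo so the source of such artifacts can be found and fixed.

```python
import os
import re
import string
import tempfile

# Redirecting output to the reserved NUL device discards it; misspelling the
# name (e.g. NULL) creates an ordinary file with that name instead.
DEVICE_TYPOS = {"NULL": "NUL"}
# Extensions Windows 9x/NT would treat as directly executable.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs"}
PRINTABLE = set(string.printable.encode("ascii"))
# Matches "> null", ">null", ">> null", "2> NULL" but not "> nullify.txt" or "> nul".
REDIRECT_TYPO = re.compile(r"(?<![\w.])\d?>>?\s*null(?![\w.])", re.IGNORECASE)


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII (an empty file counts as text)."""
    return all(b in PRINTABLE for b in data)


def triage_bytes(name: str, data: bytes) -> dict:
    """Classify a suspect file from its name and raw contents."""
    base = os.path.basename(name.replace("\\", "/"))  # accept DOS-style paths
    ext = os.path.splitext(base)[1].lower()
    report = {
        "name": base,
        "size": len(data),
        "executable_extension": ext in EXECUTABLE_EXTS,
        "has_mz_header": data[:2] == b"MZ",  # DOS/PE executable signature
        "device_typo_of": DEVICE_TYPOS.get(base.upper()),
        "is_text": looks_like_text(data),
    }
    if report["has_mz_header"] or report["executable_extension"]:
        report["verdict"] = "executable content: inspect it before trusting any verdict"
    elif report["device_typo_of"] and report["is_text"]:
        report["verdict"] = "stray redirect output (misspelled %s)" % report["device_typo_of"]
    elif report["is_text"]:
        report["verdict"] = "plain text: open it in an editor and read it"
    else:
        report["verdict"] = "binary data: examine it with a hex viewer"
    return report


def triage_file(path: str) -> dict:
    """Read a file from disk and triage it."""
    with open(path, "rb") as fh:
        return triage_bytes(path, fh.read())


def find_redirect_typos(script: str) -> list:
    """Return (line_number, line) for every '> null' style redirect in a batch script."""
    return [(n, line.rstrip()) for n, line in enumerate(script.splitlines(), 1)
            if REDIRECT_TYPO.search(line)]


# Constructed sample batch script: lines 2 and 4 contain the typo, line 3 is correct.
SAMPLE_BATCH = """@echo off
copy setup.exe C:\\TMP > null
del C:\\TMP\\old.log >nul 2>&1
type report.txt 2> NULL
echo keep this > nullify.txt
"""


def demo() -> dict:
    """Write a constructed NULL file (typical COPY output) to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "NULL")
        with open(path, "wb") as fh:
            fh.write(b"        1 file(s) copied.\r\n")
        return triage_file(path)


if __name__ == "__main__":
    print(demo())
    for n, line in find_redirect_typos(SAMPLE_BATCH):
        print("line %d: %s" % (n, line))
```

The text-or-binary check is deliberately strict (any non-printable byte counts as binary), so a false "binary" verdict sends the reader to a hex viewer rather than quietly passing a file that deserves a look.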
    
