Re: Trojan horse Downloader.Generic.ML
From: Zvi Netiv (support_at_replace_with_domain.com)
Date: Fri, 17 Jun 2005 12:39:44 +0300
"Ron Reaugh" <email@example.com> wrote:
> It's the file C:\NULL
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
> earlier with no indication of any problems. There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan. There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> PC finding nothing.
What was the file size? I suppose you didn't view the file with a text editor
(e.g. Notepad). You would risk nothing by viewing the file, as it didn't have an
executable extension (unless it was a PIF file, which wouldn't show in Explorer,
but you could know that from the file's icon - 'pif' files have the MS-DOS icon by
default). If you had viewed the file, you might have discovered the reason
for which AVG flagged it as a Trojan.
My guess is that the "NULL" file was the product of a piping command that was
misspelled 'null' instead of NUL (e.g. "whatever > nul"). This technique is
often used in scripts to not display pointless DOS screens. Misspelling the NUL
device as NULL is rather common.
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this trojan?
> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?
There is no proof that the NULL file contained virus/Trojan code. The fact that
AVG found some Trojan in it proves nothing (FWIW, AVG fared rather badly in a
false-positive susceptibility test that I conducted; see message
<firstname.lastname@example.org> in this group - about 40% false
positives in that particular test).
> What likely happened here?
Just a false positive. Besides, why should the AVG *on-access* scanner waste time
and resources on checking a non-executable file like NULL?
> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.
Doesn't seem connected.
--
NetZ Computing Ltd. ISRAEL
www.invircible.com
www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
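The reply above boils down to a triage step: before trusting an on-access verdict on a file like C:\NULL, check its size and look at its contents, because a redirect to a misspelled device name ("whatever > null") leaves an ordinary text file behind. The script below, added here as an illustration and not part of the original thread or of any AVG/InVircible tooling, does that check in Python. The 95% printable-byte threshold, the set of device-name misspellings it recognises (only NULL) and the sample file contents are all constructed for the demo.

```python
"""Triage a suspicious file such as C:\\NULL before trusting an AV verdict.

Added example, not from the original thread. It applies the advice in the
reply: look at the size and the bytes instead of taking the scanner's word.
Thresholds and sample contents are constructed for the demo.
"""
import os
import string
import sys

PRINTABLE = frozenset(bytes(string.printable, "ascii"))
# Misspellings of the DOS NUL device that create a real file when used as a
# redirect target ("whatever > null"). Constructed assumption: only NULL here.
DEVICE_MISSPELLINGS = frozenset({"NULL"})


def classify_content(data: bytes) -> str:
    """Cheap static classification: empty, PE executable, text, or binary."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":  # DOS/PE executable header; deserves real scrutiny
        return "pe-executable"
    printable = sum(1 for b in data if b in PRINTABLE)
    # 95% printable bytes is an assumed cut-off for "looks like text"
    return "text" if printable / len(data) >= 0.95 else "binary"


def triage(name: str, data: bytes) -> dict:
    """Summarise a file and say whether it fits the redirect-artifact theory.

    A file is flagged as a redirect artifact only when its name is a known
    misspelling of a device name AND its contents are text (or empty), which is
    exactly what a stray "> null" in a batch script would leave behind.
    """
    kind = classify_content(data)
    artifact = name.upper() in DEVICE_MISSPELLINGS and kind in ("text", "empty")
    return {
        "name": name,
        "size": len(data),
        "kind": kind,
        "redirect_artifact": artifact,
        "preview": data[:60].decode("ascii", errors="replace"),
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it by basename and contents."""
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read())


if __name__ == "__main__":
    # Constructed samples standing in for files found on disk.
    samples = {
        # what "copy a b > null" would leave behind instead of discarding output
        "NULL": b"        1 file(s) copied.\r\n",
        # a real executable: MZ header, should not be dismissed as an artifact
        "tool.exe": b"MZ\x90\x00" + bytes(60),
    }
    for name, data in samples.items():
        print(triage(name, data))
    # Any paths given on the command line are triaged the same way.
    for path in sys.argv[1:]:
        print(triage_path(path))
```

Run it with no arguments to see the two constructed samples classified, or pass real paths; a "text" verdict with a tiny size and a readable preview is the cue that the scanner is complaining about batch-file noise rather than a downloader.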