Re: Protected folders
From: Roger Fink (fink_at_*****.net)
Date: 08/30/05
- Previous message: David H. Lipman: "Re: Protected folders"
- In reply to: David H. Lipman: "Re: Protected folders"
- Next in thread: David H. Lipman: "Re: Protected folders"
- Reply: David H. Lipman: "Re: Protected folders"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Aug 2005 00:13:41 -0400
David H. Lipman wrote:
> From: "Roger Fink" <fink@*****.net>
>
>
>>
>> David - you're here too - what a shocker!
>>
>> OK, I'm probably not going to describe this 100% accurately, but
>> here's my best shot. I recently was infected with VBS:REDLOF. The
>> infected file that was picked up on the virus scan was unfortunately
>> sysclean.exezz, which was created when sysclean.exe was launched
>> earlier, I believe in response to something else. The file had been
>> on the hard drive for awhile. The several other files that normally
>> are created in the same folder when SysClean is launched all had zz
>> added to their extensions, such as .logzz and .dllzz, although they
>> didn't scan "positive". The pattern file to all appearances remained
>> unchanged.
>>
>> What prompted the question is that I wanted to save myself a 3.5mb
>> download by keeping the file on the computer. (I realize this part
>> of the program does get modified from time to time and would need to
>> check that). It's downloaded as an executable but I've currently got
>> it stored as a zip, if that makes any difference. And yes, I agree in
>> advance of your suggesting it that it's not the end of the world to
>> download it only on an as-needed basis.
>>
>> I've done my reading and my housekeeping, and I think my system is
>> free and clear at the moment.
>>
>> BTW, Trend Micro describes VBS:REDLOF and its variants as highly
>> destructive. It's more than an annoyance.
>>
>
> It shouldn't be a surprise you'd find me here. I monitor many virus
> and security related News Groups. I'm out to learn as much as I can
> and assist the affected/infected as much as I can.
>
> Well for one Avast falsely declares SYSCLEAN.COM [ Sysclean is a
> Trend Micro utility ] as having the VBS/Redlof. Do you have Avast?
> This is an old problem and one would think this False Positive
> declaration would have been corrected by now. SYSCLEAN.COM is a
> self-extracting executable and when it is executed the actual AV
> scanner engine is extracted.
>
> Getting back to your original question, a virus or Trojan can be
> written to change the attributes of a file or folder such that it
> goes from Read-Only to Read-Write.

Actually I was just kidding - I gather from your posts in the 98 group that
security is a special area of interest and expertise.

Yes I use Avast - but why is it a false positive if I can see that the file
extensions in the T-M SysClean folder, including the sysclean executable
itself, have been changed? Note that just to make sure that the same
problem would not recur, after the Avast scanner removed sysclean.exezz I
deleted the entire folder, downloaded new components, and ran SysClean again
from a new temporary folder. All the file extensions were normal.