Re: IMI.1536.A "Dropper" - Different results and findings?
From: siljaline (siljaline_at_invalid.com)
Date: Sat, 6 Sep 2003 19:20:45 -0400
"LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com> wrote in message
> I was performing a series of scans of my machine with various utilities, and
> an item was detected by Pest Patrol as being a "dropper". The name of the
> suspect entry was IMI.1536.A. I found that this is said to affect .EXE
> files. Specifically an Extract.exe file.
> Looking by Find F & F, I see that there are three Extract.exe's in
> C:\Windows. One is located in Windows\Command, the second is in Options\Cabs,
> and the third is in Windows\System. I scanned these (and the entire system
> as well) with AVG AV, Trend Micro AV, and Freedom Online AV - Nothing was
> detected. Spybot didn't find it either; not that I was expecting it to.
> Pest Patrol was the only program that detected this "dropper".
> Presently, I have "quarantined" this item, and have been doing some
> research. On the one hand, the "dropper" has a bad connotation. First it is
> *present* and detected for the first time ever; Second, it is attributed
> with "...In viruses and trojans, the dropper is the part of the program that
> installs the hostile code onto the system." That sounds quite unsettling.
> Symantec site stated Detected as: IMI.1536.A. Characteristics: Memory
> Resident, Triggered. Area of Infection: .EXE Files.
> OTOH, another site stated "These are not dangerous memory resident parasitic
> viruses. They hook INT 21h and write themselves to the end of COM and EXE
> files that are executed. "Imi.1536.a" infects EXE files only."
> "Hello! This is IMI 1.0b.When you see these words,
> you have been infected the IMI 1.0b virus.This is just
> for experiment.Please contact me immediately for cure.
> Fu-Jen U. E.E. Wilbur Dam.1993.4.8."
> I've not gotten this message as yet, but I've no desire to get it.
> So, can I safely rid my PC of this thing without affecting these Extract.exe
Comments, as requested -
Software based A-V's, Norton, et al *should* be left alone to scan for viruses.
Norton A-V should have flagged IMI.1536.A and variants, definitions up to date?
Spyware scanners can and do flag some virus exploits but conversely, should be
left alone to flag Spyware threats. Trojan-like behavior is targeted by SpyBot but
I believe that detection of those is in its infancy.
Online A-V scans do not scan compressed files, AFAIK, Norton online does not.
Therefore, online A-V scans are good for - selling you something, perhaps not much
more. Pest Patrol, to my knowledge, false-flags fairly often, perhaps you should consider
opting out of Pest Patrol and leave the Spyware scans to "true" scanners, Ad-aware and
Hope I've addressed all ;)
--
siljaline
"Arguing with anonymous strangers on the Internet is a sucker's game because they almost always turn out to be -- or to be indistinguishable from -- self-righteous sixteen-year-olds possessing infinite amounts of free time." - Neal Stephenson, _Cryptonomicon_