Re: IMI.1536.A "Dropper" - Different results and findings?

From: siljaline (siljaline_at_invalid.com)
Date: 09/07/03


Date: Sat, 6 Sep 2003 19:20:45 -0400


"LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com> wrote in message
news:eADweaDdDHA.2368@TK2MSFTNGP09.phx.gbl...
> I was performing a series of scans of my machine with various utilities, and
> an item was detected by Pest Patrol as being a "dropper". The name of the
> suspect entry was IMI.1536.A. I found that this is said to affect .EXE
> files. Specifically an Extract.exe file.
>
> Looking by Find F & F, I see that there are three Extract.exe's in
> C:\Windows. One is located in Windows\Command, the second is in Options\Cabs,
> and the third is in Windows\System. I scanned these (and the entire system
> as well) with AVG AV, Trend Micro AV, and Freedom Online AV - Nothing was
> detected. Spybot didn't find it either; not that I was expecting it to.
>
> Pest Patrol was the only program that detected this "dropper".
>
> Presently, I have "quarantined" this item, and have been doing some
> research. On the one hand, the "dropper" has a bad connotation. First it is
> *present* and detected for the first time ever; Second, it is attributed
> with "...In viruses and trojans, the dropper is the part of the program that
> installs the hostile code onto the system." That sounds quite unsettling.
>
> Symantec site stated Detected as: IMI.1536.A. Characteristics: Memory
> Resident, Triggered. Area of Infection: .EXE Files.
>
> OTOH, another site stated "These are not dangerous memory resident parasitic
> viruses. They hook INT 21h and write themselves to the end of COM and EXE
> files that are executed. "Imi.1536.a" infects EXE files only."
> "Imi.1536.a":
>
> "Hello! This is IMI 1.0b.When you see these words,
> you have been infected the IMI 1.0b virus.This is just
> for experiment.Please contact me immediately for cure.
> Fu-Jen U. E.E. Wilbur Dam.1993.4.8."
>
> I've not gotten this message as yet, but I've no desire to get it.
>
> So, can I safely rid my PC of this thing without affecting these Extract.exe
> programs?
> --
> LuckyStrike
> LS@smokedamagedfurniture.youcandriveitawaytoday.com

Lucky,
Comments, as requested -

Software-based A-Vs, Norton et al., *should* be left alone to scan for viruses.
Norton A-V should have flagged IMI.1536.A and variants; are your definitions up to date?

Spyware scanners can and do flag some virus exploits but, conversely, should be
left alone to flag spyware threats. Trojan-like behavior is targeted by SpyBot, but
I believe that detection of those is in its infancy.

Online A-V scans do not scan compressed files, AFAIK; Norton online does not.
Therefore, online A-V scans are good for selling you something, perhaps not much
more. Pest Patrol, to my knowledge, false-flags fairly often; perhaps you should consider
opting out of Pest Patrol and leaving the spyware scans to "true" scanners, Ad-aware and
SpyBot...

Hope I've addressed all ;)

Regards,

-- 
siljaline
"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_
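An added defender-side triage example for the situation LuckyStrike describes (my own code, not from either poster): the three Extract.exe copies are hashed, checked for an MZ header, and searched for the self-identifying text the thread quotes from the virus, so the conflicting scanner verdicts can be cross-checked against the files themselves. The marker bytes are constructed from the quoted message, and the sample images in the demo are constructed stand-ins, not real files.

```python
import hashlib

# Self-identifying text the thread quotes from the IMI 1.0b infector; this byte
# string is constructed from that quote for matching, not taken from a sample.
IMI_MARKER = b"Hello! This is IMI 1.0b"

def triage_bytes(data, label="<memory>"):
    """Describe one executable image: size, SHA-256, MZ header check, marker hit."""
    return {
        "label": label,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "mz_header": data[:2] == b"MZ",
        "imi_marker": IMI_MARKER in data,
    }

def triage_file(path):
    """Read one file from disk and triage it (for the three Extract.exe paths)."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read(), label=path)

def compare_copies(images):
    """images: list of (label, bytes). Returns per-copy triage plus two cross-copy
    signals. Copies that hash identically and carry no marker point toward a
    false positive; a copy that differs and carries the marker points toward
    infection. Note that legitimate copies from different install sources may
    differ in hash, so a hash mismatch alone is only a reason to look closer."""
    results = [triage_bytes(d, label=l) for l, d in images]
    hashes = {r["sha256"] for r in results}
    return {
        "results": results,
        "all_identical": len(hashes) == 1,
        "marker_hits": [r["label"] for r in results if r["imi_marker"]],
    }

if __name__ == "__main__":
    # Constructed stand-ins for the three Extract.exe copies named in the post:
    # a tiny fake MZ image, two clean copies and one with the marker appended,
    # as an appending infector would leave it.
    clean = b"MZ" + b"\x00" * 62 + b"fake extract.exe body"
    infected = clean + b"\r\n" + IMI_MARKER + b".When you see these words..."
    report = compare_copies([
        (r"C:\Windows\Command\Extract.exe", clean),
        (r"C:\Windows\Options\Cabs\Extract.exe", clean),
        (r"C:\Windows\System\Extract.exe", infected),
    ])
    for r in report["results"]:
        print(f'{r["label"]}: mz={r["mz_header"]} marker={r["imi_marker"]} sha256={r["sha256"][:12]}')
    print("all copies identical:", report["all_identical"])
    print("copies carrying the IMI marker:", report["marker_hits"])
```

Run it against the real paths with triage_file() instead of the constructed images; a marker hit in one copy is the evidence to act on, while three identical marker-free copies support the false-positive reading.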

