Re: IMI.1536.A "Dropper" - Different results and findings?
From: siljaline (siljaline_at_invalid.com)
Date: 09/07/03
- In reply to: LuckyStrike: "IMI.1536.A "Dropper" - Different results and findings?"
Date: Sat, 6 Sep 2003 19:20:45 -0400
"LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com> wrote in message
news:eADweaDdDHA.2368@TK2MSFTNGP09.phx.gbl...
> I was performing a series of scans of my machine with various utilities, and
> an item was detected by Pest Patrol as being a "dropper". The name of the
> suspect entry was IMI.1536.A. I found that this is said to affect .EXE
> files. Specifically an Extract.exe file.
>
> Looking by Find F & F, I see that there are three Extract.exe's in
> C:\Windows. One is located in Windows\Command, the second is in Options\Cabs,
> and the third is in Windows\System. I scanned these (and the entire system
> as well) with AVG AV, Trend Micro AV, and Freedom Online AV - Nothing was
> detected. Spybot didn't find it either; not that I was expecting it to.
>
> Pest Patrol was the only program that detected this "dropper".
>
> Presently, I have "quarantined" this item, and have been doing some
> research. On the one hand, the "dropper" has a bad connotation. First it is
> *present* and detected for the first time ever; Second, it is attributed
> with "...In viruses and trojans, the dropper is the part of the program that
> installs the hostile code onto the system." That sounds quite unsettling.
>
> Symantec site stated Detected as: IMI.1536.A. Characteristics: Memory
> Resident, Triggered. Area of Infection: .EXE Files.
>
> OTOH, another site stated "These are not dangerous memory resident parasitic
> viruses. They hook INT 21h and write themselves to the end of COM and EXE
> files that are executed. "Imi.1536.a" infects EXE files only."
> "Imi.1536.a":
>
> "Hello! This is IMI 1.0b.When you see these words,
> you have been infected the IMI 1.0b virus.This is just
> for experiment.Please contact me immediately for cure.
> Fu-Jen U. E.E. Wilbur Dam.1993.4.8."
>
> I've not gotten this message as yet, but I've no desire to get it.
>
> So, can I safely rid my PC of this thing without affecting these Extract.exe
> programs?
> --
> LuckyStrike
> LS@smokedamagedfurniture.youcandriveitawaytoday.com
Lucky,
Comments, as requested -
Software based A-V's, Norton, et al *should* be left alone to scan for viruses.
Norton A-V should have flagged IMI.1536.A and variants, definitions up to date?
Spyware scanners can and do flag some virus exploits but conversely, should be
left alone to flag Spyware threats. Trojan-like behavior is targeted by SpyBot but
I believe that detection of those is in its infancy.
Online A-V scans do not scan compressed files, AFAIK, Norton online does not.
Therefore, online A-V scans are good for - selling you something, perhaps not much
more. Pest Patrol, to my knowledge, false-flags fairly often; perhaps you should consider
opting out of Pest Patrol and leave the Spyware scans to "true" scanners, Ad-aware and
SpyBot...
Hope I've addressed all ;)
Regards,
--
siljaline
"Arguing with anonymous strangers on the Internet is a sucker's game because they almost always turn out to be -- or to be indistinguishable from -- self-righteous sixteen-year-olds possessing infinite amounts of free time." - Neal Stephenson, _Cryptonomicon_