Hi Ron - You might want to download and run the free or trial version of A2 Personal, here:
Directions for a Clean Boot and Show Hidden Files in my Blog, addy in Signature.
Hi Ron - A2 is designed specifically to detect Trojans. The only _virus_ scanner I'm aware of that offers comparable _Trojan_ detection is SysClean. From my Blog:
Boot to Safe mode with Network Support (HowTo here:
Download sysclean.com , from Trend Micro, here:
An alternative automatic updater which adds some capabilities to Art's updater, such as restarting in Safe mode to run, etc., SYSCLEAN_FE , is available here:
NOTE: You can get a somewhat more current interim pattern file, the Controlled Pattern Release, here and manually unzip it to your SysClean folder:
Place them in a dedicated folder after appropriate unzipping.
Show hidden and system files (HowTo here:
Read tscreadme.txt carefully, then do a complete scan of your system and clean or delete anything it finds. Reboot and re-run SysClean and continue this procedure until you get a clean scan or nothing further can be cleaned/removed.
Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough. For example, one user reported that Sysclean found 69 hits that an immediately prior Norton AV v. 11.0.2.4 run had missed.
New malware can download and use old malware. Just a shot in the dark, what else do you have with that date?
Possible. Or it could be a false positive. Without the evidence we can't know.
Also possible.
Without analysing the file "NULL", and/or finding other malware files to analyse, it is anybody's guess.
This may be paranoia at work here, but new malware could download many things undetected at present and throw you a bone (like an old trojan) to make you think your defenses are adequate and have protected you. Maybe other things have been date altered to 5/5/5 as well - or looking at 5/5/5 dated files will jar your memory about what "NULL" is (or was).
It's the file C:\\NULL
Suddenly, shortly after a cold boot, my fully updated (WinUp) and patched W98se PC reported the above noted infection. It's Grisoft free AVG with the latest updates. This PC is also protected by ZoneAlarm, a Belkin WiFi router with firewall, and SpyBot (resident). A normal Shutdown was done 12 hours earlier with no indication of any problems. There are still no indications of any problems EXCEPT that AVG claims it's found this trojan. There have been no floppy operations/mounts, no CD operations/mounts and no downloads and installs of anything between an hour before shutdown last night and now.
From the DOS prompt I can see a file C:\\NULL that has a 5/5/05 date. Since 5/5 both a full manual AVG and a Trend HouseCall 6 run have been done on this PC, finding nothing. So where and how did this file C:\\NULL, that AVG claims is Trojan horse Downloader.Generic.ML, appear from? Was it really there since 5/5 but went unnoticed by both AVG and Trend HouseCall 6, and then this morning AVG suddenly downloaded a new definition file which started seeing this trojan? OR did something penetrate all the firewalls and suddenly spawn this file, which AVG quickly recognized?
What likely happened here?
The operation I was in the middle of when AVG popped up was reading a text only no attachment NG message in OE 6.00.2800.1123.
NO, I'm not doubting AVG at all. The file c:\\null didn't belong there and came from some unknown source and I assume that in fact is a trojan. What I can't understand is how and when it got there unnoticed until this AM?? I thought I'd taken all the extra precautions and kept very current and then all of the sudden from left field this AVG warning appears at a time and circumstance that does NOT correspond to when I'd expect such a thing to have happened.
FURTHER I was under the impression that most all the current virus checker companies were really on top of things and got out protection(new def files) within hours or at most a day from when something new was found in the wild. I find it highly unlikely that I'm some special case that got this infection only or long before anyone else. If one believes the 5/5/05 date on c:\\null then that suggests that this thing has been out in the wild for over a month when AVG just this AM suddenly updated the def file to include its detection. Also Trend Housecall 6 didn't find it if you believe the 5/5/05 date.
How did this all come to pass? Do I have some misconceptions somewhere regarding these issues? I thought I had all my bases covered and then this. What should I start doing differently? Are virus/trojan files ever put on folks' HDs and then change their own dates back in time; has that ever been seen?
AVG zapped it already.
Google web/groups doesn't show any hits on "downloader.generic.ml" so this may be something really NEW!
Yep, the very latest and fully patched/WinUp-ed version.
Are you saying that AVG's resident and SpyBot's resident (watching reg updates) wouldn't have caught it at the time of infection?
That c:\\null IS a bogus file from an unknown source suggests that there was no false detection.
Yep and other than the possibility that you are a FireFox drum beater, the use of a fully updated IE generally does NOT expose one to such when a fully functional firewall, virus checker and spyware checker are in place.
Right but 5/5/05 is over 30 days old...am I some special case alpha infection point?
After one noticed it. I don't inspect c:\\ or c:\\win or c:\\win\\system[32] hourly to spot undesirable files. That's what I got AVG etc. for.
I was under the impression that there weren't any of these that have resulted in actual infections any time recently. Lots of new vulnerabilities keep being found and reported and fixed. And that's all before there are any infections/penetrations using them, and that's what I've been hearing for over a year.
NOPE! I assume that the NG message reading had nothing to do with it but then what did??
Why would AVG or Trend HouseCall 6 be weak in this regard?
If you're doubting AVG, you could submit the file to
eric
-- Remove the dross to contact me directly
And do you use Internet Explorer?
There wouldn't be. If something did sneak in via an IE or some other vulnerability then it would most likely not run until the next startup.
Sounds like an indication of a problem to me. A false detection is a possibility but there is no way for me to be certain.
But you did surf with Internet Explorer?
Virus scanners don't have any magical ability to detect trojans; they have to be told what is a trojan and what isn't via the updates. An anti-virus vendor may manage to do an update in less than a day if the virus/trojan is all over the news, but it may otherwise take longer. Trojan writers are not under any obligation to send copies of their trojans to anti-virus vendors.
I have no idea where C:\\NULL came from, but if it were on my PC I would want to know what it was. If I was sitting at the PC which had C:\\NULL on it then I'd look in C:\\NULL to see what was there. I'd also find out whether anything in there was referenced during startup. For that I'd need Spybot S&D in advanced mode or
Impossible to say. One possibility is that you got something via an unpatched IE vulnerability. Another is that AVG is/was giving a false detection. Another is that I don't have a clue what happened.
Did this message contain a link/url that you happened to click on?
Jason
It would still be a false positive, albeit a welcome one. :)
Generally they have to affect a number of users before it comes to the attention of the virus fighters.
Yes, virus checkers generally don't prevent the creation of files; they only scan on-access (usually on opening the file). For instance, if for some reason your system configuration allows sharing of the root directory (not a good thing), none of the measures you mention will have any effect on the creation of a file in the root directory. Only when it is next accessed will the AV scan it, and having no extension makes it hard to have it in any include/exclude-by-extension config file.
It is really too bad the file is not available for further scrutiny. :(
You are right that such a file suddenly appearing raises suspicion.
As much as I'd like to disagree with Jason about such a drastic measure, it IS the recommended procedure when a compromise has taken place.
Ok, so it's probably only got approximately n+100 vulnerabilities left to be patched.
Yes
It does, if you are sure that C:\\NULL is not part of anything legitimate or anything you have done yourself.
I don't wish to upset you but it took me a while to stop laughing after reading that.
Nope, you're just an average Windows user who got the trojan that wasn't widespread enough to be noticed immediately.
I don't either, but I don't allow additional executable files on to the system in the first place, so I don't have to go file spotting very often on my own machines. I also don't need AVG.
Who have you been hearing this from? Ask yourself why there is a cumulative update every month.
It is not possible for me to say for certain what did.
If I were you I'd wipe the drive and reinstall the operating system. There is no other way to be sure that your system isn't compromised.
Jason
Taking a moment's reflection, Ron Reaugh mused:
| NO, I'm not doubting AVG at all. The file c:\\null didn't belong there and came from some unknown source and I assume that in fact is a trojan. What I can't understand is how and when it got there unnoticed until this AM??
My guess would be that when it was put there, AVG didn't have a definition for it. Sometime between then and now, the definition was added, and now AVG can detect it. It could also be a false positive.
Maybe but do you have any evidence that any of these has been actually used in a penetration recently? OR are they all just potential?
Why? If that's not what they're looking for then what are they looking for?
I'm sure. You ever heard of c:\\null?
Provide some references that suggest that is not the usual and EFFECTIVE model?
I find that unlikely but barely possible.
Where have you been hearing the other from?
YES, please do so. Have you been reading about the intense preemptive work going on to find the holes before the hackers? From what I've heard that's been effective down to within a day or two for the last year or two. References otherwise?
Clueless!
Now you've established your credentials.
My thinking exactly. c:\\null IS a foreign and uninvited file so it's not a false positive even if the file contains all binary zeroes.
My understanding is that actually encountering something before one's virus checker has it in the def file is a rather unusual occurrence. HOWEVER, also my understanding is that between a virus checker (AVG), SpyBot and ZoneAlarm, nothing should be able to arbitrarily go out and put some file named c:\\null in the root directory regardless of any def file entry. Am I missing something here?
Number of users vs time seems quite a different thing.
I thought they protected against virus like behavior.
AH, how about ZoneAlarm???
HMM, it seems to be in AVG's virus vault but the extraction (Save As..) hangs.
Recommended by whom? Are you saying that all these virus checkers and cleaners/disinfectors are frauds, as that can't possibly work reliably?? If so then I know how to build an app that can detect any infection... I assumed that such had already been done. Start with an app that does some kind of a fancy encrypted CRC of all the relevant files on a HD and then it keeps an encrypted database of same for later comparison... I didn't say it was pretty.
Clean install isn't a rational/reasonable option. The same logic would suggest that any backups be burned immediately....just NO.
only behaviour blockers stop so-called 'virus-like' behaviour... nobody uses behaviour blockers, though... probably because they typically ask the user far too many questions s/he doesn't have good answers for...
only if it blocks the sharing of the root directory itself...
because then they wouldn't be virus scanners, they'd be integrity checkers... there actually are products out there that do this sort of thing, but they aren't used by nearly as many people as use scanners...
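An added example, not written by any poster in this thread, of the integrity-checker approach that the last two posts contrast with scanners: it records a SHA-256 baseline of a directory tree and later reports files that appeared, changed or vanished, which is exactly how an unexplained file like C:\NULL turning up in the root would be caught without any definition update. The function names and the sample tree constructed in demo() are assumptions made for this illustration.

```python
# Added example (not from the thread): a minimal file-integrity checker.
# It hashes every file under a root directory, stores the digests as a
# baseline, and later diffs a fresh snapshot against that baseline.
# Assumed/hypothetical: the function names and the sample tree in demo().
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare(baseline, current):
    """Return the files added, modified and removed between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: a clean baseline, then a zero-filled NULL appears in the root
    and a startup-related ini file gains a line. Both must be flagged."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS"))
        with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
            fh.write("@ECHO OFF\n")
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "w") as fh:
            fh.write("[windows]\n")
        baseline = build_baseline(root)
        # A file of all binary zeroes is still a new, uninvited file: flag it.
        with open(os.path.join(root, "NULL"), "wb") as fh:
            fh.write(b"\x00" * 64)
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "a") as fh:
            fh.write("run=unexpected.exe\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only proves anything if it is kept where the machine being checked cannot rewrite it (removable or read-only media), since anything that can drop a file in the root could also update a database stored beside it.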