Trojan horse Downloader.Generic.ML

-snip but not ignored

This instance is W98se.

Me too. Google Groups and the web show only this thread, as I said in an earlier post. Grisoft and Trend show nothing.

Me too, including following someone's advice: I checked the date 5/5/5 and found NO other files on the system with that date. I may be a target of something and next year they'll do me on 666. As I mentioned earlier, the file (c:\null) is still in AVG's virus vault. Last night before the overnight SysClean run, AVG 'extract as' hung while I was trying to see if I could get c:\null out to forward to the URL provided in a post early in this thread. Just tried 'extract as' again and it's hanging again. There's a dialog box, that I assume is the normal file save/open dialog box, that has border and internal margins painted but otherwise is all white. I continue to compose this message while it's just sitting there. Ctrl-Alt-Del shows the task AVG virus vault (not responding). ANYONE?

Is there any way to clean boot access AVG's virus vault?

Yes, but then there's that sudden detection that appears NOT to correspond to any event related to that theory. It was the AVG resident shield, after W98SE was all up but only a little while thereafter. I had time to go into OE6 and into NGs (AMD K6+ 450MHz, 256MB).

Is AVG periodically checking c:\, or must that kind of on-the-run detection by AVG be due to its having detected some file I/O with the file c:\null at that moment? The file c:\null is unknown to me, nor does 5/5/5 mean anything to me except for the numerology of it, and there was NO system activity that related to the issue EXCEPT possibly that was when AVG finished doing its daily def update. BUT even then, what triggered the detection at that moment? I didn't run any kind of manual scan or such.

OK!

Ron Reaugh

Yes, in the middle of all this I read that thread about the Dell files, and AVG did detect several Dell files on this system. ALSO, Trend Housecall 6.0 detected one such Dell file here.

Back to my original issue: why would AVG be detecting c:\null at that moment? What could have caused AVG resident to detect a file in c:\ at that moment EXCEPT watching/checking some file I/O to that file at that moment?

Ron Reaugh

Correction: below in my prior post where I say 'extract as' should read 'restore as'.

UPDATE: 'restore as' in AVG continues to hang. 'restore' works. So I got c:\null back and after some fussing around I got it on a floppy. Then I had [link] have a look at it, and about half identified it and the other half did NOT (included after these comments). At [link] the AVG was the day-before AVG version (6/14/05) and it did NOT find it, so the theory that a sudden identification of c:\null was due to the fact that AVG's 6/15/05 def-s had just been downloaded seems more probable. After getting auto updates from AVG, does AVG automatically and immediately go out and check the root (c:\) for virus files? I still don't understand exactly why the identification occurred at the moment it did, OTHER THAN actual file I/O to c:\null at that moment.

Following the above-mentioned steps involving using a DOS boot floppy to copy c:\null to another floppy, I've now booted back to W98SE and c:\null still sits there and AVG has NOT noticed it yet?? Of course there's been no new AVG download/update in the last hour.

Is there anything special about the filename 'null' that would stifle registry searches etc. for it? In DOS the filename 'nul' IS special. There seems to be nothing in the registry relevant to a filename 'null'.

This is a report processed by VirusTotal on 06/17/2005 at 09:16:56 (CET) after scanning the file "Null".

Antivirus     Version          Update       Result
AntiVir       6.31.0.7         06.16.2005   TR/Dldr.QDown.S
AVG           718              06.14.2005   no virus found
Avira         6.31.0.7         06.16.2005   TR/Dldr.QDown.S
BitDefender   7.0              06.17.2005   Trojan.Downloader.Qdown.S
ClamAV        devel-20050501   06.16.2005   Trojan.Downloader.Delf-94
DrWeb         4.32b            06.17.2005   Trojan.DownLoader.2632
eTrust-Iris   7.1.194.0        06.16.2005   no virus found
eTrust-Vet    11.9.1.0         06.16.2005   no virus found
Fortinet      2.35.0.0         06.17.2005   W32/QDown.S-tr
Ikarus        2.32             06.16.2005   no virus found
Kaspersky     4.0.2.24         06.17.2005   Trojan-Downloader.Win32.QDown.s
McAfee        4515             06.16.2005   no virus found
NOD32v2       1.1143           06.16.2005   Win32/TrojanDownloader.QDown.S
Norman        5.70.10          06.15.2005   no virus found
Panda         8.02.00          06.16.2005   Spyware/ISTbar
Sybari        7.5.1314         06.17.2005   Trojan-Downloader.Win32.QDown.s
Symantec      8.0              06.16.2005   no virus found
TheHacker     5.8-3.0          06.17.2005   no virus found
VBA32         3.10.3           06.16.2005   Trojan-Downloader.Win32.QDown.s

Ron Reaugh

OK, Ron - If you got that from A2 then I would believe a real infection which, when you're ready, you can have A2 try and clean. I would recommend two additional steps at this point if you wish to continue to investigate.

First, download and run Mark Russinovich's RootkitRevealer from [link].

Then, I would also download and run HiJackThis and post your results to one of the forums. There are experts there who can help you considerably with this:

Download HijackThis, free, here:

http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)

You may also get it here if that link is blocked: [link], here: [link], or here: [link]. There's a good "How-to-Use" tutorial here: [link].
In Windows Explorer, click on Tools|Folder Options|View and check "Show hidden files and folders" and uncheck "Hide protected operating system files". (You may want to restore these when you're all finished with HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder at the root level such as C:\HijackThis (NOT in a Temp folder or on your Desktop), reboot to Safe mode, start HT (have ONLY HT running - IE MUST be closed) then press Scan. Click on SaveLog when it's finished, which will create hijackthis.log. Now click the Config button, then Misc Tools, and click on Generate StartupList.log, which will create Startuplist.txt.

Then go to one of the following forums:

Spyware and Hijackware Removal Support, here: http://216.180.233.162/~swicom/forums/ or Net-Integration here: [link], or Tom Coyote here: [link], or Jim Eshelman's site here: [link], or Bleepingcomputer here: [link].

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning of the particular site's HiJackThis forum, then copy and paste both files into a message asking for assistance. Someone will answer with detailed instructions for the removal of your parasite(s). Be sure you include at the beginning of your post "What problem(s) you're trying to solve" and "What steps you've already taken."

Jim Byrd

So I ran A2 and it found ~130 things.... mostly cookies, which don't really count as everything finds cookies. It also found my same old c:\null (Trojan-Downloader.Win32.QDown.s) and two dialers plus (TrojanSpy.Win32.KeyLogger.t). I'm gonna leave c:\null there awhile and try to determine the circumstances under which it's detected next time.

Ron Reaugh

Yes, it had a virus checker with all updates. Yes, it had all Windows updates. If by firewall you mean personal firewall software, then no it didn't, because this would have made no difference. Personal firewalls do not stop Internet Explorer downloading whatever the user requests, as far as I'm aware. They also do not stop Internet Explorer downloading something the user didn't request. The only way to keep adware off Windows 98 is to stop it reaching the PC.

As already stated the fully updated scanners were not finding anything wrong with the file after a week. I then decided to get rid of the file in case it was detected and frightened anyone in the future. I'm not in the business of collecting malware. It would surprise me if current virus scanners don't detect it but there is no way for me to find out.

Using the current model of anti-virus software I don't see how any virus scanner vendor can be expected to get an update done and distributed to users before malware has executed on their PC. This is simply not possible unless they turn their efforts to time travel instead of malware detection. I cannot recall a virus I came across this year which hadn't executed and done damage to a user's PC BEFORE their virus scanner was updated to detect it. The last one was due to a 12 year old using MSN Messenger in an XP administrator account. This left the user helpless because Task Manager wouldn't run and IE wouldn't go to any anti-virus sites. AVG took more than 24 hours to start detecting it and I don't see how they could have done it any faster. Is it only me who thinks that there may be something wrong with this model?

There are no secrets. Ask yourself why businesses of any size don't use (or shouldn't be using) the current home user model. Ask yourself why users in these businesses who have email and web browsing access think that they have full Internet access and don't notice any difference between Internet access at work and Internet access at home. A few of these users may wonder why they never get any viruses at work but can't keep viruses off their home PC.

Why does it make a difference? All Windows and anti-virus updates were in place at the time.

Filter it out before it reaches the PC.

There are various reasons why the current home user model is not likely to change any time soon. I'll list a few of the reasons I can think of, there may be many others.

  1. Cost. Proper external firewall/proxy boxes start at three figures.
  2. Time and effort. Good external boxes can be made out of free software and an old PC, but time and effort is required to set it up. A certain level of knowledge is also required for successful configuration whether you use a ready made solution or a free software one. You can pay someone to do it for you but then we're back to cost.
  3. Knowledge. Windows 98 is not likely to be possible to secure for the average home Windows user if connected directly to broadband. Later versions of Windows are better but cannot be used in a secure manner because this breaks too many existing applications. Windows applications are still being written which require access to more than they should be able to access if they are to work properly. I won't bother stating that you could use an operating system other than Windows because I've met people who think that Windows and computers are the same thing.

Jason

Jason Edwards

What was the file size? I suppose you didn't view the file with a text editor (e.g. Notepad). You would risk nothing by viewing the file, as it didn't have an executable extension (unless it was a PIF file, which wouldn't show in Explorer, but you could know that from the file's icon - PIF files have the MS-DOS icon by default). If you had viewed the file then you may have discovered the reason for which AVG flagged it as a Trojan.

My guess is that the "NULL" file was the product of a piping command that was misspelled 'null' instead of NUL (e.g. "whatever > nul"). This technique is often used in scripts to not display pointless DOS screens. Misspelling the NUL device as NULL is rather common.

There is no proof that the NULL file contained virus/Trojan code. The fact that AVG found some Trojan in it proves nothing (FWIW, AVG fared rather badly in a false-positive susceptibility test that I conducted; see my message in this group: about 40% false positives in that particular test).

Just a false positive. Besides, why does the AVG *on-access* scanner waste time and resources on checking a non-executable file like NULL?

Doesn't seem connected.

Regards, Zvi

-- NetZ Computing Ltd. ISRAEL

[link] [link] (Hebrew) InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

Zvi Netiv

Hi Ron - No, if you've already let A2 clean things (except c:\null?), then that's OK, although I'd at least run it again and be sure it's still clean in Safe or Clean Boot, then again after a normal boot (if you didn't already do this). These things can often re-infect themselves.

As to RootkitRevealer - it would be good IMO to increase your confidence that this (a rootkit) hasn't happened, given the atypical circumstances of your infection. But of course running this and using the HiJackThis approach are entirely your choice. Those were just my recommendations, since in my experience multiple tools can give more complete confidence in a clean system, particularly when starting from an unknown infection point. (For well-known infections there often exist specific tools which are very efficient in cleaning up that specific malware.)

Jim Byrd

What is the file size? Since it doesn't have an executable extension then it would be safe to handle. View it with a text editor and tell us what it contains. I suspect that it has script like text inside.

Would you mind sending it to my e-mail address (see my signature) for analysis? Preferably in ZIP encapsulation, no need for password encryption. You may need to disable your AV momentarily in order to send the file.

Unsurprisingly, the scanners that "found" the Trojan in your upload to VirusTotal are the same that showed themselves more susceptible than others to false positives in my tests.

Since this behavior is systematic, and is detected by AVG's on-access, then the logical explanation would be that piping to the "NULL" file is caused by what you were doing.

I suppose you haven't tried "NOTEPAD C:\NULL." (note the dot after NULL) from your desktop "Run". I am pretty sure it will trigger AVP. ;-)

On a side note I would add that if you had InVircible installed, then you could know exactly, in seconds, what is the application that generates the piping, or accesses the file. But this is an entirely different discussion.

There is nothing special nor magic in the filename, except that it is a common misspelling of the NUL device name, often used to redirect commands that need to execute in the command/CMD shell.

An informed interpretation of the VirusTotal report suggests that you are dealing with a false positive. For the readers' convenience, I have reorganized the scanners in the report below into two groups: Those that false alarmed on the NULL sample, and those that didn't. As to AVG, you may add it to the first group as it eventually alarmed on that sample, which concurs with my tests (AVG had about 40% susceptibility, with ClamAV being the worst - 100% susceptibility to my samples).

Trojan-Downloader.Win32.QDown.s

The critical question to ask in the above example is: Why wasn't the sample detected by ALL scanners, given that those that detect it have it in their database (Downloader.S is roughly one year old!).

I'll repeat something I said in a previous post and thread, about susceptibility to FP: It tells a lot about the design internals of the product.

Regards, Zvi

-- NetZ Computing Ltd. ISRAEL

[link] [link] (Hebrew) InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

Zvi Netiv
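The device-name point Zvi makes above (NUL is a device, NULL is a regular file, and the trailing dot in "NOTEPAD C:\NULL." is dropped) demonstrated as an added Python example; this is not code from any poster. It normalises a filename the way Win32 does before its reserved-name check and flags names one edit away from a device as likely stray redirect targets; the directory listing and the one-edit heuristic are constructed for the example.

```python
from __future__ import annotations

# Win32 reserved device names. The lookup is case-insensitive and uses only the
# part of the final path component before its first dot, so "NUL", "nul.txt"
# and "NUL." all name the NUL device and a redirect to them writes no file.
_RESERVED = {"CON", "PRN", "AUX", "NUL"}
_RESERVED |= {f"COM{i}" for i in range(1, 10)}
_RESERVED |= {f"LPT{i}" for i in range(1, 10)}

# Constructed directory listing standing in for the root of the poster's drive.
SAMPLE_LISTING = ["null", "NULL.", "nul", "AUTOEXEC.BAT", "COMMAND.COM",
                  "nul1.log", "prn", "readme.txt"]


def win32_component(name: str) -> str:
    """Normalise a final path component as Win32 does before the device check:
    trailing dots and spaces are dropped (so "NULL." becomes "NULL"), the text
    before the first remaining dot is kept, and the result is upper-cased."""
    stripped = name.rstrip(". ")
    return stripped.split(".", 1)[0].upper()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short device-style names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(name: str) -> tuple[str, str | None]:
    """Return ("device", canonical) when the name resolves to a reserved device,
    ("typo", canonical) when it is one edit away from one (the shape a stray
    "> null" or "> nul1" leaves behind as a real file), else ("file", None)."""
    key = win32_component(name)
    if key in _RESERVED:
        return "device", key
    for device in sorted(_RESERVED):
        if _edit_distance(key, device) == 1:
            return "typo", device
    return "file", None


def find_redirect_debris(names: list[str]) -> list[tuple[str, str]]:
    """From a directory listing, return (name, intended device) for entries
    that look like a misspelled redirect target created a regular file.
    Heuristic only: a legitimate three-letter name such as "CAN" also scores."""
    hits = []
    for name in names:
        kind, device = classify(name)
        if kind == "typo":
            hits.append((name, device))
    return hits


if __name__ == "__main__":
    for entry in SAMPLE_LISTING:
        print(f"{entry:14} -> {classify(entry)}")
    print("likely redirect debris:", find_redirect_debris(SAMPLE_LISTING))
```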

How do you figure that?

It takes time for users to report their experiences to the fighters (and submit samples of the malware) - and further time for the fighters to analyse the software threat and create a suitable detection definition.

Some do to some extent - Norman's Sandbox does IIRC. Zvi Netiv's site at Net-Z Computing gives good information on some alternatives to using only signature based scanning.

Many software firewalls have gone beyond what they used to do (port control) and it could be that ZA does do something about your system configuration settings - I don't know about that because I don't use it.

scrutiny.:(

Isn't there a restore option in AVG's console?

BTW - did you search for other files with that creation date for clues to see if it was something you forgot that you had installed? Someone else has mentioned an ATA card or something, but just because you don't have what he mentioned doesn't mean that you didn't install something else that used the same installer (that apparently leaves remnants).

Roger Wilco

Security experts, generally.

reliably??

No, but they can only correct what they know how to correct - and as a prerequisite you have to have a known malware to have them correct. As your problem is an unknown, you must have a lowered confidence in the state of your security. Sure, it is relatively easy to remove a PE infector that only infects PE files in the working directory - replace all files detected as infected with known good backups. A worm that installs a backdoor and announces through IRC "open house" at IP address xxx.xxx.xxx.xxx can be removed and you can still be confident to some extent that little time was available for any further actual intrusion. But a trojan downloader detection that doesn't tell you what was downloaded and executed leaves a larger unknown element to the effectiveness of your cleanup. "What ifs" become more important - like 'what if' the downloaded and executed program retrograded your patch level by installing an older, broken, version of a DLL (with the new version number to fool dumb baseline security checkers) so that even after removing any active trojans you still have a trapdoor that allows a cracker to run code and install something newer and maybe not known to your scanners?

Integrity checkers are also a good tool, unfortunately some malware can pad out the file to achieve a good CRC after it has done the modification - not very common though

No, but sometimes it is the "only" option that works.

Why do you say that? Sure, if you have been compromised long enough that the backups are also affected, but a good backup regimen makes this very unlikely.

Roger Wilco

reliably

I would define a compromised system as one that has an ongoing or repeatable security breach. Ongoing as in an active trojan, and repeatable as in a trapdoor that allows the attacker to re-enter the system after you thought you had secured it.

Backups made before any malware could have had access to it or from a read only media so that malware couldn't have had such access. An install CD with slipstreamed patches and copies of the original application software could qualify - but this is highly subjective because 'known good" isn't always good in practice.

Maybe now they have added detection for that which has affected the data store.

The best tools are the ones that help you to prevent having to use recovery tools.

Exactly - no tools exist to fix unknown problems.

Roger Wilco

The virus definitions may have been updated. The date on the file may not reflect its actual creation date.

Keep in mind that on-access scanning does not normally scan non-executable files. On-demand scanning only does so if you specify it in the configuration settings.

As to the question of when to format/reinstall, it's easier to describe when it isn't needed.

If you know what malware was installed, how it got installed, can be confident that that's the only malware that was installed, and that malware does not provide remote access, then it's safe to just clean it using whatever tools are most suitable.

Otherwise, you should assume all executables (including macros etc.) are compromised.

You could boot from known clean boot media and compare every executable to the files from the installation sources, but it's usually faster to just reinstall.

In most cases, just using an appropriate anti-malware tool to remove the infection will be effective, but you cannot/should not count on it. If the PC is used for any financial activity (online banking, etc.), failing to wipe/reinstall and change all passwords could be expensive. Same with failure to remove a dialler, if you have a regular modem connected to a phone line. Remote access tools can also get your account terminated for sending spam etc., or cause reputation loss if everyone in your address book gets spammed with malware from your computer.

Regards, Dave Hodgins

David W. Hodgins
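Dave's suggestion of comparing every executable against the installation sources, together with Roger's earlier point that a padded file can satisfy a CRC-based integrity checker and that a downgraded DLL can carry a fresh version number, as an added Python example (not a tool from any poster): it builds SHA-256 baselines of the executables in a known-good tree and a live tree and reports what was modified, added or is missing. The two file trees and the extension list are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import os
import tempfile

# File types treated as executable code on a Windows 9x-era system
# (constructed list for this example; extend to match the target platform).
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".sys", ".vxd", ".drv", ".ocx", ".scr"}


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256. Unlike a CRC, a cryptographic digest
    cannot be restored to its old value by padding a tampered file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map each executable under root (path relative to root, lower-cased since
    Windows file systems are case-insensitive) to its SHA-256 digest."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                baseline[rel] = sha256_file(full)
    return baseline


def compare(known_good: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Diff a live snapshot against the install-source baseline. "modified"
    catches a binary swapped for an older build even if its version resource
    was edited to look current, because the bytes no longer match."""
    return {
        "modified": sorted(p for p in known_good if p in live and live[p] != known_good[p]),
        "added": sorted(p for p in live if p not in known_good),
        "missing": sorted(p for p in known_good if p not in live),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict[str, list[str]]:
    """Build two constructed trees: the install source, and a live system where
    one DLL was replaced, one executable appeared, and one file vanished."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as live:
        for root in (src, live):
            _write(root, "WINDOWS/EXPLORER.EXE", b"explorer-build-4.10")
            _write(root, "WINDOWS/SYSTEM/SHELL32.DLL", b"shell32-build-4.72")
            _write(root, "README.TXT", b"not executable, ignored by the scan")
        # Constructed tampering on the live system only:
        _write(live, "WINDOWS/SYSTEM/SHELL32.DLL", b"shell32-build-4.00")  # downgraded bytes
        _write(live, "WINDOWS/SYSTEM/UNKNOWN.EXE", b"binary not in the source")  # appeared
        _write(src, "WINDOWS/SYSTEM/MSVCRT.DLL", b"msvcrt-build-6.00")  # absent from live
        return compare(build_baseline(src), build_baseline(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```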

Do you really prefer to have even more "typhoid Marys" on the net, than are already existing? Better do a thorough disinfection. As Virus scanners aren't always perfect, this might even mean a surgery. (FYI: Typhus abdominalis bacteria often hide in the gall bladder)

Gabriele Neukam

snipped-for-privacy@t-online.de


Well I thought it was already cleaned... well. It wanted to delete c:\null but I said no for now. I did let it delete all the other stuff. Is there some whole other step that I'm missing? I will say that after the A2 run and deletions that something is different.... BETTER. Does it do more than advertised?

OH SHIT, you're trying to send me on a whole new career path. I was pleased as punch when Gates saved the world from NetRoom and Stacker hell.... I did that career path fully. Please Billy save us all and start including a robust equivalent set of tools/fixes in SP3 or maybe that new service that's coming! This is going out of control. How can the average PC user hope to survive? Billy needs to save 'em all again. In the meantime the Geek Squad can't hope to handle such, so they'll just have to keep payin' folks like me $100/hr. to keep their PCs running. Most don't. Most don't keep running.... they just buy a new PC..... I wonder if Mikey is financing the malware industry?

I DON'T WANNA! But then I really didn't wanna screw with A2 either, and look what happened. I have fastidiously avoided HiJackThis for several years now. I don't wanna go here. I want something to just handle it all... damnit.


Ron Reaugh

48,128

OK!

c:\null is still there. Today AVG updated and nothing happened. I'm assuming therefore that in the original incident some I/O did occur to c:\null and that I/O was from out of left field. Nothing was supposed to be doing that.

That triggers AVG. What is the significance of the 'dot'?

Trojan-Downloader.Win32.QDown.s

Aren't the critical questions: Why is Kaspersky in the group that found it? Why did AVG suddenly start detecting it? So you seem to be saying that AVG updated its def-s to suddenly start false positive detecting a known year-old trojan? AND on the date of that new buggy update it just happens that I get from left field some file I/O to c:\\null and a false positive. I think that there is a more likely explanation than that.

Ron Reaugh

Wrong question. Did someone say "Now let's make it do it better and catch those nasty lurking little demons and exorcise them.... after all I don't have launch codes on this system."

Do they? Descartes couldn't be certain of that.

Ron Reaugh

definition.

Yes with worms, viruses, and mass distributed trojans which become noticeable very quickly. Not all malware will be that blatant.

[snip]


Having so many of those scanners FP on that file (if that is what is happening) is very disappointing. :(

Someone

something

Oh well - it was worth a try.

Roger Wilco

Ok, W.O.R.M media then - and I did say it was highly subjective (below). :))

[snip]

Yes I can - but that is beside the point. Heuristics still deal with what is known.

Roger Wilco

Hours or a day or two seems to be what's happening.

Billy please save us.

'restore as' hangs... 'restore' works and I submitted to [link]..... see my other posts.

As I already posted...no other file in the system has 5/5/5...but I noticed that date at the time.....wait til next year.

Ron Reaugh
