PC Review



On demand scanning issues

 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
A freeware MP3 to WAV installation file named ABLEMP3.EXE from:

http://www.all4you.dk/FreewareWorld/links.php

was found to contain a file named WU1345RD.EXE infested with
TrojanDropper.Win32.Small.gt
Actual infestation was confirmed by Kaspersky Lab virus analysis.

I ran some tests using updated av products set to scan archives and
packed files. I wanted to see which scanners could find the Trojan in
the installation SFX CAB file. Of the scanners I tried, only KAV (and
KAV scan engine products) and BitDefender found the culprit file and
alerted.

Scanners which alerted on the culprit file but not on the installation
file included:

F-Prot
McAfee
AntiVir
Clamav
NOD32

Scanners which had no detection at all included:

Trend's Sysclean
Norman Virus Control (NVC)

In this particular case, the SFX CAB installation file can be handled
by Archivers such as Power Archiver. The files "within" can be
extracted to a temp folder. Then the temp folder and its
subdirectories can be scanned with the culprit file(s) exposed for av
scanning.

A general fault of the scanners that can't handle the "containers"
(archivers and packers) is that they report "OK", giving uninitiated
users the impression that the file is safe to Run. In fact, the "files
within" an install file may be packed in a way that some scanners can't
handle. And again, you get an "OK" message. I have seen KAV give
reports such as "unknown" or "error on" and similar for some of these
situations, so apparently it's trying to be honest and let the user
know it can't scan a file. But honesty in reporting is a very rare
thing indeed.


Art
http://www.epix.net/~artnpeg
 
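To make the point of the post above concrete, here is an added example (my code, not the poster's and not any product named in this thread) of a container-aware scan wrapper that returns UNSCANNABLE instead of a misleading OK when it meets a container it cannot open. It assumes a constructed marker string in place of a real signature database, unpacks zip archives (including an SFX stub with the archive appended) and treats CAB as a recognised but unsupported container.

```python
import io
import zipfile

CLEAN, UNSCANNABLE, INFECTED = "CLEAN", "UNSCANNABLE", "INFECTED"
SEVERITY = {CLEAN: 0, UNSCANNABLE: 1, INFECTED: 2}  # worst member verdict wins
MAX_DEPTH = 8
# Constructed marker standing in for a real signature database (hypothetical).
SIGNATURES = {b"CONSTRUCTED-DROPPER-MARKER": "Demo.Dropper"}

def scan_bytes(data, depth=0):
    """Scan a blob; zip containers (an SFX stub with the archive appended works,
    since zipfile locates the archive from its end record) are opened and every
    member scanned recursively. Unopenable containers are UNSCANNABLE, never CLEAN."""
    hits = [name for pat, name in SIGNATURES.items() if pat in data]
    if hits:
        return INFECTED, hits
    if data.startswith(b"MSCF"):  # Microsoft CAB magic; no CAB extractor here
        return UNSCANNABLE, ["CAB container: not unpacked"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return CLEAN, []  # plain file with no signature hit
    if depth >= MAX_DEPTH:
        return UNSCANNABLE, ["nesting depth limit reached"]
    verdict, notes = CLEAN, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_verdict, member_notes = scan_bytes(zf.read(info), depth + 1)
                notes += [f"{info.filename}: {n}" for n in member_notes]
                if SEVERITY[member_verdict] > SEVERITY[verdict]:
                    verdict = member_verdict
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
        return UNSCANNABLE, [f"archive error: {exc}"]  # e.g. encrypted member
    return verdict, notes

def make_zip(members):
    """Build an in-memory, deflated zip from {name: bytes} (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a fake SFX stub plus nested zips carrying the marker; a bare CAB header.
SFX_SAMPLE = b"MZ" + b"\x90" * 64 + make_zip(
    {"setup.txt": b"readme", "inner.zip": make_zip({"WU.EXE": b"xx CONSTRUCTED-DROPPER-MARKER"})})
CAB_SAMPLE = b"MSCF" + b"\x00" * 32
```

Calling `scan_bytes(SFX_SAMPLE)` reports the marker inside the nested member, while `scan_bytes(CAB_SAMPLE)` reports UNSCANNABLE rather than OK.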
 
 
 
 
Julian Moss
Guest
Posts: n/a
 
      15th Aug 2004
(E-Mail Removed) wrote:

> A general fault of the scanners that can't handle the "containers"
> (archivers and packers) is that they report "OK", giving uninitiated
> users the impression that the file is safe to Run. In fact, the "files
> within" a install file may be packed in a way that some scanners can't
> handle. And again, you get a "OK" message. I have seen KAV give
> reports such as "unknown" or "error on" and similar for some of these
> situations, so apparently it's trying to be honest and let the user
> know it can't scan a file. But honesty in reporting is a very rare
> thing indeed


Most setup generators used by developers employ proprietary compression
methods or undocumented ways of storing the compressed data within the
setup EXE. I don't see how virus scanners could realistically be
expected to unpack and scan all these types of package. If you get an
alert as soon as the infected file hits the hard drive, that's good
enough IMO.

--
Julian Moss
Tech-Pro Limited
http://www.tech-pro.net/
 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
On 15 Aug 2004 09:57:18 GMT, "Julian Moss" <(E-Mail Removed)>
wrote:

>(E-Mail Removed) wrote:
>
>> A general fault of the scanners that can't handle the "containers"
>> (archivers and packers) is that they report "OK", giving uninitiated
>> users the impression that the file is safe to Run. In fact, the "files
>> within" a install file may be packed in a way that some scanners can't
>> handle. And again, you get a "OK" message. I have seen KAV give
>> reports such as "unknown" or "error on" and similar for some of these
>> situations, so apparently it's trying to be honest and let the user
>> know it can't scan a file. But honesty in reporting is a very rare
>> thing indeed

>
>Most setup generators used by developers employ proprietary compression
>methods or undocumented ways of storing the compressed data within the
>setup EXE. I don't see how virus scanners could realistically be
>expected to unpack and scan all these types of package. If you get an
>alert as soon as the infected file hits the hard drive, that's good
>enough IMO.


Well, I'm talking about files that have "hit the drive" that cannot be
scanned on-demand, with no clue to users that they cannot be scanned.
And reliance on realtime av to unpack files when they are Moved,
Copied or Run isn't necessarily going to work either with packers the
av can't handle.

The problem of purposely downloaded install files is best addressed as
early as possible, via on-demand scanning. Install files that cannot
be scanned or extracted from and scanned should be deleted. That's a
part of "safe hex", and the best bet. And never d/l from questionable
sources.


Art
http://www.epix.net/~artnpeg
 
 
madmax
Guest
Posts: n/a
 
      15th Aug 2004
(E-Mail Removed) wrote:

> A freeware MP3 to WAV installation file named ABLEMP3.EXE from:
>
> http://www.all4you.dk/FreewareWorld/links.php
>
> was found to contain a file named WU1345RD.EXE infested with
> TrojanDropper.Win32.Small.gt
> Actual infestation was confirmed by Kaspersky Lab virus analysis.
>
> I ran some tests using updated av products set to scan archives and
> packed files. I wanted to see which scanners could find the Trojan in
> the installation SFX CAB file. Of the scanners I tried, only KAV (and
> KAV scan engine products) and BitDefender found the culprit file and
> alerted.
>
> Scanners which alerted on the culprit file but not on the installation
> file included:
>
> F-Prot
> McAfee
> AntiVir
> Clamav
> NOD32
>
> Scanners which had no detection at all included:
>
> Trend's Sysclean
> Norman Virus Control (NVC)
>
> In this particular case, the SFX CAB installation file can be handled
> by Archivers such as Power Archiver. The files "within" can be
> extracted to a temp folder. Then the temp folder and its
> subdirectories can be scanned with the culprit file(s) exposed for av
> scanning.
>
> A general fault of the scanners that can't handle the "containers"
> (archivers and packers) is that they report "OK", giving uninitiated
> users the impression that the file is safe to Run. In fact, the "files
> within" a install file may be packed in a way that some scanners can't
> handle. And again, you get a "OK" message. I have seen KAV give
> reports such as "unknown" or "error on" and similar for some of these
> situations, so apparently it's trying to be honest and let the user
> know it can't scan a file. But honesty in reporting is a very rare
> thing indeed
>
>
> Art
> http://www.epix.net/~artnpeg


Art-
I scanned it with Avast and it did not catch it either. (I didn't try to
open it.) By the way, are there any free AV products that use the Kaspersky
engine?
-max

--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
This message is virus free as far as I can tell.
Change nomail.afraid.org to neo.rr.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
On Sun, 15 Aug 2004 16:23:06 GMT, madmax <(E-Mail Removed)>
wrote:

>Art-
>I scanned it with Avast and it did not catch it either.(I didn't try to
>open it)By the way,are there any free AV products that use the Kapersky
>engine?


Yes. I recently put up at my web site both an automated utility and
"manual instructions" for obtaining and updating a free scanner
offered by Microworld Systems, the Escan people.

I've received some mixed bag feedback on my utility. Some had no
problem with it while others complained of erratic behaviour,
apparently caused by wget.exe (the internet file downloader). I can't
figure out why. I've been using wget for years now with my updater
offerings, and have never heard of such a problem. I may withdraw my
utility since I can't figure out why a few users have experienced
problems.

If you want to do me a favor, and if you're brave <smile> please try
my utility and let me know how you make out. Otherwise, use the manual
instructions. Regarding the latter, a folder named c:\Downloads must
be created and used since the KAVUPD.EXE updater supplied by
Microworld only downloads to that directory. All extracted files go to
that working folder. The extracted working av program is
c:\Downloads\mwavscan.com

When using mwavscan.com, I suggest limiting its use to the default
settings. That should be sufficient for handling installations of
Trojans and I-Worms. And you can also aim it at just a download folder
and set it to scan all files when you want to check downloads. The
thing is, the scanner "shoots first and asks questions later", so to
speak. If you allow it to scan your entire drive(s) for viruses,
especially worrisome with the "scan all files" set, any false alarm
results in renaming, deleting or cleaning. There is no way to just
have it do a scan with report only. This is the downside of using
mwavscan. An upside is that users will have a super scanner for
checking memory, the registry, and main Windows and system files for
installed Trojans and I-worms (and viruses in those areas). It uses
the extra defs, so it's quite an extensive malware zapper. And the
default scan goes very quickly. A log file is generated.


Art
http://www.epix.net/~artnpeg
 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
On Sun, 15 Aug 2004 03:13:39 GMT, (E-Mail Removed) wrote:

>A freeware MP3 to WAV installation file named ABLEMP3.EXE from:
>
>http://www.all4you.dk/FreewareWorld/links.php


Correction. I was just informed by the webmaster that site doesn't
offer downloads. So I was misinformed by a user I was helping.
However, I found the downloads from these sites of the subject
software are all Trojanized:

http://www.all4you.dk/FreewareWorld/links.php
http://www.hitsquad.com/smm/programs...download.shtml
http://www.guitar.sk/mp3_ogg_converter.htm
http://www.sharewarejunction.com/download-19906-2.htm
http://www.zdnet.fr/telecharger/wind...080029s,00.htm

>was found to contain a file named WU1345RD.EXE infested with
>TrojanDropper.Win32.Small.gt
>Actual infestation was confirmed by Kaspersky Lab virus analysis.


<snip>


Art
http://www.epix.net/~artnpeg
 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
On Sun, 15 Aug 2004 19:31:51 GMT, (E-Mail Removed) wrote:

>However, I found the downloads from these sites of the subject
>software are all Trojanized:


Whoops. Forgot to delete the first one.

>http://www.hitsquad.com/smm/programs...download.shtml
>http://www.guitar.sk/mp3_ogg_converter.htm
>http://www.sharewarejunction.com/download-19906-2.htm
>http://www.zdnet.fr/telecharger/wind...080029s,00.htm



Art
http://www.epix.net/~artnpeg
 
 
null@zilch.com
Guest
Posts: n/a
 
      15th Aug 2004
On Sun, 15 Aug 2004 18:46:03 GMT, (E-Mail Removed) wrote:

>On Sun, 15 Aug 2004 16:23:06 GMT, madmax <(E-Mail Removed)>
>wrote:
>
>>Art-
>>I scanned it with Avast and it did not catch it either.(I didn't try to
>>open it)By the way,are there any free AV products that use the Kapersky
>>engine?


>If you want to do me a favor, and if you're brave <smile> please try
>my utility and let me know how you make out.


Never mind. I just withdrew it. My daughter just reported a problem
with it and she's a good non-techy user test case.

The "manual" instructions remain at my web site, of course.


Art
http://www.epix.net/~artnpeg
 
 
Frederic Bonroy
Guest
Posts: n/a
 
      15th Aug 2004
(E-Mail Removed) wrote:

> Correction. I was just informed by the webmaster that site doesn't
> offer downloads. So I was misinformed by a user I was helping.
> However, I found the downloads from these sites of the subject
> software are all Trojanized:
>
> http://www.all4you.dk/FreewareWorld/links.php
> http://www.hitsquad.com/smm/programs...download.shtml
> http://www.guitar.sk/mp3_ogg_converter.htm
> http://www.sharewarejunction.com/download-19906-2.htm
> http://www.zdnet.fr/telecharger/wind...080029s,00.htm


I didn't check them all but it seems they all link to the same file on a
Slovakian server. I certainly would have expected ZDNet to pay more
attention to what files it links to... :-(
 
 
madmax
Guest
Posts: n/a
 
      16th Aug 2004
(E-Mail Removed) wrote:
> On Sun, 15 Aug 2004 18:46:03 GMT, (E-Mail Removed) wrote:
>
>
>>On Sun, 15 Aug 2004 16:23:06 GMT, madmax <(E-Mail Removed)>
>>wrote:
>>
>>
>>>Art-
>>>I scanned it with Avast and it did not catch it either.(I didn't try to
>>>open it)By the way,are there any free AV products that use the Kapersky
>>>engine?

>
>
>>If you want to do me a favor, and if you're brave <smile> please try
>>my utility and let me know how you make out.

>
>
> Never mind. I just withdrew it. My daughter just reported a problem
> with it and she's a good non-techy user test case
>
> The "manual" instructions remain at my web site, of course.
>
>
> Art
> http://www.epix.net/~artnpeg


What a good scanner!
Thank you for the info!
-max

--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
This message is virus free as far as I can tell.
Change nomail.afraid.org to neo.rr.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
 
 
 