Wrong trojan detection (BoeBot.Explorer)

Henry Habermacher [MVP Access] · Mar 22, 2005

Following steps result in a wrong detection of a trojan (BoeBot.Explorer)

- Create a New Text Document on the desktop
- Rename "New Text Document.txt" to "something.vbs"
- Open something.vbs by doubleclicking it

==> Microsoft AntiSpaware Alert appears, telling

========================================================================
[X] Warning, BoeBot.Explorer Trojan is trying to Install!
========================================================================
Microsoft AntiSpyware has detected the threat PoeBot.Explorer trying to
install a Script on your computer. If you would like to allow
PoeBot.Explorer to install the Script click the 'Allow' Buton below.

Name: PoeBot.Explorer
Type: Trojan
Threat Level: Severe

(!) Click more information about this threat ...

========================================================================
what would you like to do?

[Allow] [Remove!]

[] Always ignore this threat
========================================================================

And an additional bug: Clicking on more information results in "The
requested information is not
currently available"

Remove tells me it could successfully remove this Trojan?!? what ever it may
have removed. My empty .vbs fils is still here.

But I'm pretty shure, this trojan doesn't exist on my machine at all. It's
just a wrong alert if I'm starting a .vbs File without any content.

If I just add a comment sign (') to the first line of the newly created file
AntiSpyware just informs me that a script is beeing to be executed.

HTH to reproduce

Greetings from Phuket/Thailand

Henry Habermacher, MVP Access

Bill Sanderson · Mar 22, 2005

Thanks Henry. I can confirm reproducing this.

Henry Habermacher [MVP Access] · Mar 23, 2005

Hi Bill

Bill Sanderson said:
Thanks Henry. I can confirm reproducing this.

Just upgraded to Build .509. I still was on build .501 (didn't upgrade
automatically). Is reproduceable there too.

Henry

--
Keine E-Mails auf Postings in NGs senden!
Don't send e-mails to postings in newsgroups!
KB: http://support.microsoft.com/default.aspx
FAQ: http://www.donkarl.com (neu mit Suchfunktion!)
OH: Online Hilfe von Microsoft Access (Taste F1)
Downloads: http://www.dbdev.org

Bill Sanderson · Mar 23, 2005

There's no automatic upgrade during the beta--new builds are requiring new
downloads. I reproduced on .509, fwiw.

Michael · Mar 24, 2005

I have the same thing, but it happend to me after
clicking on my autoexec. file in windows. Hidden. I just
posted in general about this and am now just reading
this. So I guess I need not worry. Correct? Michael

Bill Sanderson · Mar 25, 2005

I think you are correct--thanks for providing a concrete example where a
user could be unnecessarily alarmed by this misdetection.

The autoexec.bat file normally lives in the root of the drive windows boots
from, and isn't normally hidden--you can look at it with notepad, for
example. If you confirm that it is empty via notepad, or by looking at the
length in a file listing, that'd be enough evidence for me that this is the
same issue.

Thanks for reading before posting!

False PoeBot.Explorer Trojan	4	Mar 30, 2005
pws.bancos.a trojan	8	Feb 10, 2006
MS antispyware could not remove trojan spyware	2	Aug 27, 2005
False Trojan detection for ATI Catalyst Panel?	6	Aug 7, 2005
#1 feature request and might consider adding please	1	May 13, 2005
Same problem looks like a trojan	2	Feb 16, 2005
False positive	4	Mar 14, 2006
XP Firewall Suddenly Turned Off	2	Sep 20, 2008

Wrong trojan detection (BoeBot.Explorer)

Henry Habermacher [MVP Access]

Bill Sanderson

Henry Habermacher [MVP Access]

Bill Sanderson

Michael

Bill Sanderson

Ask a Question

Similar Threads