False PoeBot.Explorer Trojan

[=?iso-8859-1?Q?Pedro_Gon=E7alves_=5BMCSD=5D?=]

Hi all,

I found what I think is a bug of AntiSpyware.
I created a new Text Document on my desktop using the
rigth-click of the mouse. Then I change its name to
Test.vbs, to create a Visual Basic Script I needed to
test. Then I rigth-click it with the mouse and said to
open it with Visual Studio .NET 2003, and a warning
Alert! apeared in my desktop saying that the
PoeBot.Explorer Trojan is trying to install in my machine!
At the first time I thougth it may be true and asked to
remove it. The tool remove it with success!!!

But after 2 more tries I understand that it happen by my
edit command.

Regards to all,
Pedro Gonçalves

 

[Andre Da Costa]

Best recommendation then would be to
restart in safe mode and do a deep
scan. On the Scan Page choose Scan Options > Full System Scan. Do this at
least two times until detects something. Also, before you restart in safe
mode, disable System Restore, some trojans and spyware programs are likely
to restore themselves with system snap shots:

Right click My Computer > Properties > System Restore, check the "Disable
System Restore" check box and restart in safe mode.

Restart in safe mode instructions:
www.microsoft.com/resources/documentation/
windows/xp/all/proddocs/en-us/boot_failsafe.mspx

Remember, this is still beta and cannot be judged as a finished shipping
product. I also recommend using additional AntiSpyware utilities in tandem
with Microsoft AntiSpyware, also use your Antivirus solution to do a
thorough scan in safe mode also and ensure that it fully up to date.

Ad-Aware - www.lavasoftusa.com
Spybot - http://www.safer-networking.org/
CWShredder - http://www.intermute.com/products/cwshredder.html
Spy Sweeper - www.webroot.com

PoeBot.Explorer is actually Spyware, check here:
http://www.cybersoft.com/about/alerts.php

Bill Sanderson on the otherhand said its a false positive:
I have seen Poebot detected on
my own machine, and believe it to be a false positive.
--

Andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

message Hi all,

I found what I think is a bug of AntiSpyware.
I created a new Text Document on my desktop using the
rigth-click of the mouse. Then I change its name to
Test.vbs, to create a Visual Basic Script I needed to
test. Then I rigth-click it with the mouse and said to
open it with Visual Studio .NET 2003, and a warning
Alert! apeared in my desktop saying that the
PoeBot.Explorer Trojan is trying to install in my machine!
At the first time I thougth it may be true and asked to
remove it. The tool remove it with success!!!

But after 2 more tries I understand that it happen by my
edit command.

Regards to all,
Pedro Gonçalves

 

[Bill Sanderson]

You are correct--this is a false postive.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

message Hi all,

I found what I think is a bug of AntiSpyware.
I created a new Text Document on my desktop using the
rigth-click of the mouse. Then I change its name to
Test.vbs, to create a Visual Basic Script I needed to
test. Then I rigth-click it with the mouse and said to
open it with Visual Studio .NET 2003, and a warning
Alert! apeared in my desktop saying that the
PoeBot.Explorer Trojan is trying to install in my machine!
At the first time I thougth it may be true and asked to
remove it. The tool remove it with success!!!

But after 2 more tries I understand that it happen by my
edit command.

Regards to all,
Pedro Gonçalves

 

[Steve Dodson [MSFT]]

This is a false positive... I'll file a bug tomorrow morning..

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Bill Sanderson]

I thought I might have already, but see that I did not.

Here's where this one may be a significant issue: The typical autoexec.bat
on XP is just such an empty .bat file.

Losing it isn't a big deal, but if it is found on scans, lots of people will
be needlessly alarmed. I'm unclear what happens with this detection--I've
seen it found on a scan, but not been able to verify the details of what was
found--I only saw it in history.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

This is a false positive... I'll file a bug tomorrow morning..

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

You are correct--this is a false postive.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

message Hi all,

I found what I think is a bug of AntiSpyware.
I created a new Text Document on my desktop using the
rigth-click of the mouse. Then I change its name to
Test.vbs, to create a Visual Basic Script I needed to
test. Then I rigth-click it with the mouse and said to
open it with Visual Studio .NET 2003, and a warning
Alert! apeared in my desktop saying that the
PoeBot.Explorer Trojan is trying to install in my machine!
At the first time I thougth it may be true and asked to
remove it. The tool remove it with success!!!

But after 2 more tries I understand that it happen by my
edit command.

Regards to all,
Pedro Gonçalves