MSN Toolbar Suite installer contains, or allows, viruses?

Clay Calvert

I just downloaded and installed Microsoft's new beta Toolbar suite,
version 2.0.0.1180, from here: http://beta.toolbar.msn.com/. In the
process of letting it run 2 hours SAV found 10 viruses in the
following directory:

C:\Documents and Settings\USERNAME\Local Settings\Application Data\MSN
Toolbar Suite\DS\Temp\rssgthrsvc

The above directory did NOT exist before this toolbar was installed.
Here are the dates and names involved.

Date              Virus Name          Filename
12/13/2004 21:46  VBS.LoveLetter.CI   1228.eml
12/13/2004 21:03  VBS.LoveLetter.CI   1228.eml
12/13/2004 21:02  VBS.LoveLetter.CI   834.eml
12/13/2004 20:35  VBS.LoveLetter.CI   834.eml
12/13/2004 20:34  EICAR Test String   cd8_eicar.com
12/13/2004 20:23  VBS.LoveLetter.CI   1228.eml
12/13/2004 20:17  Happy99.Worm        cd8_Happy99.exe
12/13/2004 19:48  W95.MTX.dr          cd8_Me_nude.AVI.pif
12/13/2004 19:45  W32.Beagle.AR@mm    cd8_Price.scr.VIRUS
12/13/2004 19:45  W32.Beagle.AR@mm    cd8_Price.scr.VIRUS

I shortened some of the names starting with "cd8" so they wouldn't
wrap, and I know that EICAR is a harmless string, but this frightens
me. My SAV is up to date and so are my hotfixes. My system is
dual-firewalled, both software and stateful inspection hardware.

This definitely looks like something was opened up by the toolbar
installation.

Has anyone else installed this utility and/or seen similar behavior?

Thanks

Clay Calvert
(e-mail address removed)
Replace "W" with "L"
 
Mal

Clay said:
I just downloaded and installed Microsoft's new beta Toolbar suite,
version 2.0.0.1180, from here: http://beta.toolbar.msn.com/. In the
process of letting it run 2 hours SAV found 10 viruses in the
following directory:

C:\Documents and Settings\USERNAME\Local Settings\Application Data\MSN
Toolbar Suite\DS\Temp\rssgthrsvc

I'll hazard a guess here.

Your email (Outlook Express maybe) has been sent various viruses in
previous times. They are still in your inbox or similar areas.

This new beta goes over your computer and indexes various things. I
assume this also includes emails.

So the emails get extracted from your inbox and parsed.

These infected emails get extracted to the working directory for MSN
toolbar, and Sophos sees the executable virus files and starts screaming...

Plausible?
 
Clay Calvert

I'll hazard a guess here.

Your email (Outlook Express maybe) has been sent various viruses in
previous times. They are still in your inbox or similar areas.

This new beta goes over your computer and indexes various things. I
assume this also includes emails.

So the emails get extracted from your inbox and parsed.

These infected emails get extracted to the working directory for MSN
toolbar, and Sophos sees the executable virus files and starts screaming...

Plausible?

You just might be right. I did find two infected messages with the
same type of virus in my deleted items, and I do remember e-mailing
the Eicar test 'virus' long ago. I'm still trying to track down the
other three or so viruses.

Thanks

Clay Calvert
(e-mail address removed)
Replace "W" with "L"
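
One way to test the explanation reached in this thread, as an added example that is not part of any post above: hash the files the scanner flagged in the indexer's temp directory and match them against the attachments of messages still in the mail store. It assumes the messages have been exported as raw RFC 822 (.eml) bytes; the function names, labels and sample data are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def attachment_hashes(raw: bytes) -> dict:
    """Map SHA-256 -> filename for each attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = {}
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        data = part.get_payload(decode=True) or b""
        out[hashlib.sha256(data).hexdigest()] = part.get_filename()
    return out

def trace_flagged(flagged: dict, mailbox: dict) -> dict:
    """flagged: {temp filename: bytes}; mailbox: {label: raw message bytes}.
    Returns {temp filename: (mailbox label, attachment name) or None}."""
    index = {}
    for label, raw in mailbox.items():
        for digest, name in attachment_hashes(raw).items():
            index[digest] = (label, name)
    result = {}
    for fname, data in flagged.items():
        # A flagged file is either a bare extracted attachment or a whole .eml copy.
        candidates = [hashlib.sha256(data).hexdigest(), *attachment_hashes(data)]
        result[fname] = next((index[d] for d in candidates if d in index), None)
    return result

def build_sample() -> tuple:
    """Constructed, harmless sample data (not taken from the thread)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("body")
    payload = b"constructed harmless attachment bytes"
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    mailbox = {"Deleted Items/1": msg.as_bytes()}
    flagged = {"cd8_sample.bin": payload,          # bare attachment copy
               "sample_copy.eml": msg.as_bytes(),  # whole-message copy
               "unrelated.exe": b"not from mail"}  # no mailbox origin
    return flagged, mailbox

if __name__ == "__main__":
    for name, origin in trace_flagged(*build_sample()).items():
        print(name, "->", origin or "no matching mail attachment")
```

A flagged file that maps back to a mailbox attachment supports the indexing explanation; one that maps to nothing still needs its origin traced.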
 
