Trojan horse Downloader.Generic.ML

Gargantu Butt

It's the file C:\NULL

Suddenly shortly after cold boot my fully updated (WinUp) and patched W98se
PC reported the above noted infection. It's Grisoft free AVG with the
latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
earlier with no indication of any problems. There are still no indications
of any problems EXCEPT that AVG claims it's found this trojan. There have
been no floppy operations/mounts, no CD operations/mounts and no downloads
and installs of anything since an hour before shutdown last night and now.

From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
PC finding nothing.

So where and how did this file C:\NULL that AVG claims is Trojan horse
Downloader.Generic.ML appear from? Was it really there since 5/5 but went
unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
suddenly downloaded a new definition file which started seeing this trojan?
OR did something penetrate all the firewalls and suddenly spawn this file
which AVG quickly recognized?

What likely happened here?

The operation I was in the middle of when AVG popped up was reading a text
only no attachment NG message in OE 6.00.2800.1123.


Does the machine possess an ATI graphics card?
I got c:\null on my machine. File size is just shy of 1 MB.
Viewing the content I see mainly binary gibberish but what does stick
out prominently is numerous references to ATI drivers. The file looks
to be part of the ATI driver installer.

Text content includes weird stuff like:

ATI2I9AG
IDCGETMODESAVAILABLE
IDC_ENABLECRTCONTROLLER
IDCSETGAMMAMODE

and

Path INFO INIT 00 01 Driver SOFTWARE\ATI Technologies\...
QSInitForDisplayDriver ati2cqag.dll

and so on.

Can't say if your file is the same type of thing but I know mine had
me guessing for a while. I meant to move the file to a place of
quarantine but I forgot. The file date on my file is Nov 13, 2003

Joachim
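
Joachim's approach of opening the file and looking for readable fragments is the standard first triage step for an unknown file. The script below is an added example (my code, not anything posted in this thread) that automates it: it computes hashes for look-up, pulls out printable ASCII and UTF-16LE runs the way `strings` does, and sorts them by what they indicate. The input is a constructed byte blob that mimics what Joachim describes (vendor identifiers, a registry path, a driver DLL name) plus one URL so the URL check has something to find; it is not the real C:\NULL, and the indicator list, its labels and the example.invalid URL are my own.

```python
"""Offline triage of an unknown file: hashes for look-up, embedded strings,
and a rough sort of those strings into what they indicate."""
import hashlib
import re

# Constructed stand-in for an unknown file such as C:\NULL (NOT the real file):
# filler bytes with a few readable fragments embedded the way a driver
# installer payload carries them, one wide (UTF-16LE) string, and one URL so
# the URL check below has something to find.
SAMPLE_FILE = (
    b"\x00\x13\x8f\xa2MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"ATI2I9AG\x00\x00\x7f\x01IDCGETMODESAVAILABLE\x00\x9c\x11"
    b"IDC_ENABLECRTCONTROLLER\x00\x02\x00IDCSETGAMMAMODE\x00\xde\xad"
    b"SOFTWARE\\ATI Technologies\\Driver\x00\x00\x01QSInitForDisplayDriver\x00"
    b"ati2cqag.dll\x00\x00"
    + "ATI Display Driver".encode("utf-16-le")
    + b"\x00\x00\x03\x7f\x10http://example.invalid/dl.exe\x00"
)

# Hypothetical indicator list; a real triage script would carry many more.
INDICATORS = {
    "vendor:ATI":    re.compile(r"\bati\b|ati2", re.I),
    "registry-path": re.compile(r"^(HKLM|HKEY_|SOFTWARE\\)", re.I),
    "module-name":   re.compile(r"\.(dll|sys|vxd)$", re.I),
    "url":           re.compile(r"^(https?|ftp)://", re.I),
    "download-api":  re.compile(r"URLDownloadToFile|InternetOpenUrl|WinExec", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both plain ASCII and UTF-16LE (Windows wide strings)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_run.finditer(data)]
    return sorted(found)


def classify(strings: list) -> dict:
    """Group extracted strings by the indicator patterns they match."""
    hits = {}
    for _offset, _encoding, text in strings:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(text)
    return hits


def triage(data: bytes, min_len: int = 4) -> dict:
    strings = extract_strings(data, min_len)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),      # what most AV look-ups key on
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "indicators": classify(strings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FILE)
    print(f"size={result['size']} md5={result['md5']} sha256={result['sha256']}")
    for offset, encoding, text in result["strings"]:
        print(f"  {offset:#08x} {encoding:8s} {text}")
    for label, texts in result["indicators"].items():
        print(f"{label}: {len(texts)} hit(s)")
```

The same two-step reading applies to the real file: look the hashes up with the AV vendor, then read the strings. Vendor identifiers and driver registry paths next to each other, with no URLs or download APIs, point towards installer leftovers as Joachim suggests; URLs, download or process-launch API names, or packer markers are what would justify treating it as the downloader AVG claims. Either way the strings are a lead, not a verdict, since a downloader can carry vendor strings as camouflage.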

Jason Edwards

Ron Reaugh said:
Recommended by who?

There was a Microsoft technet article giving just this advice but I've not
been able to find it.
Are you saying that all these virus checkers and
cleaners/disinfectors are frauds as that can't possibly work reliably?? If
so then I know how to build an app that can detect any infection...I assumed
that such had already been done. Start with an app that does some kind of a
fancy encrypted CRC of all the relevant files on a HD and then it keeps an
encrypted database of same for later comparison...I didn't say it was
pretty.

Ok so why don't virus scanners use this method?
Clean install isn't a rational/reasonable option.

It doesn't take very long with drive imaging software and an external USB
2.0 hard drive.
There are other methods.

Jason

kurt wismer

Ron said:
I thought they protected against virus like behavior.

only behaviour blockers stop so-called 'virus-like' behaviour... nobody
uses behaviour blockers, though... probably because they typically ask
the user far too many questions s/he doesn't have good answers for...
AH, how about ZoneAlarm???

only if it blocks the sharing of the root directory itself...

kurt wismer

Jason said:
Ok so why don't virus scanners use this method?

because then they wouldn't be virus scanners, they'd be integrity
checkers... there actually are products out there that do this sort of
thing, but they aren't used by nearly as many people as use scanners...

kurt wismer

Jason Edwards wrote:
[snip]
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness... no security is perfect,
does that render all security useless? no...

virus scanners are not useless, they just don't offer perfect protection...

[snip]
There was a Microsoft technet article giving just this advice but I can't
find it, maybe someone else can unless it's gone.

they probably got rid of it to pave the way for their new anti-virus
offering...

Jason Edwards

kurt wismer said:
Jason Edwards wrote:
[snip]
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness...

I've yet to see a virus scanner advertised as being fallible.
How are users going to know that virus scanners are fallible?
no security is perfect,
Yes

does that render all security useless? no...

Where did "all security" come from? Not from me.
I sometimes advise installation of a virus scanner because it will be better
than nothing and anyway the user wants one because everyone else has one so
it must be the only way to prevent viruses.
virus scanners are not useless, they just don't offer perfect
protection...

So they are fallible as you say.
How many home Windows users know that their virus scanner is no guarantee
that an undetected trojan isn't sending their personal information to almost
anywhere?

Jason
[snip]
There was a Microsoft technet article giving just this advice but I can't
find it, maybe someone else can unless it's gone.

they probably got rid of it to pave the way for their new anti-virus
offering...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"

Jason Edwards

kurt wismer said:
because then they wouldn't be virus scanners, they'd be integrity
checkers...

And the user would get more "this file has changed" messages than they'd
know what to do with.
there actually are products out there that do this sort of
thing, but they aren't used by nearly as many people as use scanners...

If you're running 2000 or XP, start, run, cmd, type sfc
Before using it, be aware that it's your own problem if you get into a mess.

Jason
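
The scheme Ron sketches upthread (a keyed checksum of every relevant file, kept in a protected database for later comparison) is what kurt calls an integrity checker, and what sfc approximates for system files only. As an added illustration, not code from anyone in this thread, here is a minimal one in Python: an HMAC-SHA256 per file with a key that is meant to live off the machine, a sealed baseline so the database itself cannot be quietly edited to match a tampered file, and a diff that reports added, removed and changed files. The scratch directory tree, the file names and the simulated tampering are constructed for the demo.

```python
"""A keyed file-integrity baseline (the 'encrypted CRC database' idea):
record an HMAC of every file once, seal the database, and diff later."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Extensions that count as "relevant" code so documents don't flood the report.
# A None filter means every file, which is what catches an extensionless drop
# such as C:\NULL.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".vxd", ".com", ".ocx", ".scr", ".bat", ".pif"}


def file_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents. A plain CRC or hash can be recomputed
    by whoever changed the file; the keyed MAC cannot without the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes, suffixes=CODE_SUFFIXES) -> dict:
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (not suffixes or p.suffix.lower() in suffixes):
            entries[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, "hmac": file_digest(p, key)}
    return entries


def seal(entries: dict, key: bytes) -> bytes:
    """Serialise the baseline and append a MAC over it, so the database itself
    cannot be edited to match a tampered file without detection."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob: bytes, key: bytes) -> dict:
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database tampered with, or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in both if baseline[k]["hmac"] != current[k]["hmac"]),
    }


def demo() -> dict:
    """Baseline a scratch tree, tamper with it, and report what changed."""
    key = os.urandom(32)  # in real use: generated and kept off the machine
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system = root / "WINDOWS" / "SYSTEM"
        system.mkdir(parents=True)
        (system / "ati2cqag.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (system / "kernel32.dll").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "readme.txt").write_text("not code")
        sealed = seal(build_baseline(root, key, suffixes=None), key)

        # Simulated compromise: one DLL patched in place (same size), one
        # extensionless file dropped in the root directory.
        (system / "kernel32.dll").write_bytes(b"MZ" + b"\x90" * 63 + b"\xcc")
        (root / "NULL").write_bytes(b"\x00" * 16)
        report = compare(unseal(sealed, key), build_baseline(root, key, suffixes=None))
        # What a suffix-filtered scan would never have looked at:
        report["missed_by_suffix_filter"] = [
            n for n in report["added"] if Path(n).suffix.lower() not in CODE_SUFFIXES]
    return report


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Two caveats raised in this thread apply directly. A comparison run from inside a compromised OS, Safe Mode included, can be lied to by a kernel-level rootkit that serves the original bytes to the checker, so the result is only trustworthy when run from a clean boot medium against the suspect disk, with the key and the sealed baseline stored elsewhere. And "changed" only means something relative to a baseline taken when the machine was known clean and refreshed after each trusted update; otherwise the output is the flood of "this file has changed" messages Jason describes. Note too that filtering to executable extensions would have skipped an extensionless file like C:\NULL, which is why the demo baselines every file.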

Ron Reaugh

Jim Byrd said:
Hi Ron - A2 is designed specifically to detect Trojans. The only _virus_
scanner I'm aware of that offers comparable _Trojan_ detection is
SysClean.


OK, so I did the whole SysClean thing from the very latest stuff (691) at
Trend. I did however use Safe Mode GUI on the affected system to host the
process rather than a totally clean OS install. It found NOTHING!.....it
took about 12 hours to complete the process.

Is there any reason to believe that A2 would be worthwhile? Is trying it
again using a clean OS install (move HD to another clean PC or boot from
floppy) really useful? Is it just a Cartesian paranoid possibility that
something could be in the SafeMode OS environment and could be "deceiving"
the scan? Are such deceptions well known or just some theoretical
possibility?

kurt wismer

Jason said:
kurt wismer said:
Jason Edwards wrote:
[snip]
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you
were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness...

I've yet to see a virus scanner advertised as being fallible.
How are users going to know that virus scanners are fallible?

oh, i don't know... a little saying that goes "nothing's perfect", perhaps?

of course whether or not the user knows their product is fallible has no
bearing on whether or not the product is useless or useful...
Where did "all security" come from? Not from me.
I sometimes advise installation of a virus scanner because it will be better
than nothing and anyway the user wants one because everyone else has one so
it must be the only way to prevent viruses.

it is one of many layers of protection that users should be using...
unfortunately it's often the only layer they're actually using...
So they are fallible as you say.
How many home Windows users know that their virus scanner is no guarantee
that an undetected trojan isn't sending their personal information to almost
anywhere?

non-sequitur... that doesn't affect whether or not the scanner is useful...

Ron Reaugh

Chris Salter said:
Cert & Microsoft. Google it.

Google what exactly?
? His text didn't even hint at them being frauds. Can't work reliably
when compromised yes.

Define "compromised"?
It has been done, host based IDS. Its still unreliable in the case of
being owned or root-kitted.


It's entirely up to whether you reinstall. (It doesn't take long

HUH? With all the app installs, updates and settings to recreate one's
working environment, it is often a huge and tedious job. AND a job that
the immediate user might not be up to undertaking.
so I
don't understand why you wouldn't.)


Your flawed logic maybe. The real logic would dictate that you would
reinstall windows, recover executable data from a known good backup,

Define "known good"!
and
restore the data from a recent backup. At this point the data is still
untrustworthy so you would have to test it, check it etc etc.

That's the catch 22. If one's virus checkers weren't up to detecting it
before/at the fact then why be confident that "test it, check it etc etc."
has any meaning.

Fixing the system in place is the much more reasonable route. That of course
assumes that there are competent and effective tools to help one do that.
The conclusion one might draw from what you and a few others have been
saying is that no such tools exist?

Ron Reaugh

Jason Edwards said:
Sure. Some time ago


"Some time ago" seems to be confirming what I said.

Now did your test PC have a then current virus checker and a then current
firewall?
I was curious about strange messages with links
appearing in newsgroups, so I set up an isolated PC with its own broadband
connection running Windows 98 with ALL updates and clicked one of the links.
This took me to a website offering adult material. I can't remember the
details but it had some clever way of getting me to scroll down and click. A
quick run of hijackthis then discovered that a trojan had been planted in
the startup folder and was waiting to run on the next startup.
The computer was then wiped and restored from a clean image.
I got rid of the trojan file about a week later, it was kept only to verify
that two popular virus scanners were still pronouncing it clean after a
week.


OK. so I assume you finished the experiment and can tell us when "two
popular virus scanners" DID start finding it?
for?

I thought I'd already explained that no matter how hard they look they can't
be expected to include all malware the same day it's written. Some may only
be included months later, or perhaps never.


"never" implies incompetence/fraud or that the infection was a very special
one target thing.
Sure it's the usual model for a home Windows user but it is not effective
for the reasons you have discovered for yourself. Personal software
firewalls are useless because there are many ways for malware to bypass
them. Malware might ride on another application such as Internet Explorer,
it might answer the firewall's popup questions itself, it might shut the
firewall down completely, it might prevent the firewall from getting
updates, etc.
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.


OK, so tell us all the secret solution save the daily clean OS install that
seems so popular here
done 5/5
but morning
AVG

I find that unlikely but barely possible.

Barely possible would be more than enough for me. I'd rather make it
impossible. To do that you arrange to prevent any executable code getting
where you don't want it. This is likely to be impossible with a Windows 98
PC connected directly to a broadband connection where everything has
complete access to everything else.
Consider an external firewall box which stops it getting to the PC in the
first place.
An anti-virus vendor may manage to do an update in less than a day if the
virus/trojan is all over the news but it may otherwise take longer. Trojan
writers are not under any obligation to send copies of their trojans to
anti-virus vendors.

OR did something penetrate all the firewalls and suddenly spawn this file
which AVG quickly recognized?

I have no idea where C:\NULL came from but if it were on my PC I would want
to know what it was.
If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
to see what was there.

After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
hourly to spot undesirable files. That's what I got AVG etc. for.

I don't either, but I don't allow additional executable files on to the
system in the first place, so I don't have to go file spotting very often on
my own machines. I also don't need AVG.


I'd also find out whether anything in there was referenced during startup.
For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
or just regedit.


What likely happened here?

Impossible to say. One possibility is that you got something via an
unpatched IE vulnerability.

I was under the impression that there weren't any of these that have
resulted in actual infections any time recently. Lots of new
vulnerabilities keep being found and reported and fixed. And that's all
before there are any infections/penetrations using them and that's what I've
been hearing for over a year.

Who have you been hearing this from?

Where have you been hearing the other from?
Ask yourself why there is a cumulative update every month.

YES, please do so. Have you been reading about the intense preemptive work
going on to find the holes before the hackers? From what I've heard that's
been effective down to within a day or two for the last year or two.
References otherwise?

How about the experiment I did with the isolated windows 98 PC described
above.


"Some time ago"....
It may be that this hole has since been patched but it makes no difference
to me, I will continue to trust no executable code unless I'm very sure
about where it came from and what it's going to do to my system.
You may say that it's difficult or impossible to keep adware off a Windows
PC. But this is not the same as asking whether or not it can be done.


HMM, now that sounds like something I'd say.
There was a Microsoft technet article giving just this advice but I can't
find it, maybe someone else can unless it's gone.


No. What I have established is that you are understandably upset about the
fact that you did everything you thought you had to do (virus scanner,
personal firewall, spyware remover) but you STILL got a trojan.


YES, now if someone would care to describe in more detail why that came to
pass rather than hyperbole and paranoid rantings then I'd be happy. Is that
protection model many are using totally bogus?
It's not my fault if you would rather attack the person giving you this
information instead of asking yourself why the methods you've applied so far
are not working.


HMM, am I the OP of this thread?
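
Jason's suggestion upthread, to find out whether anything references the file at startup (with Spybot's advanced mode, HijackThis or plain regedit), can also be done offline from an export. The script below is an added example of mine, not code from anyone in this thread: it parses a regedit export (`regedit /e file.reg` on the suspect machine, read on a clean one), lists what the Run/RunOnce/RunServices keys start, and flags entries that reference a given path, have no file extension, or sit outside the usual program directories. The .reg text, the value names and the program paths in it are constructed for a hypothetical machine, and the "usual directories" list is a prioritisation heuristic I chose, not a trust boundary. It covers only the registry Run keys; on Win9x the StartUp folder, win.ini (load=/run=), system.ini (shell=) and autoexec.bat are further places to check, and HijackThis lists those too.

```python
"""Offline check of what a suspect file is referenced from in the Windows
autostart registry keys, working from a regedit export (.reg) so it can be
read on a clean host rather than on the possibly compromised machine."""
import re

# Keys that start programs at logon; HKLM and HKCU both count.
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
# Directories a Win9x machine normally starts programs from (heuristic only;
# anything else merely deserves a first look, it is not proof of anything).
USUAL_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRA~1\\", "C:\\Program Files\\")

# Constructed sample export for a hypothetical machine (not the poster's).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ZoneAlarm"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zlclient.exe"
"LoadNull"="C:\\NULL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
EXE_PATH = re.compile(r'^"?(.+?\.(?:exe|com|dll|scr|bat|pif|vbs|vxd))(?:"|\s|$)', re.I)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; only string values are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            token, value = m.group(1), m.group(2)
            name = "@" if token == "@" else _unescape(token[1:-1])
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def autostart_entries(keys: dict) -> list:
    wanted = tuple(k.upper() for k in AUTOSTART_KEYS)
    return [(key, name, cmd) for key, values in keys.items()
            if key.upper().endswith(wanted) for name, cmd in values.items()]


def program_path(command: str) -> str:
    """Best-effort split of 'C:\\dir\\prog.exe /flag' into the program path."""
    m = EXE_PATH.match(command)
    return m.group(1) if m else command.strip('"').split(" ")[0]


def report(keys: dict, suspect: str = None) -> list:
    """Every autostart entry with the reasons, if any, it deserves a look."""
    out = []
    for key, name, cmd in autostart_entries(keys):
        path = program_path(cmd)
        flags = []
        if not path.upper().startswith(tuple(d.upper() for d in USUAL_DIRS)):
            flags.append("outside the usual program directories")
        if "." not in path.rsplit("\\", 1)[-1]:
            flags.append("no file extension")
        if suspect and suspect.upper() in cmd.upper():
            flags.append(f"references {suspect}")
        out.append({"key": key, "name": name, "command": cmd, "flags": flags})
    return out


if __name__ == "__main__":
    for e in report(parse_reg(SAMPLE_REG), suspect="C:\\NULL"):
        mark = "!!" if e["flags"] else "  "
        print(f"{mark} {e['name']:14s} {e['command']}  {'; '.join(e['flags'])}")
```

If nothing in these keys or the other startup points references the file, that leans towards Joachim's explanation of an inert installer leftover; a reference from a Run key to an extensionless file in the root of C: is the kind of thing that would justify pulling the disk and scanning it from a clean system.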

Ron Reaugh

Jason Edwards said:
It doesn't take very long with drive imaging software and an external USB
2.0 hard drive.

Glad to see that some folks actually know how to do backups these days. I
like removable SATA drives in shock mounted trays like KingWin KF-83 but
USB2 works well.

Ron Reaugh

kurt wismer said:
only behaviour blockers stop so-called 'virus-like' behaviour... nobody
uses behaviour blockers, though... probably because they typically ask
the user far too many questions s/he doesn't have good answers for...


only if it blocks the sharing of the root directory itself...

Well, "blocks" or notices and queries? Does ZA deal with sharing settings
or only deal with actual file access attempts?

Ron Reaugh

kurt wismer said:
because then they wouldn't be virus scanners, they'd be integrity
checkers

EXACTLY! That's the condition precedent.
... there actually are products out there that do this sort of
thing, but they aren't used by nearly as many people as use scanners...

A url or two please.

Ron Reaugh

kurt wismer said:
Jason Edwards wrote:
[snip]
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness... no security is perfect,
does that render all security useless? no...

RIGHT, and your view plus the apparent failure of the normal model in my
case is why I'm the OP of this thread and am trolling for hints about an
improved model.

Ron Reaugh

Jason Edwards said:
kurt wismer said:
Jason Edwards wrote:
[snip]
Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness...

I've yet to see a virus scanner advertised as being fallible.
How are users going to know that virus scanners are fallible?

Did I use the word fraud before in this thread?

Ron Reaugh

Gabriele Neukam said:
On that special day, Chris Salter, ([email protected]) said...


The Microsoft page is

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx


AH, yes a horribly paranoid clean install and burn the backups article (yes,
I read it) by someone who should be off with Descartes looking for the evil
demons. I say "It boots and surfs so therefore it is." Now let's make it
do it better and catch those nasty lurking little demons and exorcise
them....after all I don't have launch codes on this system.