Trojan horse Downloader.Generic.ML

[Ron Reaugh]

Hi Ron - No, if you've already let A2 clean things (except c:\null?), then
that's OK, although I'd at least run it again and be sure it's still clean
in Safe or Clean Boot, then again after a normal boot (if you didn't already
do this). These things can often re-infect themselves.

As to rootkitresponder - it would be good IMO to increase your confidence
that this (a rootkit) hasn't happened, given the atypical circumstances of
your infection. But of course running this and using the HiJackThis
approach are entirely your choice. Those were just my recommendations,
since in my experience multiple tools can give more complete confidence in a
clean system, particularly when starting from an unknown infection point.
(For well know infections there often exist specific tools which are very
efficient in clean up that specifc malware.)

I understand completely and agree with your thinking....BILLY PLEASE SAVE US
AGAIN.

OK, Ron - If you got that from A2 then I would believe a real
infection which, when you're ready, you can have A2 try and clean.

Well I thought it was already cleaned...well. It wanted to delete
c:\null but I said no for now. I did let it delete all the other
stuff. Is there some whole other step that I'm missing? I will say
that after the A2 run and deletions that something is
different....BETTER. Does it do more than advertised?

I would recommend
two additional steps at this point if you wish to continue to
investigate.

OH SHIT, you're trying to send me on a whole new career path. I was
pleased as punch when Gates saved the world from NetRoom and Stacker
hell....I did that career path fully. Please Billy save us all and
start including a robust equivalent set of tools/fixes in SP3 or
maybe that new service that's coming! This is going out of control.
How can the average PC user hope to survive? Billy needs to save em
all again. In the mean time the Geek Squad can't hope to handle such
so they'll just have to keep payin folks like me $100/hr. to keep
there PCs running. Most don't. Most don't keep running....they just
buy a new PC.....I wonder if mikey is financing the malware

First, download and run Mark Russinovich's rootkitrevealer from
www.sysinternals.com.

I DON'T WANNA! But the I really didn't wanna screw with A2 either
and look what happened. I have fastidiously avoided HiJackThis for
several years now. I don't wanna go here. I want something to just
handle it all...damnit.

Then, I would also download and run HiJackThis and post your results
to one of the forums. There are experts there who can help you
considerably with this:


Download HijackThis, free, here:

http://209.133.47.200/~merijn/files/HijackThis.exe (Always download
a new fresh copy of HijackThis [and CWShredder also] - It's UPDATED
frequently.)

You may also get it here if that link is blocked:

http://www.majorgeeks.com/downloadg...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

 

[Ron Reaugh]

I would define a compromised system as one that has an ongoing or
repeatable security breach. Ongoing as in an active trojan, and
repeatable as in a trapdoor that allows the attacker to re-enter the
system after you thought you had secured it.


Backups made before any malware could have had access to it or from a
read only media so that malware couldn't have had such access.

The existence of which is a Cartesian impossibility.

An
install CD with slipstreamed patches and copies of the original
application software could qualify - but this is highly subjective
because 'known good" isn't always good in practice.


Maybe now they have added detection for that which has affected tha data
store.

that.

The best tools are the ones that help you to prevent having to use
recovery tools.


Exactly - no tools exist to fix unknown problems.

Can you say heuristic?

 

[David W. Hodgins]

Back to my original issue, why would AVG be detecting c:\null at that
moment. What could have caused AVG resident to detect a file in c:\ at that
moment EXCEPT watching/checking some file I/O to that file at that moment?

The virus definitions may have been updated.
The date on the file may not reflect it's actual creation date.

Keep in mind that on access scanning, does not normally scan non-executable
files. On demand scanning, only does so, if you specify it in the configuration
settings.

As to the question, of when to format/reinstall, it's easier to describe when it
isn't needed.

If you know what malware was installed, how it got installed, can be confident that
that's the only malware that was installed, and that malware does not provide
remote access, then it's safe to just clean it using whatever tools are most
suitable.

Otherwise, you should assume all executables (including macros etc), are compromised.

You could boot from a known clean boot media, and compare every executable, to the
files from the installation sources, but it's usually faster to just reinstall.

In most cases, just using an appropriate anti malware tool, to remove the infection,
will be effective, but you cannot/should not count on it. If the pc is used for
any financial activity (online banking, etc), failing to wipe/reinstall, and change
all passwords, could be expensive. Same with failure to remove a dialler, if you
have a regular modem connected to a phone line. Remote access tools can also get
your account terminated for sending spam etc, or cause reputation loss, if everyone
in your address book gets spammed with malware, from your computer.

Regards, Dave Hodgins

 

[Ron Reaugh]

moment?

The virus definitions may have been updated.
The date on the file may not reflect it's actual creation date.

YES, but since then I left the file there and today's AVG update did NOT
trigger a detection. Later I selected to scan selected area(C:\) and it
immediately detected it. So my conclusion is that in fact there was I/O to
that file at that original moment. A moment that appears to correspond to
nothing.

 

[Roger Wilco]

definition.


Hours or a day or two seems to be what's happening.

Yes with worms, viruses, and mass distributed trojans which become
noticeable very quickly. Not all malware will be that blatant.

[snip]

'restore as' hangs...'restore' works and I submitted to www.virustotal.com
....see my other posts.

Having so many of those scanners FP on that file (if that is what is
happening) is very disappointing.

As I already posted...no other file in the system has 5/5/5...but I noticed
that date at the time.....wait til next year<G>.

Oh well - it was worth a try.

 

[Roger Wilco]

The existence of which is a Cartesian impossibility.

Ok, W.O.R.M media then - and I did say it was highly subjective (below).
)

An
install CD with slipstreamed patches and copies of the original
application software could qualify - but this is highly subjective
because 'known good" isn't always good in practice.

[snip]

Exactly - no tools exist to fix unknown problems.

Can you say heuristic?

Yes I can - but that is beside the point. Heuristics still deal with
what is known.

 

[Ron Reaugh]

definition.


Hours or a day or two seems to be what's happening.

Yes with worms, viruses, and mass distributed trojans which become
noticeable very quickly. Not all malware will be that blatant.

[snip]

'restore as' hangs...'restore' works and I submitted to www.virustotal.com
....see my other posts.

Having so many of those scanners FP on that file (if that is what is
happening) is very disappointing.

It's NO FP. A2 flags it also. It's for real. The designer may have been
targetting the margin between the real and the false positive in various
scanners. It's something new apparently. I may have been an early/alpha
case. It appeared on my system from thin air seemingly and on the same day
that AVG started seeing it....just a coincidence.....

 

[Ron Reaugh]

The existence of which is a Cartesian impossibility.

Ok, W.O.R.M media then - and I did say it was highly subjective (below).
)

An
install CD with slipstreamed patches and copies of the original
application software could qualify - but this is highly subjective
because 'known good" isn't always good in practice.

[snip]

The conclusion one might draw from what you and a few others have been
saying is that no such tools exist?

Exactly - no tools exist to fix unknown problems.

Can you say heuristic?

Yes I can - but that is beside the point. Heuristics still deal with
what is known.

What is known is that it exists.

 

[Roger Wilco]

Using the current model of anti-virus software I don't see how any virus
scanner vendor can be expected to get an update done and distributed to
users before malware has executed on their PC.

In some cases they could add detection for exploit code which was
published and have detection in place before some malware author
actually used it in a program. But most often the malware program's
release prompts the creation of the detection update after some time
elapses. This gives active or autoexecuting exploit based worms the time
they need to spread fairly widely - but for the "click required" worms
and viruses it shouldn't be a problem because there is really no good
reason for a user to execute every damned executable they see when they
could wait a reasonable amount of time for the malware fighters to add
detection capabilities to their scanners.

This is simply not possible unless they turn their efforts to time travel
instead of malware detection.
I cannot recall a virus I came across this year which hadn't executed and
done damage to a user's PC BEFORE their virus scanner was updated to detect
it. The last one was due to a 12 year old using MSN messenger in an XP
administrator account. This left the user helpless because task manager
wouldn't run and IE wouldn't go to any anti-virus sites. AVG took more than
24 hours to start detecting it and I don't see how they could have done it
any faster.
Is it only me who thinks that there may be something wrong with this

model?

The current model only enables users to get by without proper safe
practices. I like the old model better - you know, the one where AV was
a tool to help you to climb to better security instead of a crutch to
help your muscles atrophy. Too many people depend on AV to protect them
while they engage in risky behavior when a simple change in behavior
would leave little for the AV to do.

 

[Roger Wilco]

YES, but since then I left the file there and today's AVG update did NOT
trigger a detection. Later I selected to scan selected area(C:\) and it
immediately detected it. So my conclusion is that in fact there was I/O to
that file at that original moment. A moment that appears to correspond to
nothing.

I think Zvi nailed this one (we'll see when he again responds). You
probably have a program running that wants to hide its messages from
your view by redirecting any echoes destined to the console to the nul
device. The programmer mispelled nul as null and as a result the file is
created (or overwritten) whenever the program is run. Now you will need
to find out what program is creating (or overwriting) this file.

 

[Ron Reaugh]

I think Zvi nailed this one (we'll see when he again responds). You
probably have a program running that wants to hide its messages from
your view by redirecting any echoes destined to the console to the nul
device. The programmer mispelled nul as null and as a result the file is
created (or overwritten) whenever the program is run. Now you will need
to find out what program is creating (or overwriting) this file.

Are you visiting Neverland? That file REALLY IS a trojan. And A2 confirmed
that. And it's detection
seems to have been triggered by some I/O to c:\null from left field. Maybe
something penetrated my Belkin wireless router and then ZA? OR maybe
somebody close has broken my 26 hex char WEP key and come in that way. OR
maybe there is still some undetected infection that happened to trigger at
that moment the spawning of the real trojan c:\null.

 

[Ron Reaugh]

Would you mind sending it to my e-mail address (see my signature) for

analysis?

DONE!

It appears to be an executable.

 

[kurt wismer]

"kurt wismer" <[email protected]> wrote in message

[snip the rest of the integrity checker discussion]

A url or two please.

google on "integrity checker" and you'll find plenty... back in the day
(before windows) i rather liked integrity master and advanced disk
infoscope... i just did a status check on them (i *neglect* to use
integrity checkers myself, but there are mitigating circumstances there)
and although integrity master doesn't seem to be handling current file
systems all that cleanly, adinf (http://www.adinf.com) seems to have
been kept sufficiently up to date to be usable on xp...

 

[kurt wismer]

Jason Edwards wrote:
[snip]

Virus scanners are useless for exactly the reason that you are
understandably upset about discovering for yourself. You thought you were
doing everything possible but you still got a trojan.

fallibility is not the same as uselessness... no security is perfect,
does that render all security useless? no...

RIGHT, and your view plus the apparent failure of the normal model in my
case is why I'm the OP of this thread and am trolling for hints about an
improved model.

there will always be occasional failures, it's just a fact of life...

to try and deal with the failures in preventative measures one must
realize there's more to security than just preventative measures, and
there's more to preventative measures than just using the best scanner...

within the realm of preventative measures there's OS hardening and
keeping your applications/OS up-to-date and patched... there's process
whitelisting (i don't know about other software firewalls but kerio
personal firewall has something called application launch control which
is sort of along those lines)... also, on the behavioural side there's
the simple avoidance of new executable material (ie. keep your playing
around with new software/cracks/keygens/whatever to a bare minimum)...

besides preventative measures there are also detective and restorative
measures... detective measures include virus detectors (we actually use
their detective capabilities to try an implement a preventative measure)
but also change detectors (integrity checkers),
network/registry/filesystem/process monitoring tools, so-called rootkit
detection software, an observant user, etc... restorative measures are,
of course, the various backup facilities that are available, the
dedicated malware removal tools when available, and detailed manual
removal instructions when available...

when gauging how effective your security response to an incident was you
need to look at the whole picture, not just part... so your preventative
measures failed - how quickly were your detective measures able to sound
the alarm and how easy was it to recover?

if the only issue is the frequency of preventative failures then look at
exactly what security (not necessarily software) vulnerability is
involved in those failures and tighten that up...

 

[Zvi Netiv]

analysis?

DONE!

It appears to be an executable.

Got the sample, and found interesting things in it.

I am writing the follow up, but it will take a few more hours as all three
computers are now taken for my grandchildren games. They gave me just a couple
of minutes to post this message.

Regards, Zvi

 

[Gabriele Neukam]

On that special day, Roger Wilco, ([email protected]) said...

but for the "click required" worms
and viruses it shouldn't be a problem because there is really no good
reason for a user to execute every damned executable they see when they
could wait a reasonable amount of time

Create a dummy file with the name "example.txt.pif", and then try to
find it in the Windows Explorer.

You won't see the "pif" in the name. Not if you don't change the
setting in the registry by hand, at HKEY_CLASSES_ROOT, and put
NeverShowExt to zero. Yet, any executable can be renamed as
"pif", and if you double click it, it will be /run/, as the command for
the piffile is "%1" %*.

A good deal of the Netsky worms abuse this Microsoft "feature"


Gabriele Neukam

(e-mail address removed)

 

[Zvi Netiv]

analysis?

OK!

A quick and partial analysis of the "NULL" sample yields interesting findings:
Although the file has the structure of a 32 bit executable, it isn't one and
won't execute even if assigned an executable extension (.exe for that matter).
This confirms my previous statement that the detection as Qdown.s or whatever
ARE false alarms!

Digging in the sample code reveals that the use of the NULL file name is
deliberate. The code also suggests that the NULL file may be renamed at some
stage through the Wininit procedure, probably to QDOWAS2.DLL. What's clear
beyond doubt is that NULL per se isn't a Trojan.

For the sake of completeness, I suggest that you look with Notepad in your
%Windir%\WININIT.BAK file (it contains a backup of the last instructions
executed by Wininit.exe). If your NULL file was involved in the installation of
anything through Wininit, then you will find there traces in Wininit.bak of what
it did, in plain text. The time and date of Wininit.bak will also tell when
this happened.

I also suggest that you search for a file named Qdowas2.dll, just in case.

[...]

c:\null is still there. Today AVG updated and nothing happened. I'm
assuming therefore that in the original incident that some I/O did occur to
c:\null and that I/O was from out of left field. Nothing was supposed to be
doing that.

You are asking the wrong questions and looking in the wrong places for answers.

For starters, on-access AV aren't supposed to check non-executable files, even
if they have an executable structure! Doing so would yield excessive false
alarms (just demonstrated!) and would slow down processing considerably.

If curious what drops the NULL file on your drive then get InVircible, set a
trap for "NULL" in its blacklist, and you'll know the moment anything attempts
dropping that file again, including the name of the parent process that induces
the creation of the file. A by-product would be gaining a sound real-time
defense! For the sake of full disclosure, pay attention to my signature, below.

Note that you should not run more than *one* on-access AV defense on the same
PC, at any given time!

That triggers AVG. What is the significance of the 'dot'?

Notepad opens by default files with the .TXT extension. Therefore, if you run
NOTEPAD C:\NULL then it will look for a file named null.txt and nothing will
happen. The dot after null is a delimiter that instructs NOTEPAD to interpret
the argument as "null" plain, with no extension.

[...]

Aren't the critical questions: Why is Kaspersky in the group that found it?

Because KAV is also susceptible to false positives, although less than some
mediocre scanners in the first group.

Why did AVG suddenly start detecting it? So you seem to be saying that AVG
updated its def-s to suddenly start false positive detecting a known
year-old trojan?

What I am saying is that you are overly confident in scanners reliability.

AND on the date of that new buggy update it just happens
that I get from left field some file I/O to c:\null and a false positive. I
think that there is a more likely explanation than that.

There sure is, and I explained how to find out. Speculating on scanners
reliability won't get you to the bottom of this. A systematic approach, will.

Regards, Zvi

 

[Roger Wilco]

It's NO FP. A2 flags it also. It's for real. The designer may have been
targetting the margin between the real and the false positive in various
scanners. It's something new apparently. I may have been an early/alpha
case. It appeared on my system from thin air seemingly and on the same day
that AVG started seeing it....just a coincidence.....

That file may be a malware related file, but it itself is not malware
(it is not executable and as such is not a threat) and any scanner that
detects it as such is wrong (but some would do so purposefully to get
better scores in AV comparative tests - like detecting boot sector
viruses in "files" like .bak backup files.. The only way it could be
executable is if it is an OLE2 filetype (.doc) that has been renamed
extensionless. It is a good idea for scanners to completely ignore
extensions and determine filetypes by their internal structure - but
this adds too much scanning time I suppose.

 

[Roger Wilco]

What is known is that it exists.

It's not magic, it is only a way to trade accuracy for time. A little
less accurate, but much quicker. It still requires that a known thing
(or known things) be looked for and a judgement made. If you knew for
instance that it was a virus you were looking for, there are known
attributes of previous viruses that can be looked for. When you start
with a complete unknown you have nothing to go on. Do you think
heuristics can detect a retrograded patch level?

 

[Roger Wilco]

On that special day, Roger Wilco, ([email protected]) said...


Create a dummy file with the name "example.txt.pif", and then try to
find it in the Windows Explorer.

You won't see the "pif" in the name. Not if you don't change the
setting in the registry by hand, at HKEY_CLASSES_ROOT, and put
NeverShowExt to zero. Yet, any executable can be renamed as
"pif", and if you double click it, it will be /run/, as the command for
the piffile is "%1" %*.

Yeah, and that "clickme.txt .exe" thing
too.

A good deal of the Netsky worms abuse this Microsoft "feature"

A good point - I should have said also that they needn't open every
unsolicited e-mail's attachment.

The fact remains that most people don't even have to be tricked into
doing stupid stuff.