virus in MS NG?

dentalfloss

Recently, when browsing the newsgroups, I got a warning from my AV app saying
it found a virus! I deleted it right away and did numerous scans with my AV,
Spybot S&D and online scans, and thankfully nothing else turned up. What I
want to know is: did this virus originate from MS newsgroups or somewhere
else?

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 30/01/2008
Time: 7:25:14 PM
User: N/A
Computer: DUNGEONCOMPUTER
Description:
Sign of "BV:KillFiles-K [Trj]" has been found in "C:\Documents and
Settings\Compaq_Owner\Local Settings\Application
Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook
Express\microsoft.public.windowsxp.general.dbx" file.
 
David H. Lipman

From: "dentalfloss" <[email protected]>

| Recently, when browsing the newsgroups, I got a warning from my AV app saying
| it found a virus! I deleted it right away and did numerous scans with my AV,
| Spybot S&D and online scans, and thankfully nothing else turned up. What I
| want to know is: did this virus originate from MS newsgroups or somewhere
| else?
|
| Event Type: Warning
| Event Source: avast!
| Event Category: Client
| Event ID: 90
| Date: 30/01/2008
| Time: 7:25:14 PM
| User: N/A
| Computer: DUNGEONCOMPUTER
| Description:
| Sign of "BV:KillFiles-K [Trj]" has been found in "C:\Documents and
| Settings\Compaq_Owner\Local Settings\Application
| Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook
| Express\microsoft.public.windowsxp.general.dbx" file.
|

Well, Avast declared this a Trojan, [Trj], not a virus.

I sorted the group by size of posts and could not find an EXE file. I did see some log
files. Maybe Avast created a False Positive declaration based upon one of those log files,
and my McAfee did not flag anything.

Avast is well known for False Positives of this kind.
 
VanguardLH

in message
Recently, when browsing the newsgroups, I got a warning from my AV app
saying it found a virus! I deleted it right away and did numerous
scans with my AV, Spybot S&D and online scans, and thankfully nothing
else turned up. What I want to know is: did this virus originate from
MS newsgroups or somewhere else?

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 30/01/2008
Time: 7:25:14 PM
User: N/A
Computer: DUNGEONCOMPUTER
Description:
Sign of "BV:KillFiles-K [Trj]" has been found in "C:\Documents and
Settings\Compaq_Owner\Local Settings\Application
Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook
Express\microsoft.public.windowsxp.general.dbx" file.


No, your antivirus program did not say there was a virus in a
newsgroup. It might've said there was a virus in a *post*.
Newsgroups don't have viruses. Posts might have viruses. So for
which post did you get the alert? Apparently the AV program found the
virus during a scan of files rather than when you actually downloaded
the particular post's body. It reported the .dbx file because the
*post* within it had whatever it thought was a trojan (not virus).
I've used AVG, Norton, and McAfee, and each would tell me of the
infected post at the time that I downloaded it (because their
on-access scanner would detect the .dbx file got updated and then scan
it to find the pest or they interrogate the traffic for pest
signatures). That means I get an alert when the *post* is downloaded,
not sometime later during a scheduled scan of files.

Are you wasting time downloading message bodies that you won't read?
Just download the message headers and then pick which ones to read
(and get them downloaded).

Did the trojan originate from MS newsgroups? No, it originated with
whoever submitted that post. The Microsoft NNTP servers don't go
injecting trojans into posts. Of course, we don't know if you were
using the Microsoft NNTP server to access the microsoft.* newsgroups.
 
David H. Lipman

From: "VanguardLH" <[email protected]>

< snip >

|
| Did the trojan originate from MS newsgroups? No, it originated with
| whoever submitted that post. The Microsoft NNTP servers don't go
| injecting trojans into posts. Of course, we don't know if you were
| using the Microsoft NNTP server to access the microsoft.* newsgroups.

Yes we do...

From: "dentalfloss" <[email protected]>
Subject: virus in MS NG?
Date: Wed, 6 Feb 2008 12:58:39 -0700
Lines: 21
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-RFC2646: Format=Flowed; Original
X-Antivirus: avast! (VPS 080205-0, 05/02/2008), Outbound message
X-Antivirus-Status: Clean
Message-ID: <[email protected]>
Newsgroups: microsoft.public.windowsxp.help_and_support
NNTP-Posting-Host: s01060015f2a00d67.ed.shawcable.net 68.148.13.129
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
Xref: TK2MSFTNGP01.phx.gbl microsoft.public.windowsxp.help_and_support:794024
 
Elmo

dentalfloss said:
Recently, when browsing the newsgroups, I got a warning from my AV app saying
it found a virus! I deleted it right away and did numerous scans with my AV,
Spybot S&D and online scans, and thankfully nothing else turned up. What I
want to know is: did this virus originate from MS newsgroups or somewhere
else?

Event Type: Warning
Event Source: avast!
Event Category: Client
Event ID: 90
Date: 30/01/2008
Time: 7:25:14 PM
User: N/A
Computer: DUNGEONCOMPUTER
Description:
Sign of "BV:KillFiles-K [Trj]" has been found in "C:\Documents and
Settings\Compaq_Owner\Local Settings\Application
Data\Identities\{5E41BDC3-3E9B-4A7D-ADED-969491FFC466}\Microsoft\Outlook
Express\microsoft.public.windowsxp.general.dbx" file.

Most likely, some script suggested by a helper in the post is similar to
one of their virus definitions. It's happened to me twice. Just
ignore, or "delete" that post when prompted by "Avast!".
 
VanguardLH

From: "VanguardLH"

Of course, we don't know if you were
using the Microsoft NNTP server to access the microsoft.*
newsgroups.

Yes we do...

From: "dentalfloss" <[email protected]>
Subject: virus in MS NG?
Date: Wed, 6 Feb 2008 12:58:39 -0700
Lines: 21
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-RFC2646: Format=Flowed; Original
X-Antivirus: avast! (VPS 080205-0, 05/02/2008), Outbound message
X-Antivirus-Status: Clean
Message-ID: <[email protected]>
Newsgroups: microsoft.public.windowsxp.help_and_support
NNTP-Posting-Host: s01060015f2a00d67.ed.shawcable.net 68.148.13.129
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
Xref: TK2MSFTNGP01.phx.gbl microsoft.public.windowsxp.help_and_support:794024

That tells which NNTP service was used to submit her query post, not
which NNTP server was used or even the NNTP client when her anti-virus
program issued the alert. You assumed that she is posting using the
same NNTP server, the same NNTP client, and the same AV program to ask
her question as for when she encountered the pest alert. We can't
even be sure she is posting from the same host as where the pest alert
occurred. Yes, we can guess, especially when the details are missing.

Also, if she had mentioned which post it was then we could go look.
Apparently Avast, if that is what was used on whatever host where the
pest alert occurred, does not alert using its on-access scanner when
an infected post is downloaded, or that's how she configured Avast.

Since she doesn't know the post that is supposedly infected, and since
it could be a false positive, she could just delete that .dbx file
which will get recreated when she visits the newsgroup again.
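A small triage helper, added here as an example (not code from anyone in the thread), that parses headers like the ones David quoted and reports which NNTP servers handled the post and what the injecting host was, which is the check the last two replies are arguing over. The sample headers are constructed from those quoted on the page; the From address and Message-ID are placeholders, and the Xref header is folded onto a continuation line to show that the parser copes with folding.

```python
"""Usenet post header triage (added example; not from the thread)."""
from email.parser import HeaderParser

# Constructed sample based on the headers quoted in the thread. The address and
# Message-ID are placeholders; Xref is folded onto a continuation line.
SAMPLE_HEADERS = """\
From: "dentalfloss" <user@example.invalid>
Subject: virus in MS NG?
Date: Wed, 6 Feb 2008 12:58:39 -0700
X-Newsreader: Microsoft Outlook Express 6.00.2900.3138
X-Antivirus: avast! (VPS 080205-0, 05/02/2008), Outbound message
X-Antivirus-Status: Clean
Message-ID: <placeholder@TK2MSFTNGP01.phx.gbl>
Newsgroups: microsoft.public.windowsxp.help_and_support
NNTP-Posting-Host: s01060015f2a00d67.ed.shawcable.net 68.148.13.129
Path: TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
Xref: TK2MSFTNGP01.phx.gbl
 microsoft.public.windowsxp.help_and_support:794024
"""


def path_hops(msg):
    """Path is '!'-separated; each relaying server prepends itself, so the
    leftmost hop handled the article last and the rightmost hop is the server
    closest to the poster (the one that accepted the injection)."""
    return [h.strip() for h in (msg.get("Path") or "").split("!") if h.strip()]


def posting_host(msg):
    """NNTP-Posting-Host may carry a hostname, an IP, or both (space-separated)."""
    return (msg.get("NNTP-Posting-Host") or "").split()


def triage(raw_headers):
    """Summarise where a post came from. Note that X-Antivirus-Status is written
    by the *sender's* client and is a claim, not evidence about the content."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    hops = path_hops(msg)
    return {
        "path_hops": hops,
        "injecting_server": hops[-1] if hops else None,
        "posting_host": posting_host(msg),
        "newsgroups": [g.strip() for g in (msg.get("Newsgroups") or "").split(",")],
        # Folded header values keep their newline; normalise whitespace.
        "xref": " ".join((msg.get("Xref") or "").split()),
        "sender_av_claim": msg.get("X-Antivirus-Status"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The Path header only shows which servers relayed the post being examined; as VanguardLH notes, it says nothing about the machine or client that produced a separate AV alert.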
 
