-=PCTechTalk=- Re: Trojan horse DROPPER.VB.BXQ

  • From: Gman <gman.pctt@xxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Tue, 24 Feb 2009 10:54:41 -0500

Patricia,
    You've stumbled onto one of the worst aspects of the wonderful world of 
computer security here.

    First up is the fact that no two AV apps will detect exactly the same 
things.  Each company has their own way of creating definition files for 
their product and not every virus, trojan, etc. will be picked up within 
every set of definition files.  Part of the reason for that is that some 
companies will make a more serious effort to include defs for things 
like tracking cookies than others.  Some are faster to get newly released 
infections covered than others.  Some flag items that are just suspicious, 
usually because of the wrapper used to hold them together.  And over the 
last year and a half or so, many of them have been flagging more and more 
items that are not even true malware (such as silly joke files that do 
things like turn your screen upside down or open up your CD/DVD tray when 
they are run).

    While I could probably write an encyclopedia's worth to describe all of 
the different aspects of how these things work and what's wrong with the 
approach, the simple fact will always be that no AV or AM program will ever 
be capable of sniffing out every possible file that's bad for a system 
without also catching a bunch that are harmless.  I strongly suspect that 
the file you're talking about is what's known as a false positive.  That is, 
there's something about it that makes it suspicious looking enough to one 
AV/AM program to flag it, but running it will not cause anything bad to 
happen to your system.  Whenever I find myself in a similar situation, I 
upload the file to VirusTotal to see what 30+ AV apps have to say about it.

http://www.virustotal.com/

    If no one else has ever uploaded that exact file before, you'll get to 
see it tested before your eyes.  If it has already been checked before, 
you'll be told that fact and a button will be provided to let you see the 
results of the previous scans.  The site uses over 30 different AV programs 
to scan the suspected file for everything the individual AV scanners can 
detect.  If a file is flagged by any of them, you'll see that app's name for 
the definition that flagged it (like W32.Trojan.Sniffer).  It's almost funny 
to see how different AV programs will flag the same file with so many 
different names.  What I often find is that a couple of them will flag a 
file while the rest of them pass the file without a problem.  It takes time 
to become familiar enough with the naming to be able to tell the type of 
malware that's suspected, but you'll also learn how to spot the ones that 
aren't true malware.  Of course, if a majority of these scanners have 
nothing nice to say about a file you're testing, err on the side of caution 
and don't run that file on your main system.

    On the urging of Disastar, I installed a program called Sandboxie a 
while back and I use it to peek inside any file that is likely to be a false 
positive.  Think of Sandboxie as an app that isolates the file inside a 
bubble that cannot be broken.  The file will believe and behave just like it 
has full freedom to roam over your entire system.  If it normally writes 
something to the registry, it will write its entries to the imaginary 
registry set up by the Sandboxie program.  If it unpacks any support files, 
they will be unpacked into what looks like the proper locations.  But those 
files and entries will all be contained inside the Sandboxie 'bubble' and, 
even if they ARE malicious, they cannot do any harm to your system.  When 
you're done 'testing' the file, you can open up the Sandboxie console and 
take a look at the changes it would have made to your REAL system and decide 
for yourself whether you can/should run it outside of Sandboxie.  Then, just 
delete the sandbox and all of those changes will simply go away.  It's a 
GREAT way to test individual files for their content and safety.

http://www.sandboxie.com/


    I know full well that what I've said above is more likely to cloud the 
issue more than clear it up for you, but that's just a small part of the 
cloud all of us techs are under when it comes to these things.  With tools 
like VirusTotal, those with some basic understanding of malware can keep 
themselves relatively safe without losing too many files to false positives.

Peace,
Gman
http://www.bornagainamerican.org

"The only dumb questions are the ones we fail to ask"
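
As an added example (not part of Gman's post and not VirusTotal's or 
Sandboxie's own tooling), here is a small Python script that does the 
hash-first version of the VirusTotal check described above: it hashes the 
file locally, asks VirusTotal whether that hash has already been scanned, and 
then tallies which engines flagged it and under what names, applying the 
post's rule of thumb (a couple of engines flagging while the rest pass points 
to a false positive worth inspecting in a sandbox; a majority flagging means 
don't run it). It assumes VirusTotal's current public REST API v3 (GET 
/api/v3/files/<sha256> with an x-apikey header) and an API key in the 
VT_API_KEY environment variable; the embedded SAMPLE_REPORT is a constructed 
stand-in with the same layout as a real response, not an actual scan result.

```python
"""Hash-first VirusTotal lookup and per-engine summary.

Added example, not code from the original thread or from VirusTotal.
Assumes VirusTotal's public REST API v3 (GET /api/v3/files/<sha256> with an
'x-apikey' header) and an API key in the VT_API_KEY environment variable.
Looking the hash up first tells you whether the file has already been
scanned, without uploading a file you may not be free to share.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed stand-in for a VT file object (same layout as the real API's
# data.attributes.last_analysis_results); NOT a real scan of any file.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "AVG":      {"category": "malicious",  "result": "Trojan horse Dropper.VB.BXQ"},
    "ClamAV":   {"category": "suspicious", "result": "W32.Trojan.Sniffer"},
    "Fortinet": {"category": "timeout",    "result": None},
    **{name: {"category": "undetected", "result": None} for name in (
        "Avast", "BitDefender", "DrWeb", "ESET-NOD32", "F-Secure", "Kaspersky",
        "McAfee", "Microsoft", "Panda", "Sophos", "Symantec", "TrendMicro")},
}}}}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key, timeout=30):
    """Return VT's file object for this hash, or None if VT has never seen it (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize_report(report):
    """Split the per-engine results into flagged (with the detection name
    each engine used) and clean.  Engines that timed out or could not handle
    the file type gave no opinion and land in neither bucket."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged, clean = {}, []
    for engine, r in sorted(results.items()):
        if r.get("category") in ("malicious", "suspicious"):
            flagged[engine] = r.get("result") or "(unnamed detection)"
        elif r.get("category") in ("harmless", "undetected"):
            clean.append(engine)
    return {"flagged": flagged, "clean": clean, "total": len(results)}


def verdict(summary, majority=0.5, minority=0.2):
    """The post's rule of thumb as a heuristic (thresholds are my choice):
    a small minority flagging suggests a false positive to check in a sandbox,
    a majority flagging means do not run it on your main system."""
    answered = len(summary["flagged"]) + len(summary["clean"])
    if answered == 0:
        return "no-data"
    ratio = len(summary["flagged"]) / answered
    if ratio >= majority:
        return "do-not-run"
    if ratio <= minority:
        return "likely-false-positive"
    return "inconclusive"


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")
    if len(sys.argv) > 1 and api_key:
        digest = sha256_of_file(sys.argv[1])
        report = fetch_report(digest, api_key)
        if report is None:
            print(f"{digest}: never scanned on VirusTotal; upload it on the site for a fresh scan")
            sys.exit(0)
    else:
        print("no file and VT_API_KEY given; using the constructed sample report")
        report = SAMPLE_REPORT
    s = summarize_report(report)
    for engine, name in s["flagged"].items():
        print(f"  {engine:<12} {name}")
    print(f"{len(s['flagged'])} of {s['total']} engines flagged it -> {verdict(s)}")
```

Run it as `VT_API_KEY=... python vt_lookup.py suspicious.zip`; with no 
arguments it summarizes the constructed sample. Note that engines which 
timed out are left out of the denominator, so two detections out of fifteen 
engines with one timeout is scored as 2 of 14 answers, and that the 
"likely-false-positive" verdict is a reason to open the file inside a sandbox 
such as Sandboxie, not a reason to run it directly.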

----- Original Message ----- 
From: "Patricia" <rhekay@xxxxxxxxxx>
To: "PCTechTalk" <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, February 24, 2009 6:49 AM
Subject: -=PCTechTalk=- Trojan horse DROPPER.VB.BXQ


> A friend sent me a zip the other day for a program we use. I saved the 
> attachment and then ran a scan on it like I do every attachment. I use AVG 8 
> free edition, and AVG said the package was infected with the Trojan horse 
> DROPPER.VB.BXQ.
> When I notified her, she told me when she scanned it with her Norton's it 
> came back clean.
> So I had another friend scan it also with Norton's; it came back clean. I 
> then sent it to my laptop and scanned it there with AVG 8 and got the same 
> result: it was infected.
> So my question is, do you suppose AVG is picking up the exe file as a 
> trojan?
> The friend who sent it has been using this program for about 5 months and 
> has had no problems; she scans her PC weekly and nothing has come up.
> Which anti-virus do I trust, AVG or her Norton's?
>
>
> Patricia 

---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything 
below it) and adjust the subject line as necessary.

To subscribe, unsubscribe or modify your email settings:
//www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/

To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx

To join the PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------
