Wow, thank you for this. May I forward this to her? And I will scan it again with the URL you have posted. YOU'RE THE BEST!!!!!!! ; )

----- Original Message -----
From: "Gman" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, February 24, 2009 10:54 AM
Subject: -=PCTechTalk=- Re: Trojan horse DROPPER.VB.BXQ

> Patricia,
> You've stumbled onto one of the worst aspects of the wonderful world of computer security here.
>
> First up is the fact that no two AV apps will detect exactly the same things. Each company has their own way of creating definition files for their product and not every virus, trojan, etc. will be picked up within every set of definition files. Part of the reason for that is that some companies will make a more serious effort to include defs for things like tracking cookies than others. Some are faster to get newly released infections covered than others. Some flag items that are just suspicious, usually because of the wrapper used to hold them together. And over the last year and a half or so, many of them have been flagging more and more items that are not even true malware (such as silly joke files that do things like turn your screen upside down or open up your CD/DVD tray when they are run).
>
> While I could probably write an encyclopedia's worth to describe all of the different aspects of how these things work and what's wrong with the approach, the simple fact will always be that no AV or AM program will ever be capable of sniffing out every possible file that's bad for a system without also catching a bunch that are harmless. I strongly suspect that the file you're talking about is what's known as a false positive. That is, there's something about it that makes it suspicious looking enough to one AV/AM program to flag it, but running it will not cause anything bad to happen to your system. Whenever I find myself in a similar situation, I upload the file to VirusTotal to see what 30+ AV apps have to say about it.
>
> http://www.virustotal.com/
>
> If no one else has ever uploaded that exact file before, you'll get to see it tested before your eyes. If it has already been checked before, you'll be told that fact and a button will be provided to let you see the results of the previous scans. The site uses over 30 different AV programs to scan the suspected file for everything the individual AV scanners can detect. If an app is flagged by any of them, you'll see that app's name and the definition that flagged it (like W32.Trojan.Sniffer). It's almost funny to see how different AV programs will flag the same file with so many different names. What I often find is that a couple of them will flag a file while the rest of them pass the file without a problem. It takes time to become familiar enough with the naming to be able to tell the type of malware that's suspected, but you'll also learn how to spot the ones that aren't true malware. Of course, if a majority of these scanners have nothing nice to say about a file you're testing, err on the side of caution and don't run that file on your main system.
>
> On the urging of Disastar, I installed a program called Sandboxie a while back and I use it to peek inside any file that is likely to be a false positive. Think of Sandboxie as an app that isolates the file inside a bubble that cannot be broken. The file will believe and behave just like it has full freedom to roam over your entire system. If it normally writes something to the registry, it will write its entries to the imaginary registry set up by the Sandboxie program. If it unpacks any support files, they will be unpacked into what looks like the proper locations. But those files and entries will all be contained inside the Sandboxie 'bubble' and, even if they ARE malicious, they cannot do any harm to your system. When you're done 'testing' the file, you can open up the Sandboxie console and take a look at the changes it would have made to your REAL system and decide for yourself whether you can/should run it outside of Sandboxie. Then, just delete the sandbox and all of those changes will simply go away. It's a GREAT way to test individual files for their content and safety.
>
> http://www.sandboxie.com/
>
> I know full well that what I've said above is more likely to cloud the issue more than clear it up for you, but that's just a small part of the cloud all of us techs are under when it comes to these things. With tools like VirusTotal, those with some basic understanding of malware can keep themselves relatively safe without losing too many files to false positives.
>
> Peace,
> Gman
> http://www.bornagainamerican.org
>
> "The only dumb questions are the ones we fail to ask"
>
> ----- Original Message -----
> From: "Patricia" <rhekay@xxxxxxxxxx>
> To: "PCTechTalk" <pctechtalk@xxxxxxxxxxxxx>
> Sent: Tuesday, February 24, 2009 6:49 AM
> Subject: -=PCTechTalk=- Trojan horse DROPPER.VB.BXQ
>
>> A friend sent me a zip the other day for a program we use. I saved the attachment and then ran a scan on it like I do every attachment. I use AVG 8 free edition, and AVG said the package was infected with the Trojan horse DROPPER.VB.BXQ.
>> When I notified her she told me when she scanned it with her Norton's it came back clean.
>> So I had another friend scan it also with Norton's; it came back clean. I then sent it to my laptop and scanned it there with AVG 8 and got the same results: it was infected.
>> So my question is, do you suppose AVG is picking up the exe file as a trojan?
>> The friend who sent it has been using this program for about 5 months and has had no problems; she scans her pc weekly and nothing has come up.
>> Which anti-virus do I trust, AVG or her Norton's?
>>
>> Patricia
>
> ---------------------------------------------------------------
> Please remember to trim your replies (including this sentence and everything below it) and adjust the subject line as necessary.
>
> To subscribe, unsubscribe or modify your email settings:
> //www.freelists.org/webpage/pctechtalk
>
> To access our Archives:
> http://groups.yahoo.com/group/PCTechTalk/messages/
> //www.freelists.org/archives/pctechtalk/
>
> To contact only the PCTT Mod Squad, write to:
> pctechtalk-moderators@xxxxxxxxxxxxx
>
> To join the PCTableTalk off-topic group, send a blank email to:
> pctabletalk+subscribe@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------

--------------------------------------------------------------------------------
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.237 / Virus Database: 270.11.3/1969 - Release Date: 02/24/09 06:43:00
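As an added example, not part of the thread and not code from VirusTotal or Sandboxie: a small Python triage helper that hashes a file locally (so an existing VirusTotal report can be looked up by hash rather than uploading the file) and then applies the rule of thumb from Gman's reply to a constructed set of engine verdicts. The engine names, detection names and heuristic-marker list are assumptions made for the example.

```python
import hashlib

# Constructed sample "file" bytes; not a real executable.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample bytes, not a real program"

# Constructed multi-engine verdicts for one file: engine -> detection name,
# or None when that engine passed the file. Names are made up to mirror the
# vendor-by-vendor naming differences the thread describes.
SAMPLE_RESULTS = {
    "AVG": "Trojan horse DROPPER.VB.BXQ",
    "Norton": None,
    "EngineC": None,
    "EngineD": "Packed.Win32.Generic",
    "EngineE": None,
    "EngineF": None,
    "EngineG": None,
    "EngineH": None,
}

# Tokens that usually indicate a heuristic or packer/wrapper based detection
# rather than a signature for a known family (assumed list for this example).
HEURISTIC_MARKERS = ("generic", "heur", "packed", "suspicious")


def sha256_hex(data: bytes) -> str:
    """Hash the file locally; look the hash up before uploading anything."""
    return hashlib.sha256(data).hexdigest()


def is_heuristic(name: str) -> bool:
    """True when the detection name looks heuristic/packer based."""
    lowered = name.lower()
    return any(marker in lowered for marker in HEURISTIC_MARKERS)


def triage(results: dict) -> dict:
    """Summarise engine verdicts into counts and a triage label.

    Majority of engines flag it -> treat as malicious and do not run it.
    Only a couple flag it while the rest pass -> probable false positive.
    Anything in between -> suspicious; inspect in a sandbox first.
    """
    flagged = {engine: name for engine, name in results.items() if name}
    hits, total = len(flagged), len(results)
    heuristic_only = bool(flagged) and all(is_heuristic(n) for n in flagged.values())
    if hits == 0:
        label = "clean"
    elif hits * 2 > total:
        label = "likely malicious"
    elif hits <= 2:
        label = "probable false positive"
    else:
        label = "suspicious"
    return {"hits": hits, "total": total, "heuristic_only": heuristic_only,
            "label": label, "names": flagged}
```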