-=PCTechTalk=- Re: Trojan horse DROPPER.VB.BXQ

  • From: "Patricia" <rhekay@xxxxxxxxxx>
  • To: <pctechtalk@xxxxxxxxxxxxx>
  • Date: Tue, 24 Feb 2009 11:02:19 -0500

Wow, thank you for this.
May I forward this to her?
And I will scan it again with the URL you have posted.

YOU'RE THE BEST!!!!!!! ;  )
----- Original Message ----- 
From: "Gman" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, February 24, 2009 10:54 AM
Subject: -=PCTechTalk=- Re: Trojan horse DROPPER.VB.BXQ


> Patricia,
>    You've stumbled onto one of the worst aspects of the wonderful world of
> computer security here.
>
>    First up is the fact that no two AV apps will detect exactly the same
> things.  Each company has their own way of creating definition files for
> their product and not every virus, trojan, etc. will be picked up within
> every set of definition files.  Part of the reason for that is that some
> companies will make a more serious effort to include defs for things
> like tracking cookies than others.  Some are faster to get newly released
> infections covered than others.  Some flag items that are just suspicious,
> usually because of the wrapper used to hold them together.  And over the
> last year and a half or so, many of them have been flagging more and more
> items that are not even true malware (such as silly joke files that do
> things like turn your screen upside down or open up your CD/DVD tray when
> they are run).
>
>    While I could probably write an encyclopedia's worth to describe all of
> the different aspects of how these things work and what's wrong with the
> approach, the simple fact will always be that no AV or AM program will ever
> be capable of sniffing out every possible file that's bad for a system
> without also catching a bunch that are harmless.  I strongly suspect that
> the file you're talking about is what's known as a false positive.  That is,
> there's something about it that makes it suspicious looking enough to one
> AV/AM program to flag it, but running it will not cause anything bad to
> happen to your system.  Whenever I find myself in a similar situation, I
> upload the file to VirusTotal to see what 30+ AV apps have to say about it.
>
> http://www.virustotal.com/
>
>    If no one else has ever uploaded that exact file before, you'll get to
> see it tested before your eyes.  If it has already been checked before,
> you'll be told that fact and a button will be provided to let you see the
> results of the previous scans.  The site uses over 30 different AV programs
> to scan the suspected file for everything the individual AV scanners can
> detect.  If a file is flagged by any of them, you'll see that app's name and
> the name of the definition that flagged it (like W32.Trojan.Sniffer).  It's
> almost funny to see how different AV programs will flag the same file with
> so many different names.  What I often find is that a couple of them will
> flag a file while the rest of them pass the file without a problem.  It
> takes time to become familiar enough with the naming to be able to tell the
> type of malware that's suspected, but you'll also learn how to spot the ones
> that aren't true malware.  Of course, if a majority of these scanners have
> nothing nice to say about a file you're testing, err on the side of caution
> and don't run that file on your main system.
>
>    On the urging of Disastar, I installed a program called Sandboxie a
> while back and I use it to peek inside any file that is likely to be a false
> positive.  Think of Sandboxie as an app that isolates the file inside a
> bubble that cannot be broken.  The file will believe and behave just like it
> has full freedom to roam over your entire system.  If it normally writes
> something to the registry, it will write its entries to the imaginary
> registry set up by the Sandboxie program.  If it unpacks any support files,
> they will be unpacked into what looks like the proper locations.  But those
> files and entries will all be contained inside the Sandboxie 'bubble' and,
> even if they ARE malicious, they cannot do any harm to your system.  When
> you're done 'testing' the file, you can open up the Sandboxie console and
> take a look at the changes it would have made to your REAL system and decide
> for yourself whether you can/should run it outside of Sandboxie.  Then, just
> delete the sandbox and all of those changes will simply go away.  It's a
> GREAT way to test individual files for their content and safety.
>
> http://www.sandboxie.com/
>
>
>    I know full well that what I've said above is more likely to cloud the
> issue more than clear it up for you, but that's just a small part of the
> cloud all of us techs are under when it comes to these things.  With tools
> like VirusTotal, those with some basic understanding of malware can keep
> themselves relatively safe without losing too many files to false positives.
>
> Peace,
> Gman
> http://www.bornagainamerican.org
>
> "The only dumb questions are the ones we fail to ask"
>
> ----- Original Message ----- 
> From: "Patricia" <rhekay@xxxxxxxxxx>
> To: "PCTechTalk" <pctechtalk@xxxxxxxxxxxxx>
> Sent: Tuesday, February 24, 2009 6:49 AM
> Subject: -=PCTechTalk=- Trojan horse DROPPER.VB.BXQ
>
>
>> A friend sent me a zip the other day for a program we use. I saved the
>> attachment and then ran a scan on it like I do every attachment. I use AVG 8
>> free edition, and AVG said the package was infected with the Trojan horse
>> DROPPER.VB.BXQ.
>> When I notified her, she told me that when she scanned it with her Norton's
>> it came back clean.
>> So I had another friend scan it also with Norton's; it came back clean. I
>> then sent it to my laptop and scanned it there with AVG 8 and got the same
>> result: it was infected.
>> So my question is, do you suppose AVG is picking up the exe file as a
>> trojan?
>> The friend who sent it has been using this program for about 5 months and
>> has had no problems; she scans her PC weekly and nothing has come up.
>> Which anti-virus do I trust, AVG or her Norton's?
>>
>>
>> Patricia
>
> ---------------------------------------------------------------
> Please remember to trim your replies (including this sentence and 
> everything below it) and adjust the subject line as necessary.
>
> To subscribe, unsubscribe or modify your email settings:
> //www.freelists.org/webpage/pctechtalk
>
> To access our Archives:
> http://groups.yahoo.com/group/PCTechTalk/messages/
> //www.freelists.org/archives/pctechtalk/
>
> To contact only the PCTT Mod Squad, write to:
> pctechtalk-moderators@xxxxxxxxxxxxx
>
> To join the PCTableTalk off-topic group, send a blank email to:
> pctabletalk+subscribe@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------
>
>


--------------------------------------------------------------------------------



No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.237 / Virus Database: 270.11.3/1969 - Release Date: 02/24/09 
06:43:00
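The workflow Gman describes (hash or upload the file, read the per-engine verdicts, treat a couple of hits among many clean results differently from a majority of hits, and look inside the archive before running anything) can be scripted. The block below is an added example written for this page; it is not code from the PCTechTalk thread, from VirusTotal, or from Sandboxie. It assumes a local file path and a constructed set of engine verdicts (the engine names, the 30-engine count and the verdict thresholds are illustrative assumptions, not VirusTotal's rules); it does no network access and never executes the file.

```python
# Added example, not code from the PCTechTalk thread, VirusTotal or Sandboxie.
# Helpers for the situation above: one AV product flags a zipped program,
# another passes it, and you want a multi-engine view before running it.
#
#   sha256_of(path)        hash the attachment in chunks so a report can be
#                          looked up by hash (VirusTotal keys reports by hash;
#                          uploading is only needed if nobody has sent it yet)
#   list_executables(path) list runnable members inside the zip WITHOUT
#                          extracting it, so you know what you would launch
#   consensus(results)     apply the thread's rule of thumb to per-engine
#                          verdicts: a couple of hits among many clean results
#                          points at a false positive; a majority of hits
#                          means do not run the file on your main system
#
# SAMPLE_RESULTS and make_demo_zip() are constructed for illustration; they
# are not real scan output or a real program.
import hashlib
import os
import tempfile
import zipfile

CHUNK = 1024 * 1024
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                       ".vbs", ".js", ".msi")


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so big archives stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def list_executables(zip_path):
    """Members that would run as code if double-clicked. Only the zip's
    central directory is read; nothing is extracted or executed."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(
            info.filename for info in zf.infolist()
            if not info.is_dir()
            and info.filename.lower().endswith(EXECUTABLE_SUFFIXES)
        )


def consensus(results, majority=0.5, fp_cutoff=0.1):
    """results maps engine name -> detection name, or None when clean.

    Returns hit count, distinct detection names (the same file gets many
    names, as the thread notes) and a verdict:
      'clean'                    no engine flagged it
      'probable-false-positive'  flagged by fewer than fp_cutoff of engines
      'malicious'                flagged by at least `majority` of engines
      'inconclusive'             in between: test it in a sandbox first
    The thresholds are assumptions for illustration, not VirusTotal's.
    """
    total = len(results)
    if total == 0:
        raise ValueError("no scan results")
    hits = {eng: name for eng, name in results.items() if name}
    ratio = len(hits) / total
    if not hits:
        verdict = "clean"
    elif ratio >= majority:
        verdict = "malicious"
    elif ratio < fp_cutoff:
        verdict = "probable-false-positive"
    else:
        verdict = "inconclusive"
    return {"hits": len(hits), "total": total, "ratio": ratio,
            "names": sorted(set(hits.values())), "verdict": verdict}


def make_demo_zip(directory=None):
    """Write a small constructed zip (a text file, a fake .exe, a config)
    for trying the helpers offline; returns its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "program.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not a real program\n")
        zf.writestr("program/setup.exe", b"MZ" + b"\0" * 64)  # fake PE stub
        zf.writestr("program/data/config.ini", "[settings]\n")
    return path


# Constructed: 30 engines, 2 hits, mirroring the thread (AVG flagged the
# package, Norton passed it). Assumed engine names, not real products.
SAMPLE_RESULTS = {"Engine%02d" % i: None for i in range(30)}
SAMPLE_RESULTS["Engine00"] = "Trojan horse DROPPER.VB.BXQ"
SAMPLE_RESULTS["Engine17"] = "Heur.Suspicious.Packed"

if __name__ == "__main__":
    demo = make_demo_zip()
    print("sha256:", sha256_of(demo))
    print("executables inside:", list_executables(demo))
    print(consensus(SAMPLE_RESULTS))
```

Run it with no arguments to see the constructed case: two hits out of thirty lands in the probable-false-positive band, which is exactly the pattern the reply says to sandbox rather than trust or delete outright. Feed a real attachment's SHA-256 to VirusTotal's hash lookup before uploading it; if the hash is already known you get the earlier results without sending the file anywhere.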
