Computer Security - Trojan horse Downloader.Generic.ML

 
Old 06-15-2005, 05:32 PM   #1
Default Trojan horse Downloader.Generic.ML


It's the file C:\NULL

Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
PC reported the above noted infection. It's Grisoft free AVG with the
latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
earlier with no indication of any problems. There are still no indications
of any problems EXCEPT that AVG claims it's found this trojan. There have
been no floppy operations/mounts, no CD operations/mounts and no downloads
and installs of anything since an hour before shutdown last night and now.

From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
PC finding nothing.

So where and how did this file C:\NULL that AVG claims is Trojan horse
Downloader.Generic.ML appear from? Was it really there since 5/5 but went
unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
suddenly downloaded a new definition file which started seeing this trojan?
OR did something penetrate all the firewalls and suddenly spawn this file
which AVG quickly recognized?

What likely happened here?

The operation I was in the middle of when AVG popped up was reading a text
only no attachment NG message in OE 6.00.2800.1123.




Ron Reaugh
Old 06-15-2005, 07:09 PM   #2
Eric Parker
 
Default Re: Trojan horse Downloader.Generic.ML

"Ron Reaugh" <ron-> wrote in message
news:EKYre.963481$...
> It's the file C:\NULL
>
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
> earlier with no indication of any problems. There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan. There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.
>
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> PC finding nothing.
>
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this trojan?
> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?
>
> What likely happened here?
>
> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.
>
>


If you're doubting AVG, you could submit the file to www.virustotal.com.
That would give you a lot of opinions on it.
As to how it got there, I can't help.

eric
--
Remove the dross to contact me directly




Eric Parker
Old 06-15-2005, 07:40 PM   #3
Ron Reaugh
 
Default Re: Trojan horse Downloader.Generic.ML

"Eric Parker" <> wrote in message
news:42b06ef5$0$2402$...
>
> If you're doubting AVG,


NO, I'm not doubting AVG at all. The file c:\null didn't belong there and
came from some unknown source and I assume that in fact is a trojan. What I
can't understand is how and when it got there unnoticed until this AM?? I
thought I'd taken all the extra precautions and kept very current and then
all of the sudden from left field this AVG warning appears at a time and
circumstance that does NOT correspond to when I'd expect such a thing to
have happened.

FURTHER I was under the impression that most all the current virus checker
companies were really on top of things and got out protection(new def files)
within hours or at most a day from when something new was found in the wild.
I find it highly unlikely that I'm some special case that got this infection
only or long before anyone else. If one believes the 5/5/05 date on c:\null
then that suggests that this thing has been out in the wild for over a month
when AVG just this AM suddenly updated the def file to include its
detection. Also Trend Housecall 6 didn't find it if you believe the 5/5/05
date.

How did this all come to pass. Do I have some misconceptions somewhere
regarding these issues? I thought I had all my bases covered and then this.
What should I start doing differently? Are virus/trojan files ever put on
folks' HDs and then change their own dates back in time; has that ever been
seen?

> you could submit the file to www.virustotal.com.


AVG zapped it already.

> That would give you a lots of opinions on it.
> As to how it got there, I can't help.
Ron Reaugh
Old 06-15-2005, 07:42 PM   #4
Ron Reaugh
 
Default Re: Trojan horse Downloader.Generic.ML
Google web/groups doesn't show any hits on "downloader.generic.ml" so this
may be something really NEW!

Ron Reaugh
Old 06-15-2005, 07:45 PM   #5
Jason Edwards
 
Default Re: Trojan horse Downloader.Generic.ML
"Ron Reaugh" <ron-> wrote in message
news:EKYre.963481$...
> It's the file C:\NULL
>
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi
> router with firewall, SpyBot(resident).


And do you use Internet Explorer?

> A normal Shutdown was done 12 hours
> earlier with no indication of any problems.


There wouldn't be.
If something did sneak in via an IE or some other vulnerability then it
would most likely not run until the next startup.

> There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan.


Sounds like an indication of a problem to me.
A false detection is a possibility but there is no way for me to be certain.

> There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.


But you did surf with Internet Explorer?

>
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
> Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on
> this PC finding nothing.
>
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this
> trojan?

Virus scanners don't have any magical ability to detect trojans, they have
to be told what is a trojan and what isn't via the updates. An anti-virus
vendor may manage to do an update in less than a day if the virus/trojan is
all over the news but it may otherwise take longer. Trojan writers are not
under any obligation to send copies of their trojans to anti-virus vendors.

> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?


I have no idea where C:\NULL came from but if it were on my PC I would want
to know what it was.
If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
to see what was there.
I'd also find out whether anything in there was referenced during startup.
For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
or just regedit.

>
> What likely happened here?


Impossible to say. One possibility is that you got something via an
unpatched IE vulnerability. Another is that AVG is/was giving a false
detection. Another is that I don't have a clue what happened.

>
> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.


Did this message contain a link/url that you happened to click on?

Jason

Jason Edwards
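Jason's point about finding out whether anything is referenced at startup can be worked through offline against a plain regedit export, without HijackThis or Spybot. The block below is an added example and is not code from this thread or from any of the tools named in it. It parses a constructed `.reg` dump of the Run, RunServices and per-user Run keys and flags every entry whose program is either an unqualified name (resolved through the PATH at boot) or lives outside the Windows and Program Files trees. The key list, the "trusted directory" list and every sample entry (including the `C:\NULL` one) are assumptions made for the illustration.

```python
import re

# Registry keys that Windows 9x/2000 consult at logon. Assumption: the list is
# illustrative, not exhaustive (win.ini load=/run= and the Startup folder are
# other places a triage should cover).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Directories a legitimate autostart program would normally live in on this
# box (assumption for the example; adjust to the machine being triaged).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\progra~1\\", "c:\\program files\\")

# Constructed regedit export; every entry here is invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"ZoneAlarm"="C:\\PROGRA~1\\ZONELA~1\\ZONEAL~1\\zonealarm.exe"
"null"="C:\\NULL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="c:\\windows\\temp\\upd.exe"
'''

# "name"="data" lines; both sides may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo regedit's string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_autostart_entries(reg_text):
    """Return [(key, value_name, command)] for string values under AUTOSTART_KEYS."""
    entries = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key in AUTOSTART_KEYS:
            name, data = (unescape(g) for g in m.groups())
            entries.append((key, name, data))
    return entries


def image_path(command):
    """Program path from a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify(command):
    """Rough trust verdict for one autostart command line."""
    path = image_path(command).lower()
    if "\\" not in path:
        return "unqualified"          # bare name: found via PATH at boot, easy to shadow
    if "\\temp\\" in path:
        return "untrusted-location"   # temp dirs are suspect even under C:\WINDOWS
    if any(path.startswith(d) for d in TRUSTED_DIRS):
        return "ok"
    return "untrusted-location"


def triage(reg_text):
    """Entries worth a second look, in file order: [(key, name, command, verdict)]."""
    findings = []
    for key, name, command in parse_autostart_entries(reg_text):
        verdict = classify(command)
        if verdict != "ok":
            findings.append((key, name, command, verdict))
    return findings


if __name__ == "__main__":
    for key, name, command, verdict in triage(SAMPLE_REG):
        print(f"{verdict:<18} {name:<12} {command}   [{key}]")
```

Run against a real export (`regedit /e run.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, repeated per key) the verdicts are only a starting point: an "unqualified" entry such as SysTray.Exe is normal on Windows 98, but it is exactly the kind of name a dropper in an earlier PATH directory can shadow, so resolve it by hand before dismissing it.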
Old 06-15-2005, 08:01 PM   #6
Ron Reaugh
 
Default Re: Trojan horse Downloader.Generic.ML

"Jason Edwards" <> wrote in message
news:...
> "Ron Reaugh" <ron-> wrote in message
> news:EKYre.963481$...
> > It's the file C:\NULL
> >
> > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> > PC reported the above noted infection. It's Grisoft free AVG with the
> > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi
> > router with firewall, SpyBot(resident).

>
> And do you use Internet Explorer?


Yep, the very latest and fully patched/WinUp-ed version.

> > A normal Shutdown was done 12 hours
> > earlier with no indication of any problems.

>
> There wouldn't be.
> If something did sneak in via an IE or some other vulnerability then it
> would most likely not run until the next startup.


Are you saying that AVG's resident and SpyBot's resident (watching reg
updates) wouldn't have caught it at the time of infection?

> > There are still no indications
> > of any problems EXCEPT that AVG claims it's found this trojan.

>
> Sounds like an indication of a problem to me.
> A false detection is a possibility but there is no way for me to be certain.

That c:\null IS a bogus file from an unknown source suggests that there was
no false detection.

> > There have
> > been no floppy operations/mounts, no CD operations/mounts and no downloads
> > and installs of anything since an hour before shutdown last night and now.
>
> But you did surf with Internet Explorer?


Yep and other than the possibility that you are a FireFox drum beater, the
use of a fully updated IE generally does NOT expose one to such when a fully
functional firewall, virus checker and spyware checker are in place.

> > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
> > Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on
> > this PC finding nothing.
> >
> > So where and how did this file C:\NULL that AVG claims is Trojan horse
> > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> > suddenly downloaded a new definition file which started seeing this
> > trojan?
>
> Virus scanners don't have any magical ability to detect trojans, they have
> to be told what is a trojan and what isn't via the updates.


Right but 5/5/05 is over 30 days old...am I some special case alpha
infection point?

> An anti-virus
> vendor may manage to do an update in less than a day if the virus/trojan is
> all over the news but it may otherwise take longer. Trojan writers are not
> under any obligation to send copies of their trojans to anti-virus vendors.
>
> > OR did something penetrate all the firewalls and suddenly spawn this file
> > which AVG quickly recognized?

>
> I have no idea where C:\NULL came from but if it were on my PC I would want
> to know what it was.
> If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
> to see what was there.


After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
hourly to spot undesirable files. That's what I got AVG etc. for.

> I'd also find out whether anything in there was referenced during startup.
> For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
> or just regedit.
>
> >
> > What likely happened here?

>
> Impossible to say. One possibility is that you got something via an
> unpatched IE vulnerability.


I was under the impression that there weren't any of these that have
resulted in actual infections any time recently. Lots of new
vulnerabilities keep being found and reported and fixed. And that's all
before there are any infections/penetrations using them and that's what I've
been hearing for over a year.

> Another is that AVG is/was giving a false
> detection. Another is that I don't have a clue what happened.
>
> >
> > The operation I was in the middle of when AVG popped up was reading a text
> > only no attachment NG message in OE 6.00.2800.1123.

>
> Did this message contain a link/url that you happened to click on?


NOPE! I assume that the NG message reading had nothing to do with it but
then what did??

> Jason

Ron Reaugh
Old 06-15-2005, 08:02 PM   #7
Jim Byrd
 
Default Re: Trojan horse Downloader.Generic.ML
Hi Ron - You might want to download and run the free or trial version of A2
Personal, here: http://www.emsisoft.com/en/ UPDATE, then run from a Clean
Boot or Safe Mode with Show Hidden Files enabled. This is a MUCH better
piece of software for detecting Trojans than AVG.

Directions for a Clean Boot and Show Hidden Files in my Blog, addy in
Signature.

--
Regards, Jim Byrd, MS-MVP
My, Blog Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

Jim Byrd
Old 06-15-2005, 08:08 PM   #8
Ron Reaugh
 
Default Re: Trojan horse Downloader.Generic.ML

"Jim Byrd" <> wrote in message
news:ReadnabBbuWj5i3fRVn-...
> Hi Ron - You might want to download and run the free or trial version of A2
> Personal, here: http://www.emsisoft.com/en/ UPDATE, then run from a Clean
> Boot or Safe Mode with Show Hidden Files enabled.
> This is a MUCH better
> piece of software for detecting Trojans than AVG.


Why would AVG or Trend HouseCall 6 be weak in this regard?

Ron Reaugh
Old 06-15-2005, 08:51 PM   #9
Jason Edwards
 
Default Re: Trojan horse Downloader.Generic.ML
"Ron Reaugh" <ron-> wrote in message
news:qW_re.324813$...
>
> "Jason Edwards" <> wrote in message
> news:...
> > "Ron Reaugh" <ron-> wrote in message
> > news:EKYre.963481$...
> > > It's the file C:\NULL
> > >
> > > Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> > > PC reported the above noted infection. It's Grisoft free AVG with the
> > > latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi
> > > router with firewall, SpyBot(resident).

> >
> > And do you use Internet Explorer?

>
> Yep, the very latest and fully patched/WinUp-ed version.


Ok, so it's probably only got approximately n+100 vulnerabilities left to be
patched.

>
> > > A normal Shutdown was done 12 hours
> > > earlier with no indication of any problems.

> >
> > There wouldn't be.
> > If something did sneak in via an IE or some other vulnerability then it
> > would most likely not run until the next startup.

>
> Are you saying that AVG's resident and SpyBots resident(watching reg
> updates) wouldn't have caught it at the time of infection?


Yes

>
> > > There are still no indications
> > > of any problems EXCEPT that AVG claims it's found this trojan.

> >
> > Sounds like an indication of a problem to me.
> > A false detection is a possibility but there is no way for me to be certain.
>
> That c:\null IS a bogus file from an unknown source suggests that there was
> no false detection.


It does, if you are sure that C:\NULL is not part of anything legitimate or
anything you have done yourself.

>
> > > There have
> > > been no floppy operations/mounts, no CD operations/mounts and no downloads
> > > and installs of anything since an hour before shutdown last night and now.
> >
> > But you did surf with Internet Explorer?

>
> Yep and other than the possibility that you are a FireFox drum beater, the
> use of a fully updated IE generally does NOT expose one to such when a fully
> functional firewall, virus checker and spyware checker are in place.


I don't wish to upset you but it took me a while to stop laughing after
reading that.

>
> > > From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date.
> > > Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on
> > > this PC finding nothing.
> > >
> > > So where and how did this file C:\NULL that AVG claims is Trojan horse
> > > Downloader.Generic.ML appear from? Was it really there since 5/5 but went
> > > unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> > > suddenly downloaded a new definition file which started seeing this
> > > trojan?
> >
> > Virus scanners don't have any magical ability to detect trojans, they have
> > to be told what is a trojan and what isn't via the updates.

>
> Right but 5/5/05 is over 30 days old...am I some special case alpha
> infection point?


Nope, you're just an average Windows user who got the trojan that wasn't
widespread enough to be noticed immediately.

>
> > An anti-virus
> > vendor may manage to do an update in less than a day if the virus/trojan is
> > all over the news but it may otherwise take longer. Trojan writers are not
> > under any obligation to send copies of their trojans to anti-virus vendors.
> >
> > > OR did something penetrate all the firewalls and suddenly spawn this file
> > > which AVG quickly recognized?

> >
> > I have no idea where C:\NULL came from but if it were on my PC I would want
> > to know what it was.
> > If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL
> > to see what was there.

>
> After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32]
> hourly to spot undesirable files. That's what I got AVG etc. for.


I don't either, but I don't allow additional executable files on to the
system in the first place, so I don't have to go file spotting very often on
my own machines. I also don't need AVG.

>
> > I'd also find out whether anything in there was referenced during startup.
> > For that I'd need spybot S&D in advanced mode or http://www.hijackthis.de/
> > or just regedit.
> >
> > >
> > > What likely happened here?

> >
> > Impossible to say. One possibility is that you got something via an
> > unpatched IE vulnerability.

>
> I was under the impression that there weren't any of these that have
> resulted in actual infections any time recently. Lots of new
> vulnerabilities keep being found and reported and fixed. And that's all
> before there are any infections/penetrations using them and that's what I've
> been hearing for over a year.


Who have you been hearing this from?
Ask yourself why there is a cumulative update every month.

>
> > Another is that AVG is/was giving a false
> > detection. Another is that I don't have a clue what happened.
> >
> > >
> > > The operation I was in the middle of when AVG popped up was reading a text
> > > only no attachment NG message in OE 6.00.2800.1123.

> >
> > Did this message contain a link/url that you happened to click on?

>
> NOPE! I assume that the NG message reading had nothing to do with it but
> then what did??


It is not possible for me to say for certain what did.

If I were you I'd wipe the drive and reinstall the operating system.
There is no other way to be sure that your system isn't compromised.

Jason

Jason Edwards
Old 06-15-2005, 09:08 PM   #10
Roger Wilco
 
Default Re: Trojan horse Downloader.Generic.ML

"Ron Reaugh" <ron-> wrote in message
news:EKYre.963481$...
> It's the file C:\NULL
>
> Suddenly shortly after cold boot my fully updated(WinUp) and patched W98se
> PC reported the above noted infection. It's Grisoft free AVG with the
> latest updates. This PC is also protected by ZoneAlarm, Belkin WiFi router
> with firewall, SpyBot(resident). A normal Shutdown was done 12 hours
> earlier with no indication of any problems. There are still no indications
> of any problems EXCEPT that AVG claims it's found this trojan. There have
> been no floppy operations/mounts, no CD operations/mounts and no downloads
> and installs of anything since an hour before shutdown last night and now.
>
> From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since
> 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this
> PC finding nothing.
>
> So where and how did this file C:\NULL that AVG claims is Trojan horse
> Downloader.Generic.ML appear from?


New malware can download and use old malware. Just a shot in the dark,
what else do you have with that date?

> Was it really there since 5/5 but went
> unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG
> suddenly downloaded a new definition file which started seeing this trojan?

Possible. Or it could be a false positive. Without the evidence we can't
know.

> OR did something penetrate all the firewalls and suddenly spawn this file
> which AVG quickly recognized?


Also possible.

> What likely happened here?


Without analysing the file "NULL", and or finding other malware files to
analyse - it is anybody's guess.

> The operation I was in the middle of when AVG popped up was reading a text
> only no attachment NG message in OE 6.00.2800.1123.


This may be paranoia at work here, but new malware could download many
things undetected at present and throw you a bone (like an old trojan)
to make you think your defenses are adequate and have protected you.
Maybe other things have been date altered to 5/5/5 as well - or looking
at 5/5/5 dated files will jar your memory about what "NULL" is (or was).




Roger Wilco
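Two pieces of advice in this thread fit together: Eric's suggestion to get a second opinion from VirusTotal, which Ron could no longer act on because AVG had already removed the file, and Roger's question about what else on the disk carries the 5/5/05 date. The block below is an added example, not code from the thread. It sweeps a directory tree for files whose modification date falls on a target day and records each one's size and SHA-256 before anything is quarantined, so the hash can still be looked up on VirusTotal after the file itself is gone. The directory tree, file names, contents and timestamps are constructed stand-ins for C:\ and are not taken from Ron's machine. Roger's caveat applies: a modification timestamp is set by whatever wrote the file and can be back-dated, so a date match narrows the search but does not prove when a file arrived.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime

# Constructed stand-in for the C:\ tree: relative path -> (content, local mtime).
# Every name, byte string and timestamp here is invented for the illustration;
# the empty "NULL" file mirrors the thread only in name.
SAMPLE_FILES = {
    "NULL": (b"", datetime(2005, 5, 5, 9, 30)),
    os.path.join("WINDOWS", "TEMP", "~tmp0001.tmp"):
        (b"not a real binary", datetime(2005, 5, 5, 9, 31)),
    os.path.join("WINDOWS", "win.ini"):
        (b"[windows]\r\nload=\r\nrun=\r\n", datetime(2005, 6, 14, 22, 5)),
}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks; the hex digest is what you search on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def files_modified_on(root, day):
    """Return sorted [(relative path, size, sha256)] for every file under root
    whose modification date, in local time, equals `day`."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable: skip it, don't abort the sweep
            if date.fromtimestamp(st.st_mtime) == day:
                hits.append((os.path.relpath(full, root), st.st_size, sha256_of(full)))
    return sorted(hits)


def build_sample_tree(root):
    """Write SAMPLE_FILES under root and back-date their mtimes with os.utime,
    which is also how malware (or any user) can forge a file date."""
    for rel, (content, when) in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        ts = when.timestamp()
        os.utime(full, (ts, ts))


def demo(day=date(2005, 5, 5)):
    """Build the constructed tree in a scratch directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return files_modified_on(root, day)


if __name__ == "__main__":
    # Point files_modified_on("C:\\", date(2005, 5, 5)) at a real drive to
    # repeat this on a live machine; record the output before cleaning.
    for rel, size, digest in demo():
        print(f"{digest}  {size:>8}  {rel}")
```

Hashing before removal is the habit worth keeping: the digest is small enough to paste into a newsgroup post, and a VirusTotal search on it tells you whether other scanners already know the sample, which answers Ron's "was it really there since 5/5" question far better than the timestamp alone.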