Hallo Marck,

On Mon, 25 Dec 2000 17:03:57 +0000 GMT (26/12/2000, 01:03 +0800 GMT),
Marck D. Pearlstone wrote:

TF>> OK, here we go: I got infected by the JS_SEEKER.A trojan

MDP> Infected? I don't think so...

It was suddenly announced by PC-Cillin as being active - while I was
offline.

TF>> (File Name: RUNME.HTA - what does an .HTA extension normally
TF>> do?). I got suspicious two days ago when I suddenly had unusual
TF>> activity on port 8431, and closed that port for further
TF>> investigation after Christmas.

MDP> This is unrelated to the Trojan you mention.

I see. Do you mean the port activity being unrelated to the runme.hta
file?

MDP> Okay - so the trojan had *arrived* on your machine as an attachment
MDP> and reported as *present* by PC-Cillin. This does *not* yet constitute
MDP> an "infection".

Hmm. I think we mean the same thing. That trojan was present on my PC,
so I call my PC "infected".

MDP> A virus can be spotted in a file on your hard drive without ever
MDP> having been run or activated. This is what I believe has happened
MDP> to you here.

I didn't run a virus check, but I have this permanent "Real-Time Scan"
ticked. Therefore, the trojan had been activated.

MDP> TB has, in fact, "saved your bottom".

Has it? The "infected" file was in a TB subdirectory.

TF>> So this is some malware that becomes active through some trigger
TF>> other than double-clicking on it, and thus TB cannot prevent it.

MDP> It doesn't need to. You don't get *infected* by a virus until it is
MDP> executed. This is a fact.

It has been executed. Not triggered by me double-clicking on it. I am
the only one who has access to my TB.

TF>> I repeat: TB does not substitute a regularly updated anti-virus
TF>> program.

MDP> I disagree. I haven't been caught by a virus since using TB. I use my
MDP> own intelligence to know what attachments may be infected and virus
MDP> scan them independently if dubious.

I agree with you, but I have *not* double-clicked on anything. And I
disagree that an AV program is superfluous.

MDP> This Trojan was first reported in October, so it's not that new. It is
MDP> known as the "seeker" trojan and is relatively harmless.

It was not detected by the virus scan I ran two days ago after I saw
this anomalous connection to port 8431. I also have no more unusual
activity on that port after having run the virus scan after upgrade.

MDP> Here is the vulnerability report relating to this Trojan:

Thanks for this info. I'm gonna hunt for the other files.

While it mentions "adult sites", I wish to report that I have not
visited one for a couple of months, but people who have access to my
computer might have. - Oh what a lame excuse. Unfortunately true. Do I
have to activate "parents supervision" on my box? ;-)

MDP> As you can see, it is a JavaScript virus - ergo it must be executed by
MDP> a Java VM to cause an infection.

Got it. However, PC-Cillin reported the infected file to be in a TB
subdirectory. What do you make out of this?

-- 

Cheers,
Thomas.

A day without sunshine is like, night. 

Message reply created with The Bat! 1.48f
under Chinese Windows 98 4.10 Build 1998 
using an Intel Celeron 366MHz, 128MB RAM



-- 
--------------------------------------------------------------
View the TBUDL archive at http://tbudl.thebat.dutaint.com
--------------------------------------------------------------