Hi Thomas,

On 25 December 2000 at 02:43:04 +0800 (which was 18:43 where I
live) Thomas Fernandez wrote and made these points:

TF> It was suddenly announced by PC-Cillin as being active - while I was
TF> offline.

TB cannot have activated it. Only the OS or a browser could have done
that.

TF>>> activity on port 8431, and closed that port for further
TF>>> investigation after Christmas.

MDP>> This is unrelated to the Trojan you mention.

TF> Ach so. Do you mean the port activity being unrelated to the
TF> runme.hta file?

Yes.

MDP>> Okay - so the trojan had *arrived* on your machine as an
MDP>> attachment and reported as *present* by PC-Cillin. This does
MDP>> *not* yet constitute an "infection".

TF> Hmm. I think we mean the same thing. That trojan was present on my
TF> PC, so I call my PC "infected".

I have copies of selected viral infections in hermetically sealed
archive areas out of morbid curiosity. They exist on my PC but **not**
as infections. A virus only becomes an infection by being active, not
merely by being present.

MDP>> A virus can be spotted in a file on your hard drive without ever
MDP>> having been run or activated. This is what I believe has
MDP>> happened to you here.

TF> I didn't run a virus check, but I have this permanent "Real-Time
TF> Scan" ticked. Therefore, the trojan had been activated.

Activated or created on disk in a file? There's a difference.

MDP>>  TB has, in fact, "saved your bottom".

TF> Has it? The "infected" file was in a TB subdirectory.

The file may have been infected but your PC and OS are *not* until the
file is executed either by the OS (in Explorer or as a Shell Execution
by another app ... and TB won't do this without explicitly being told
to do so) or by a browser VM in response to the receipt of JavaScript
on a web page you have received, either by browsing to it or as an
attachment. Again, direct execution is involved.

TF>>> So this is some malware that becomes active through some trigger
TF>>> other than double-clicking on it, and thus TB cannot prevent it.

MDP>> It doesn't need to. You don't get *infected* by a virus until it
MDP>> is executed. This is a fact.

TF> It has been executed.

I disagree.

TF> Not triggered by me double-clicking on it.

Then it has *not* been executed, merely stored.

MDP>> I disagree. I haven't been caught by a virus since using TB. I
MDP>> use my own intelligence to know what attachments may be infected
MDP>> and virus scan them independently if dubious.

TF> I agree with you, but I have *not* double-clicked on anything. And I
TF> disagree that an AV program is superfluous.

<snip>

MDP>> As you can see, it is a JavaScript virus - ergo it must be executed by
MDP>> a Java VM to cause an infection.

TF> Got it. However, PC-Cillin reported the infected file to be in a TB
TF> subdirectory. What do you make out of this?

I think I've spelled it out above. PC-Cillin just spotted the file
being created because you received it. That doesn't make it executed
nor does it make your PC infected.

--
 Cheers,
 .\\arck
 ________________________________________________________________
[    Marck D. Pearlstone | Moderator TBUDL / TBBETA              ]
[ PGP Key ID: 0x929DCDA0 | www: http://www.silverstones.com      ]
[ PGP Key: http://www.silverstones.com/MarckPGP.asc              ]
[    Any opinions are my own and not those of RIT labs           ]
 ________________________________________________________________
TB! v1.48f S/N 14F4B4B2 on Windows NT 5.0 Build 2195 Service Pack 1

