Trojan clarification

Thread starter: Calm n Collected

If I understand correctly, trojans don't replicate like viruses. One
virus program said I had one, though the zip file in question didn't
have any executable programs in it.

Thanks.
 
If I understand correctly, trojans don't replicate like viruses.
Correct.

One virus program said I had one,

One what? Virus or Trojan?
though the zip file in question didn't have any executable programs in it.

Both viruses and Trojans are programs, which means executable files
or runnable code. It would be unusual indeed if an antivirus program
false alarmed on data files.

You should post far more detail. Which antivirus? Exactly what
kind of file(s) did the av alert on? What did the alert message say?


Art
http://www.epix.net/~artnpeg
 
One what? Virus or Trojan?


Both viruses and Trojans are programs, which means executable files
or runnable code. It would be unusual indeed if an antivirus program
false alarmed on data files.

You should post far more detail. Which antivirus? Exactly what
kind of file(s) did the av alert on? What did the alert message say?

I can't remember all the files but some were .class files. It said it
found a trojan.

The program is AntiVir and after a pretty rigorous test against Fprot,
it has been uninstalled. The program is from Germany like my mom and
they are generally excellent programmers.

I hope the file it deleted doesn't force me to have to re-install NS
7.02. :-)
 
I can't remember all the files but some were .class files. It said it
found a trojan.

Java active (executable) files then. No big surprise there.
The program is AntiVir and after a pretty rigorous test against Fprot,
it has been uninstalled. The program is from Germany like my mom and
they are generally excellent programmers.

I hope the file it deleted doesn't force me to have to re-install NS
7.02. :-)

Hope you learned a lesson about allowing an av to delete before you
find out what's going on. You should always get multiple "opinions"
from other scanners. There are file upload sites such as:

http://www.virustotal.com/flash/index_en.html

If an av appears to be false alarming, you send a sample to the vendor
so he can correct the problem. False alarms are not terribly unusual
nowadays because of the difficulties with Trojan detection.

And being prejudiced in favor of some av because it's been developed
in a certain favorite country is completely irrational :)


Art
http://www.epix.net/~artnpeg
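As an added illustration of Art's point that .class files are runnable code regardless of how harmless the archive looks (this is example code, not from anyone in the thread): a small Python triage script that labels each member of a zip by its leading magic bytes instead of its file extension, and flags nested archives for a second look. The signature table and the constructed sample archive are assumptions made for the demo.

```python
import io
import struct
import zipfile

# Magic-byte signatures for content that is directly runnable code.
# This table is a constructed, deliberately short list for the demo.
CODE_SIGNATURES = [
    (b"\xca\xfe\xba\xbe", "Java class file"),
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter shebang"),
]

def classify_member(head: bytes) -> str:
    """Label a file by its leading bytes, never by its name."""
    for magic, label in CODE_SIGNATURES:
        if head.startswith(magic):
            return label
    if head.startswith(b"PK\x03\x04"):
        return "nested zip archive (inspect recursively)"
    return "data (not directly runnable)"

def inspect_zip(archive_bytes: bytes) -> dict:
    """Return {member name: label} for every file inside the archive."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # magic bytes sit at the very start
            result[info.filename] = classify_member(head)
    return result

def has_runnable_content(archive_bytes: bytes) -> bool:
    """True if any member is code or a nested archive needing review."""
    return any(not label.startswith("data")
               for label in inspect_zip(archive_bytes).values())

def build_sample_zip() -> bytes:
    """Constructed sample: a plain text note, a Java class under its
    normal name, and the same class header hiding behind a .txt name."""
    class_header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "just a note\n")
        zf.writestr("Helper.class", class_header)
        zf.writestr("notes.txt", class_header)  # extension lies here
    return buf.getvalue()

if __name__ == "__main__":
    for name, label in inspect_zip(build_sample_zip()).items():
        print(f"{name}: {label}")
```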
 

The AV industry will call most non-replicating malware a trojan although it is not entirely correct that
trojans don't replicate. Many self-replicators spend a part or phase of their existence as trojans.
Both viruses and Trojans are programs, which means executable files
or runnable code. It would be unusual indeed if an antivirus program
false alarmed on data files.

Not really, mail client indexed database files (.dbx, .pst, .mbx, etc...) are often alerted to. E-mail scanners
are designed to detect malware in data. Where exactly does one draw the line between data and code?
 
The AV industry will call most non-replicating malware a trojan although it is not entirely correct that
trojans don't replicate. Many self-replicators spend a part or phase of their existence as trojans.

True, but you could also argue that all malware, including file
viruses, are Trojans. The fact that a virus dropper is usually
considered to be a Trojan is beside the point here, and really has
nothing to do with what the OP was asking.
Not really, mail client indexed database files (.dbx, .pst, .mbx, etc...) are often alerted to. E-mail scanners
are designed to detect malware in data. Where exactly does one draw the line between data and code?

You can blame that mess on M$. By "data" I had in mind ANSI text,
picture image files, audio files, movie files, and the like. Of
course, you can scan them for embedded malicious code if you want.
But they're unlikely to be a threat to the average user.


Art
http://www.epix.net/~artnpeg
 
True, but you could also argue that all malware, including file
viruses, are Trojans. The fact that a virus dropper is usually
considered to be a Trojan is beside the point here, and really has
nothing to do with what the OP was asking.

The OP asked for "clarification" according to the subject line (Trojan clarification). Saying "right" or "wrong" in response to:

"If I understand correctly, trojans don't replicate like viruses."

....doesn't do much to clarify any confusion the OP experiences while investigating malware.

You can blame that mess on M$. By "data" I had in mind ANSI text,

ASCII text - ANSI chars can be malicious.
picture image files,

A recent vulnerability will allow this data type to be used as an exploit trojan container - GDI Plus DLL?
audio files, movie files, and the like. Of
course, you can scan them for embedded malicious code if you want.
But they're unlikely to be a threat to the average user.

The OP's zip question also indicated he held the belief that trojans shouldn't have been detected because the contained
files weren't "executable programs". You seem to agree with that viewpoint, but many exploit trojans exist as data files
and only "execute" with the help of broken software. If you choose not to scan them for malicious code that's fine with
me too. :)
 
The word trojan is often used as a synonym for remote administration
tool, that is, one used by blackhats. Norton I believe calls nmap and
scanners "hack tools." Obviously some AV detects rootkits as well.

Trojan technically is something that is slipped past a user, whether by
Internet Explorer exploit, or bound to legitimate binaries.

I prefer the use of trojan to mean non-replicating RAT.

You can certainly bind an autorooter to downloaded binaries, but you can
just as easily propagate it from your own machine. An autorooter is a
hybrid worm / trojan.

michael
 
A recent vulnerability will allow this data type to be used as an exploit trojan container - GDI Plus DLL?

Yes. GDI+.

A Winamp skin sounds harmless but there was an exploit for this.
There have also been holes in Windows Media Player. One of Guninski's
exploits showed the hazard of "text" (really HTA) files when viewed in
Explorer and Internet Explorer. All of this has been patched, but it
doesn't preclude future vulnerabilities.

michael
 
Java active (executable) files then. No big surprise there.


Hope you learned a lesson about allowing an av to delete before you
find out what's going on. You should always get multiple "opinions"
from other scanners. There are file upload sites such as:

Thanks for the encouraging words. I forgot you have never made a mistake. :-)
http://www.virustotal.com/flash/index_en.html

If an av appears to be false alarming, you send a sample to the vendor
so he can correct the problem. False alarms are not terribly unusual
nowadays because of the difficulties with Trojan detection.

And being prejudiced in favor of some av because it's been developed
in a certain favorite country is completely irrational :)

Not hardly Art. You must not like Germany.
 
Gnome de Plume said:
The word trojan is often used as a synonym for remote administration
tool, that is, one used by blackhats.

True, some say RAT(blackhat) is Remote Access Trojan while RAT(whitehat) is Remote Administration Tool. The program
itself can be identical in both cases.

Norton I believe calls nmap and
scanners "hack tools." Obviously some AV detects rootkits as well.

Trojan technically is something that is slipped past a user, whether by
Internet Explorer exploit, or bound to legitimate binaries.

I prefer the use of trojan to mean non-replicating RAT.

I would prefer that a backdoor be called a backdoor and leave the term "trojan" for programs that apply misguided confidence
in their execution in the traditional manner as it was associated with the city of Troy. But my preferences are unrealistic
due to the existence of "trojan" in the popular lexicon just meaning "non-replicating virus" as the OP has suggested.
 