Opinions? Is this a virus/trojan or not?

Discussion in 'malware problems & news' started by Mike_Healan, Apr 20, 2003.

Thread Status:
Not open for further replies.
  1. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    http://www.spywareinfoforum.com/articles/av/six_buttons_from_hell.php

    Originally intended for last week's newsletter, but I decided it was too much of a rant. But I see a lot of people agreeing with me on it.

    As far as I'm concerned, it doesn't replicate itself, so it is not a virus. It doesn't raid the address book, so it's not a worm. It doesn't run as a server or a client, so it's not a trojan.

    Given that, it is inappropriate for all of these av companies to target it. They are doing real damage to that company's reputation by blatantly lying (in my opinion) about there being a virus or trojan in that program.

    What's your opinion?
     
  2. controler

    controler Guest

    Hi Mike

    I have to disagree with the definition of a virus as being ONLY a file that replicates itself. Who in their right mind would give that meaning to a virus?
    I myself and this is just me now, would call any harmful file a virus.
    Example = a BAT file or even a non replicating VB script file. It does not replicate itself but it sure can delete your whole hard drive.
    The harm I can see in this file would be that it crashes Windows, thus adding the possibility of damaging any database files you may have open etc. Damage is still done.
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Interesting indeed.

    Well, Grisoft surely is wrong in their statement; can't believe they actually did.

    It depends IMHO. In case a fingerprint comes that close to a viral fingerprint, there's reason to - at least - heuristics from an antivirus popping up. Grisoft/AVG isn't the only one alerting here - for one and the same reasons.

    As for antiviruses targeting advertising spyware: IMO that's not their business at all. Complementary antispyware software is a blessing in this context.

    As for targeting an email worm popping up a license first: for the sake of all reading this, could you be specific in regard to the worm and the antivirus companies, for the sake of readers? ;). As for my opinion: entering a twilight zone here.

    You address several issues here - therefore several opinions are asked for. I for one like to see some more info to address them all.

    regards.

    paul
     
  4. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    I was referring to the friendgreeting worm last year. Once infected, it mailed itself out to every contact in the address book with a message promising an e-card on the web site it linked to. To view this e-card, you would have to install an activex plugin, agree to a click-through license saying what it would do, and then it would reproduce again from the new victim's address book.

    License or no license, it replicated by mailing itself to all of the victim's address book contacts. That is an email worm. If simply popping up a click-through agreement gets a virus past anti-virus software, they'll all have them sooner or later. These people know that no one reads those things, especially if they're being scammed into thinking a friend just sent them an e-card.

    To the best of my knowledge, all AV companies initially refused to target it because of that license. I was outraged at that.

    Agreed, but if they're going to detect things outside of their little area, why not target something truly malicious? Like xupiter and orbit explorer? I see many of them targeting certain browser hijackers, but if they're not going to detect something truly malicious such as xupiter or prolivation, then there is no excuse for targeting something like this script template.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the additional info, Mike.

    Although I fully agree as for the tactics used, license or no license is a major issue here IMHO. From a legal point of view, anyone has a choice whether or not to accept or deny installing the activex plugin.

    No offense, but: why? In case for example the same would go for installing an Optix Pro, Assasin, or whatever malware server, and someone would agree: isn't that the essence: people having their own responsibility to agree/disagree what is installed on their system? I'm with you as for protection against scam, tricking etc. At the same time, I do believe everyone is responsible for their own decisions.

    Their area is far from "little" ;) - and far from targeting "truly malicious". IMHO antiviruses should target what they are designed for; all other targets are "extras" - no more, no less. As for targeting this script template: as stated before, Grisoft is wrong in their statement, other antiviruses detect a fingerprint that's very close to a malicious one, and pop up an alert. By design, that's a good thing. It's up to the antivirus software user to make up a decision - putting the file up for examination by the software designer or deciding him/herself.

    regards,

    paul
     
  6. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Alright, fair enough. But,

    1st Page also has a license, and unlike the worm mentioned above, this is legitimate software which happens to come with a template that pastes a javascript disliked by AV companies. McAfee does now target the worm, although they put a disclaimer up saying that it's not a virus. I'm not sure about other companies. If having a license excuses a worm from detection, why doesn't it excuse this text file? Should Evrsoft hire blackhats to write their EULA before it satisfies AV companies since that is what has worked in the past?

    1st Page does not use deception in any manner. It does not lie to the person installing the program. If you happen to find that template while looking at the other javascripts, it explains exactly what it does.

    Its intent is not to do something malicious or destructive. The developer didn't place it there for backdoor access to the computer, to destroy the user's hard drive, or make it replicate itself. You can't "infect" yourself with this simple text file. Unless you invoke it yourself from within the program, it will never do anything, and even then all it does is paste text into a page template.

    Friendgreeting is a malicious email worm that scams each user into infecting every other user, and a license excused it from detection. Suppose I mail a batch file to 5000 people that writes a copy of itself and emails itself out to their contacts then formats their hard drive, but only *after* they agree to a long license. Are AV companies going to ignore that while they shore up detection rules for this trick javascript in 1st Page?

    EDIT:

    Sorry for the rant, but I am disgusted with those AV companies for leaving their users defenseless as they did.
     