Strange trojan detection depends on how file is extracted

Discussion in 'other software & services' started by HandsOff, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Sep 16, 2003
    Bay Area, California
    I just got around to installing a program I downloaded a while ago. It was compressed and had to be extracted. It was the type of compression called "SFX - Rar archive". This type of file has the extension .exe and is self-extracting (you do not need any unzipping / unRaring software to extract it). As it happens I have WinRAR installed, and I use it to extract everything. That's why I am in the habit of using the context menu (right clicking) and selecting the "extract files here" option, rather than double clicking the file when I see the familiar Rar icon. Okay, now comes the weird part:

    I don't THINK it should matter whether I right click and say extract here, or simply double click the file's icon since it is self-extracting, however:

    -if I use the right click method, the installation goes apparently smoothly

    -if I double click the icon, then my trojan scanner immediately detects and cleans the file saying that it is a trojan.

    Anyone care to venture a guess why the different outcomes?

    What makes it even stranger is that in the second scenario, aside from the actions of the anti-Trojan program, I notice that Javacool's SpywareGuard resident scanner has been shut off. If I go to the options menu and enable it, it is functional again.

    I did this two or three times because I was interested in seeing if I could find anything running, or any changes in autoloading programs, and HijackThis, etc... I am pretty sure there is nothing running. The same behavior happened every time.

    Why would the trojan only be launched if I double click it? Did it intentionally target SWGuard? These are my questions!

    - HandsOff