trojan.prova

Discussion in 'malware problems & news' started by SkyBlue, Jun 24, 2003.

Thread Status:
Not open for further replies.
  1. SkyBlue

    SkyBlue Guest

    Here is the deal, I contracted my first cute little trojan virus.

    Not good. But luckily its payload was not destructive on my computer because it doesnt function properly under nt/2000/xp. However, my virus scanner, NAV2003, detected the executable that would have torn up my system a little bit had I been on 98 or something. Anyhow, my question to you all is this...

    I am extremely careful and do not download anything I do not consider safe. I constantly do backups/images. And run and update my virus scanners and spyware removers consistently. The only variable is my wife. She gets on the computer every once in awhile and looks at her emails, which she uses outlook to download. Or goes to various websites to view clothing catalogs.

    This virus/trojan I got is called by NAV "trojan.prova" apprently it is an executable that hides itself as a macromedia flash icon.

    This is where I am confused.

    Here is the quote:
    "The main Trojan file is an executable that contains all other components of the Trojan. The main executable appears as a Macromedia Flash icon and is larger than 1 MB in size. When the Trojan is executed it will create many component files. Here is a list of the files that the Trojan creates and what each file does:"

    This MAcromedia Flash icon, what is it? I know what Macromedia flash files and are, but an icon, is it clickable?

    Also, does it have to be downloaded, or could you visit a webpage that used macromedia flash to produce lets say a cartoon, and have the icon imbedded in the page, and click it and presto, its on your system?

    I am confused as to how I contracted this trojan. Could it be possible that when my wife downloaded her emails via outlook, which she has mucho spam, one of the 100 emails contained the trojan? She said she did not download anything, but I know, and I dont use outlook, when you do however that the emails are downloaded onto your system, but are the acutual "attachments" automatically downloaded into your computer?

    Any advice would be great.

    I'll tell you what I did though, and give me advice as if there are other precautions I should take as well.

    1) NAV "auto delete the infected files", I then rebooted, and scanned again, and it discovered nothing.

    2) I used NAV's removal procedures to check the registry and for other files on the system this trojan creates, yet I found none of them. I think this is due to the trojan not functioning properly on an XP system.

    3) I removed system restore, so that it erased all my restore points, rebooted, then made a new restore point.

    4) I then imaged my HD over the old image on my hidden partition that I use drive image 2003 to make. Thus eliminating the possibility that the trojan could be on my image file on that partition.

    - I do however have 2 images stored on CDRW's. I always scan for viruses before I burn images, so I think I'll keep these in case I ever need them in an emergency, even if they do contain the trojan, I can remove it after I restore the image again.

    Thanks for any help guys,

    Sky
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi SkyBlue,

    Welcome to the board.

    The icon mentioned here is merely the picture that would be shown if you had the trojan file in your email (or if you saved it to your computer) and has nothing else to do with Macromedia Flash as the file itself is not a Flash file but merely a "normal" exe file. Just having it in your email would not, in and of itself, cause the infection. Someone would have had to click on it. This is why more and more AntiVirus products include lower level protection for email. They monitor the network ports through which your email program (whether Outlook, Outlook express, Eudora, etc) gets the email from the mailserver and if a virus is detected in the stream of data it removes it (or quarantines it or renames it, whatever you have set as the default option) before it even reaches your mailbox. There is a growing list of products that provide this sort of protection along with the normal resident scanner but the only one I know of off-hand is the one I use :) which is NOD32

    http://www.eset.com/

    Hope this helps.

    Regards,

    Dan
     
  3. SkyBlue

    SkyBlue Guest

    Thanks, I'll check that out. I also think AVG virus scanner has an active email scanner as well. Maybe I should switch to that, but would it catch trojans as well? I think that is the catch. I am just fortunate I didnt have something worse.

    Sky
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Glad to help.

    I never used AVG but took a quick look at their site and it *appears* as if their email scanner is just able to scan within certain email databases. Almost all AVs can do this but what I was writing of earlier is something different. That scanning is done before it reaches the email application (though it also does scan once it hits the email). Don't get me wrong, I am not trying to sell you NOD, I am pretty sure other AVs do this as well I just though it best to distinguish between the two tupes of email scanning.)

    Regards,

    Dan
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi
    you could always get a dedicated anti-trojan on your system, like tds or trojan hunter. both offer free trials... neither has email scanning but provide real time protection against trojans. check out www.misec.net/trojanhunter or www.diamondcs.com.au
     
Thread Status:
Not open for further replies.