When is a virus not a virus...?

Ok, here's a wierd one...

I got another one of those "This is a Micro$oft Update" e-mails seemingly trying to trick me into running the .exe attachment and infect my system.

Ho hum, thinks I, and I'm about to delete it when I suddenly realise that the message *doesn't* have a Norton AV warning of deletion in place of the attachment.

So I think "hello, that's odd" and get NAV to scan the attachment. To which it replies "it's clean".

Now this is strange, because it sure as hell *looks* like it's suspicious.

So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program"

This strikes me as totally bizarre. Someone sends out something that *looks* like a virus type message, but it's got perfectly legitimate content (and no other attachments), so what on *Earth* is the point?

Is someone *trying* to do me a favour by helping me to install updates on my system? (Not that I'd trust it anyway!) Is it a virus that's just really well concealed? (It doesn't seem to be)

Anyone got any ideas on this?

[andygrif]

It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.

[Russ]

Or possibly it's someone trying to trick you in to thinking you've been sent something nasty without actually getting in to trouble themselves?

[Defiant]

Hmm I'm always seeing people posting questions about virus's and for some reason its nearly always regarding Norton

[zovat]

Quote:

Originally Posted by andygrif

It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.

True, but Symantec said it was clean - and they are pretty quick at identifying virii once they are released...

Does seem strange though- Microsoft have never (to my knowledge) sent out any updates by Email.

Hmmm - a bit of googling tells me that this looks rather like the swen worm : see symantec's page - bit wierd that symantec said it looked ok though....

[MadGamer]

Quote:

Originally Posted by zovat

True, but Symantec said it was clean - and they are pretty quick at identifying virii once they are released...

Does seem strange though- Microsoft have never (to my knowledge) sent out any updates by Email.

Hmmm - a bit of googling tells me that this looks rather like the swen worm : see symantec's page - bit wierd that symantec said it looked ok though....

M$ do have this stated on their website somewhere. You are right, they never send out emails containing patches.

[MadGamer]

Quote:

Originally Posted by Graham

Ok, here's a wierd one...

I got another one of those "This is a Micro$oft Update" e-mails seemingly trying to trick me into running the .exe attachment and infect my system.

Ho hum, thinks I, and I'm about to delete it when I suddenly realise that the message *doesn't* have a Norton AV warning of deletion in place of the attachment.

So I think "hello, that's odd" and get NAV to scan the attachment. To which it replies "it's clean".

Now this is strange, because it sure as hell *looks* like it's suspicious.

So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program"

This strikes me as totally bizarre. Someone sends out something that *looks* like a virus type message, but it's got perfectly legitimate content (and no other attachments), so what on *Earth* is the point?

Is someone *trying* to do me a favour by helping me to install updates on my system? (Not that I'd trust it anyway!) Is it a virus that's just really well concealed? (It doesn't seem to be)

Anyone got any ideas on this?

For someone to install updates for you, they would need access to your system.

[Chris W]

Quote:

Originally Posted by Graham

<snip>
Anyone got any ideas on this?

Have you tried running an online scan of the file with a different AV program, eg http://housecall.trenmicro.com/

MB

[greencreeper]

Might be softening you up for the kill If someone's sent a non-nasty email and they run the attachment without problems, then they're more likely to run subsequent attachments and advise friends/relatives that those emails really are harmless.

[Xaccers]

It could be a dialer rather than a virus
You know, the sort of thing that installs itself and tries to get your modem to call a premium rate number.
Its not a virus, so NAV wouldn't flag it up, tho it's still not a nice bit of software to have.

Quote:

Originally Posted by andygrif

It could well be that Norton haven't identified it yet as a virus. It's worth sending them the email along with the attachment to do some testing on.

Quote:

Originally Posted by Xaccers

Its not a virus, so NAV wouldn't flag it up

"So I save the file, quarantine it, and send it off to Symantec for checking and get the reply back saying "this has been checked and it's the same as the official version of the install9.exe program"

I can't see why they'd say this if it wasn't kosher, but it's just really odd.

Quote:

Originally Posted by monkeybreath

Have you tried running an online scan of the file with a different AV program, eg http://housecall.trenmicro.com/

Thanks, but that address comes up "not found".

[Tezcatlipoca]

Quote:

Originally Posted by Graham

Thanks, but that address comes up "not found".

Try http://housecall.trendmicro.com/

[greencreeper]

Quote:

Originally Posted by Xaccers

It could be a dialer rather than a virus
You know, the sort of thing that installs itself and tries to get your modem to call a premium rate number.
Its not a virus, so NAV wouldn't flag it up, tho it's still not a nice bit of software to have.

I wonder what happens when a dialler tries dialling on a system without DUN installed, like most broadband connected PCs?? Crash the system maybe, or will Windows auto-install DUN??

[MadGamer]

Check for any spyware.