Guest Sid Elbow
Posted January 26, 2008

My virus scanner AVG has just reported a virus in a file that's been sitting in a backup directory on my system for just about a year without being previously flagged (I guess yesterday's update got it).

What surprised me was that the file reported is an application's autorun.inf which is a text file. When I opened the file in wordpad I saw this

[AutoRun]
open=RavMon.exe
shell\open=´ò¿ª(&O)
shell\open\Command=RavMon.exe
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command="RavMon.exe -e"

(I hope the strange characters in the 3rd and 5th lines show up).

Is it possible that this could act as a virus/malware?

Guest Dave Patrick
Posted January 26, 2008

Re: Autorun.inf virus

This should explain it.
http://vil.nai.com/vil/content/v_139985.htm

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Sid Elbow" wrote:
> My virus scanner AVG has just reported a virus in a file that's been
> sitting in a backup directory on my system for just about a year without
> being previously flagged (I guess yesterday's update got it).
>
> What surprised me was that the file reported is an application's
> autorun.inf which is a text file. When I opened the file in wordpad I saw
> this
>
> [AutoRun]
> open=RavMon.exe
> shell\open=´ò¿ª(&O)
> shell\open\Command=RavMon.exe
> shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
> shell\explore\Command="RavMon.exe -e"
>
> (I hope the strange characters in the 3rd and 5th lines show up).
>
> Is it possible that this could act as a virus/malware?

Guest David H. Lipman
Posted January 26, 2008

Re: Autorun.inf virus

From: "Sid Elbow" <here@there.com>

| My virus scanner AVG has just reported a virus in a file that's been
| sitting in a backup directory on my system for just about a year without
| being previously flagged (I guess yesterday's update got it).
|
| What surprised me was that the file reported is an application's
| autorun.inf which is a text file. When I opened the file in wordpad I
| saw this
|
| [AutoRun]
| open=RavMon.exe
| shell\open=´ò¿ª(&O)
| shell\open\Command=RavMon.exe
| shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
| shell\explore\Command="RavMon.exe -e"
|
| (I hope the strange characters in the 3rd and 5th lines show up).
|
| Is it possible that this could act as a virus/malware?

Yes it is possible it is a Trojan but not a virus.

Is there a RavMon.exe on the PC ?

If yes...

Please submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Sid Elbow
Posted January 26, 2008

Re: Autorun.inf virus

David H. Lipman wrote:
> From: "Sid Elbow" <here@there.com>
>
> | My virus scanner AVG has just reported a virus in a file that's been
> | sitting in a backup directory on my system for just about a year without
> | being previously flagged (I guess yesterday's update got it).
> |
> | What surprised me was that the file reported is an application's
> | autorun.inf which is a text file. When I opened the file in wordpad I
> | saw this
> |
> | [AutoRun]
> | open=RavMon.exe
> | shell\open=´ò¿ª(&O)
> | shell\open\Command=RavMon.exe
> | shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
> | shell\explore\Command="RavMon.exe -e"
> |
> | (I hope the strange characters in the 3rd and 5th lines show up).
> |
> | Is it possible that this could act as a virus/malware?
>
> Yes it is possible it is a Trojan but not a virus.
>
> Is there a RavMon.exe on the PC ?

No ... however the file is part of a bug-fix that I was sent by the tech-support for a Far East MP3/MP4 Player about a year ago. It did scan for a virus or trojan some time ago that was removed which may well have been the Ravmon file.

Thanks, Dave.

In today's case, it was only the autorun.inf that was flagged which surprised me. I guess AVG just updated their detection for this malware to include the autorun.inf and it's now showing up.

Guest Sid Elbow
Posted January 26, 2008

Re: Autorun.inf virus

Dave Patrick wrote:
> This should explain it.
>
> http://vil.nai.com/vil/content/v_139985.htm

Thanks, Dave, that does explain it.... see also my reply to DL

Guest David H. Lipman
Posted January 26, 2008

Re: Autorun.inf virus

From: "Sid Elbow" <here@there.com>

|
| No ... however the file is part of a bug-fix that I was sent by the
| tech-support for a Far East MP3/MP4 Player about a year ago. It did
| scan for a virus or trojan some time ago that was removed which may well
| have been the Ravmon file.
|
| Thanks, Dave.
|
| In today's case, it was only the autorun.inf that was flagged which
| surprised me. I guess AVG just updated their detection for this malware
| to include the autorun.inf and it's now showing up.

The INF must be a remnant then and the recent signature update must be generic based upon recent increases in trojans deliberately being installed via the AutoRun capability of removable media.

While the INF file isn't malicious in itself, it is a component of the Trojan's infection vector.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

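The point in the last reply, that the INF only launches the Trojan and can be left behind after the executable is removed, can be checked mechanically. The Python below is an added example, not code from any poster or AV vendor: it parses an autorun.inf, lists the entries that launch a program, and reports launch targets missing from a directory listing. The function names, the extension list and the placeholder menu captions are assumptions of the example.

```python
import re

# Constructed sample: the [AutoRun] section quoted in the thread, with the two
# unreadable menu captions replaced by the placeholder "<caption>".
SAMPLE_INF = r"""[AutoRun]
open=RavMon.exe
shell\open=<caption>(&O)
shell\open\Command=RavMon.exe
shell\explore=<caption>(&X)
shell\explore\Command="RavMon.exe -e"
"""

# [AutoRun] keys whose value is a command line Windows may launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Split "program arguments" at the first executable extension (assumed list),
# so a program path containing spaces stays in one piece.
CMD = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$", re.I)

def autorun_commands(text):
    """Return [(key, executable, arguments)] for every launching entry."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        value = value.replace('"', "").strip()
        if not LAUNCH_KEY.match(key) or not value:
            continue                      # captions, icon=, label= launch nothing
        m = CMD.match(value)
        exe, args = (m.group(1), m.group(2) or "") if m else (value, "")
        found.append((key.lower(), exe, args))
    return found

def orphaned_targets(text, files_present):
    """Launch targets named in the INF that are absent from a directory listing."""
    present = {name.lower() for name in files_present}
    targets = {exe for _, exe, _ in autorun_commands(text)}
    return sorted(t for t in targets if t.lower() not in present)

if __name__ == "__main__":
    for key, exe, args in autorun_commands(SAMPLE_INF):
        print(f"{key:24} -> {exe} {args}".rstrip())
    print("missing:", orphaned_targets(SAMPLE_INF, ["autorun.inf"]))
```

An INF whose launch targets are all missing matches the leftover case described in this thread; one whose target is still present is the case where the executable itself should be submitted for scanning.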