Trojan horse Downloader.Small.57.BA

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PeterM, Jan 27, 2007.

  1. PeterM

    PeterM Private E-2

    Hi,

    AVG detected "Trojan horse Downloader.Small.57.BA" on my system a few days ago. It only infects html or htm files that contain javascript and that were created on my system but not all of them (so far). Besides, I had saved various html files with Java from various origins on the net in the past and none of them have been infected (so far).

    Also, after AVG detects and erases ALL infected html files, the infection continues on files newly created. So there exists in the system an infecting agent that AVG does not detect.

    One nasty behaviour of that pest: when an html file gets infected and you get the AVG warning box and you choose "Ignore" in order to view the source, then you find out that the source is not available. When you drag (or send) the infected file into notepad you get a box saying that you are not authorized to see the source. Also, when you try to upload it to virusscan.jotti.org, you get a box saying that the file cannot be opened. Finally, if you insist, the pest simply erases the contents and all that remains of the file is a skeleton of html head /head body /body /html.

    I have been fighting that pest for almost one week now and nothing detects anything (AdAware, Spybot, CounterSpy, BitDefender, Panda, HijackThis). Can't use AVG Anti-Spyware since I have W98. So far only the Grisoft AV detects something and, yet, not the pest itself but the result of its actions (infection of html files with Java). I would very much appreciate any guidance you could give me.

    I followed all your instructions religiously with no particular difficulty except the usual blue screens, courtesy of Bill, and the laziness of the DNS of my tropical internet provider which obliged me to repeat your procedure twice. All logs are attached. Only Panda detected something (in its first run): 4 cookies that were subsequently erased by CCleaner in the second run. That did not stop the pest. Uol is a trustworthy webmail service I use and I had cookies from Tribalfusion and 2o7 before, without consequences. I rather suspect an invasion via the MSN chat my kid uses (a lot).

    Additional info:

    Windows 98 SE

    AVG 7.5.432 268.17.12/653

    No other antivirus installed

    Other protection software: Spybot (last current version)

    AVG Resident Shield message: "Threat Detected! While opening file: (path/filename) Trojan horse Downloader.Small.57.BA"

    No email client used

    Firewall: Kerio

    Internet connection: broadband by NET/Embratel (Virtua) Brazil
     

    Attached Files:

  2. PeterM

    PeterM Private E-2

    More logs
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Otherwise your logs are clean. I've read thru your thread at AVG; honestly I had a hard time following rdsok's replies.

    When exactly did this behavior begin? Right after a signature update?

    Update AVG's signatures and run a system scan.
     
  4. PeterM

    PeterM Private E-2

    I know exactly what the two lines:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    are.

    They come from Spybot>Tools>IE tweaks and correspond to the locking of IE homepage and the locking of internet settings from within IE (to prevent my kid from monkeying around with them). I had already "fixed" them and all it does is make IE go back to the defaults, having to reselect the boxes in Spybot (which makes the lines reappear in HJT) but the trojan is still here.

    So I only "fixed" the "O13 - WWW. Prefix: http://" line. Trojan still here. Rebooted. Ran another HJT scan. Line did not reappear. Trojan still here.

    AVG support: yep... at least I tried to remain polite till the end.

    Beginning of behaviour: I run a scheduled AVG update every day at 00:00hrs and a subsequent scheduled AVG test at 02:00hrs. However, blue screens and other hang ups sometimes defeat it. So the last clean AVG test was on Jan 19th and the first AVG test detecting a threat was on Jan 21st. There was a Windows hiccup on Jan 20th. Now it is hard to tell whether AVG's detection was because of an invasion or because of AVG having included that trojan in its database update. Only Grisoft could tell. What I can say is that I did sometimes access some of my html files on my HDs in the days before (to copy codes) and the source was available, hence the files were not infected yet. Not knowing about Grisoft database update details, I would say that the invasion is not older than the beginning of January.

    Ran AVG last night with the most recent update (268.17.12/654), safe mode, no internet, all files selected (and not only infectible ones). Result: clean.

    Any suggestion?

    Thanks for your help!
     
  5. PeterM

    PeterM Private E-2

    One more remark for those having the same problem (and this is not a bump):

    It is still possible to maintain a site with an infected system by creating files with a .txt extension, FTP them and THEN change the extension to .html ON THE HOST thru a FTP command.

    The real trouble is that we don't know what more this pest can do beyond defacing html files. Something else might be kept dormant and triggered some time in the future...
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This appears to be a problem with the AVG definitions (False Positive), since the alerts did not occur until you updated the definitions, all other logs were clean, and the alerts then stopped after you downloaded new definitions.
     
  7. PeterM

    PeterM Private E-2

    Sorry, I was not clear enough: when I say that the last AVG test was clean I mean that AVG did not detect anything (because all infected files that had appeared since the previous test were already put in the vault by AVG resident shield or erased), but the infecting agent is still here somewhere. Suffice to request some of my hosted files with IE or Opera to get an alert from AVG resident shield (but this does not happen with Firefox). Then, if you choose "heal", AVG moves the infected file from the browser's cache to the vault and a subsequent AVG test will be clean. But if you choose "ignore" then you can see that something IS wrong with the file: the source code is not available and if you insist on opening the file in notepad, for example, then it auto-destroys, or the infecting agent destroys it, and all the content is gone. All that remains is HTML HEAD /HEAD BODY /BODY /HTML (but with the brackets). So it can't be a false positive because something really did happen to the file. I did not want to use "ignore" too much to analyze further because of fear that something might spread and harm the system.
     
  8. PeterM

    PeterM Private E-2

    More info:

    According to Free AVG support the resident shield is responsible for the blocking (and subsequent defacing?) of the detected infected file even if "ignore" is selected. I thought the "pest" was doing it.

    The shield must be deactivated, then the source code of any browser-requested file that the shield would declare "infected" is available as usual and it shows nothing weird (as in Firefox). So it might well be a false positive after all but I would prefer Grisoft proper to say so to be convinced and feel safe. What would be your opinion?
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    AVG is identifying the content of the html file as malicious when you open the file, and destroying the content. Am I understanding this correctly?

    If AVG is destroying your HTML files, or at least some of them, have you analyzed your code in the flagged files for any commonality that would cause AVG to alert on the files and then destroy the content?

    I am fairly confident this is a false positive, and you may need to work through this with AVG, however painful that may be. You have to keep in mind that there is a language barrier when dealing with AVG. English is not their native language.
     
  10. PeterM

    PeterM Private E-2

    According to rdsok of Free AVG support, and extrapolating his short comment:

    when a file requested by a browser arrives in the cache and if AVG resident shield identifies it as malicious, you can choose between "heal" and "ignore" on the alert box. If you choose "heal" the file is moved to the vault and an AVG test will declare the system clean. If you choose "ignore" the file stays where it is (and an AVG test will declare the system infected) BUT it seems that the resident shield nevertheless flags the file and prohibits you from opening it (quoting rdsok: "AVG was what continued to block it even after you selected Ignore") and further destroys it if you insist.

    Now, if you deactivate the resident shield before requesting a file that AVG would consider malicious, then the file can be opened in a browser, its source code is available with a text editor and everything is absolutely normal. The source is exactly as I once wrote it.

    I did not find anything specific in the files that AVG considers malicious (about 240). They are all htm or html files, they all contain javascript and they all have been created on my system. But there are about 20 files, with the same characteristics, that AVG does not consider malicious. I really cannot see what differentiates the "malicious" batch from the non "malicious" one. There is not a single line of code that is repeated exclusively in the "malicious" batch. Some files are old, others are recent, some big, some small, etc.

    I also think more and more that it is a false positive and though I value AVG very much I guess I will have to switch to another AV software until Grisoft solves the problem to make my handling of html files less cumbersome. Which free one would you recommend?
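    The commonality check discussed in the two posts above (lines shared across the flagged batch but absent from the unflagged batch) and the "empty skeleton" test for a file that the resident shield has destroyed can both be scripted rather than done by eye. The following is an added example and is not code from the thread, from AVG or from MajorGeeks; the five sample pages are constructed inline, the shared `document.write` line in them is an invented stand-in for whatever a signature might match, and the skeleton pattern is assumed from the `<html><head></head><body></body></html>` remnant PeterM describes. For real use, read the two batches from disk with `load_dir`.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample batches (not files from the thread): three pages the
# scanner would flag and one it would not. The document.write line is the
# planted commonality the script should find.
FLAGGED = {
    "page1.html": "<html><head>\n<script>document.write(new Date())</script>\n"
                  "</head><body><p>one</p></body></html>\n",
    "page2.htm":  "<html><head>\n<script>document.write(new Date())</script>\n"
                  "</head><body><p>two</p></body></html>\n",
    "page3.html": "<html><head>\n<script>document.write(new Date())</script>\n"
                  "<script>alert('hi')</script>\n"
                  "</head><body><p>three</p></body></html>\n",
}
CLEAN = {
    "ok1.html": "<html><head>\n<script>alert('hi')</script>\n"
                "</head><body><p>ok</p></body></html>\n",
}

# Assumed shape of a file the resident shield has emptied: only the bare
# tag pairs remain, in any case, with any whitespace between them.
SKELETON_RE = re.compile(
    r"^\s*<html>\s*<head>\s*</head>\s*<body>\s*</body>\s*</html>\s*$", re.IGNORECASE)


def is_skeleton(text: str) -> bool:
    """True if the file holds nothing but the empty html/head/body skeleton."""
    return bool(SKELETON_RE.match(text))


def normalized_lines(text: str) -> set[str]:
    """Distinct non-blank lines of a file, stripped, so indentation differences
    do not hide a shared line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def exclusive_lines(flagged: dict, clean: dict, min_files: int = 2) -> dict:
    """Lines that occur in at least `min_files` flagged files and in no clean
    file. Returns {line: number_of_flagged_files_containing_it}."""
    counts = Counter()
    for text in flagged.values():
        counts.update(normalized_lines(text))   # one count per file, not per occurrence
    clean_lines = set().union(*(normalized_lines(t) for t in clean.values()))
    return {line: n for line, n in counts.items()
            if n >= min_files and line not in clean_lines}


def skeleton_files(batch: dict) -> list:
    """Names of files in the batch that have been reduced to the skeleton."""
    return sorted(name for name, text in batch.items() if is_skeleton(text))


def load_dir(directory: str) -> dict:
    """Read every .htm/.html file under a directory into {name: text}."""
    out = {}
    for p in Path(directory).rglob("*"):
        if p.suffix.lower() in (".htm", ".html") and p.is_file():
            out[str(p)] = p.read_text(encoding="latin-1", errors="replace")
    return out


if __name__ == "__main__":
    # Usage with the constructed batches; swap in load_dir("flagged") and
    # load_dir("clean") to run over real directories.
    for line, n in exclusive_lines(FLAGGED, CLEAN).items():
        print(f"{n} flagged files, 0 clean files: {line}")
    print("skeleton files:", skeleton_files(FLAGGED) or "none")
```

    If the script reports no exclusive line at all, as PeterM found by hand, that supports the false-positive reading: nothing in the content separates the two batches, so the detection is keying on something other than a shared snippet. A file that `is_skeleton` reports as emptied should be restored from a backup rather than examined further, since the shield has already discarded its content.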
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Avast Home Edition is another excellent, free, Anti-Virus solution.

    I recommend that you continue working with Grisoft on this issue. AVG may be flagging the JavaScript in the HTML files as malicious.
     
