Re: Is this a virus?


| The file was called ultradvdchcker02.ver, is it a virus and if so why?
| Remaining text is the 'virus',
| reported by AVG:-
|

< snip >

No, not a virus.  AVG simply calls this 'Exploit' with no explanation.
http://www.virustotal.com/analisis/345b500ba8ce2df96319a1134c6d1fb0

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is this a virus?

"David H. Lipman" wrote:



Perhaps it's alerting on the script at the foot of the page which
looks a bit like an MDAC exploit but isn't. It does an HTTP GET request
for something named like a GUID with '.ippi' and a query string
containing the same GUID appended, returning 0 bytes.

The GUID appears to be random, is present on all the linked pages I
checked, and changes on every visit. The site (dvd-player-software.com)
contains nothing useful and is just an exercise in sponsored
link-clicking. It's also fussy about what software fetches the pages. I had
to spoof a browser user-agent header to get anything.



Re: Is this a virus?



|
| Perhaps it's alerting on the script at the foot of the page which
| looks a bit like an MDAC exploit but isn't. It does an HTTP GET request
| for something named like a GUID with '.ippi' and a query string
| containing the same GUID appended, returning 0 bytes.
|
| The GUID appears to be random, is present on all the linked pages I
| checked, and changes on every visit. The site (dvd-player-software.com)
| contains nothing useful and is just an exercise in sponsored
| link-clicking. It's also fussy about what software fetches the pages. I had
| to spoof a browser user-agent header to get anything.
|

You mean..

function createXMLHttpRequest() {
  // Try the two legacy IE ActiveX XMLHTTP objects first, then the
  // standard XMLHttpRequest; each attempt is swallowed if unsupported.
  try { return new ActiveXObject('Msxml2.XMLHTTP'); } catch(e) {}
  try { return new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) {}
  try { return new XMLHttpRequest(); } catch(e) {}
  return null;  // no usable transport in this browser
}

I thought that this was what was being flagged.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Is this a virus?

"David H. Lipman" wrote:



Yes. The thing is, there's nothing wrong with doing that in a browser
to find which is implemented and then calling 'open' and 'send' (which
the other function does) on those objects. Operations that should
raise suspicions are the subsequent calls of methods like 'SaveToFile'
and 'ShellExecute', which are absent here.
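
As an added example (not code from the thread), the distinction made in this reply written as a small static triage function: it counts the ordinary XMLHTTP/open/send indicators separately from follow-on calls such as SaveToFile and ShellExecute, and only the latter yield a 'suspicious' verdict. The pattern list and both sample scripts are constructed here; placeholder paths stand in for anything page-specific.

```javascript
// Constructed triage heuristic (added example). Creating an XMLHTTP object and
// calling open/send is normal browser code; the score rises only on the
// drop-and-run calls the reply names (SaveToFile, ShellExecute) and the
// ActiveX objects that host them.
const BENIGN_XHR = [
  /new\s+ActiveXObject\(\s*['"](?:Msxml2|Microsoft)\.XMLHTTP['"]\s*\)/i,
  /new\s+XMLHttpRequest\s*\(/i,
  /\.open\s*\(\s*['"]GET['"]/i,
  /\.send\s*\(/i,
];
const DROP_AND_RUN = [
  { name: 'ADODB.Stream',      re: /ActiveXObject\(\s*['"]ADODB\.Stream['"]/i },
  { name: 'SaveToFile',        re: /\.SaveToFile\s*\(/i },
  { name: 'Shell.Application', re: /ActiveXObject\(\s*['"]Shell\.Application['"]/i },
  { name: 'ShellExecute',      re: /\.ShellExecute\s*\(/i },
];

// Returns a verdict plus the evidence behind it, so an analyst can see why.
function triageScript(src) {
  const xhrIndicators = BENIGN_XHR.filter(re => re.test(src)).length;
  const suspiciousCalls = DROP_AND_RUN.filter(p => p.re.test(src)).map(p => p.name);
  let verdict = 'no-xhr';
  if (suspiciousCalls.length > 0) verdict = 'suspicious';
  else if (xhrIndicators > 0) verdict = 'benign-xhr';
  return { verdict, xhrIndicators, suspiciousCalls };
}

// Constructed sample 1: the beacon described in the thread (GET for a
// GUID-named '.ippi' resource with the GUID repeated in the query string).
const BEACON_SCRIPT = `
function createXMLHttpRequest() {
  try { return new ActiveXObject('Msxml2.XMLHTTP'); } catch(e) {}
  try { return new ActiveXObject('Microsoft.XMLHTTP'); } catch(e) {}
  try { return new XMLHttpRequest(); } catch(e) {}
  return null;
}
var x = createXMLHttpRequest();
x.open('GET', '/PLACEHOLDER-GUID.ippi?PLACEHOLDER-GUID', true);
x.send(null);
`;

// Constructed sample 2: the same fetch followed by the calls that should
// raise suspicion (placeholder path, not a working chain).
const DROPPER_SCRIPT = BEACON_SCRIPT + `
var s = new ActiveXObject('ADODB.Stream');
s.SaveToFile('PLACEHOLDER_PATH', 2);
new ActiveXObject('Shell.Application').ShellExecute('PLACEHOLDER_PATH');
`;
```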


