Windows 2000 Autorun.inf virus


Sid Elbow

My virus Scanner AVG has just reported a virus in a file that's been
sitting in a backup directory on my system for just about a year without
being previously flagged (I guess yesterday's update got it).

What surprised me was that the file reported is an application's
autorun.inf which is a text file. When I opened the file in wordpad I
saw this

[AutoRun]
open=RavMon.exe
shell\open=´ò¿ª(&O)
shell\open\Command=RavMon.exe
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command="RavMon.exe -e"

(I hope the strange characters in the 3rd and 5th lines show up).

Is it possible that this could act as a virus/malware?
 
This should explain it.

http://vil.nai.com/vil/content/v_139985.htm


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Sid Elbow" wrote:
> My virus Scanner AVG has just reported a virus in a file that's been
> sitting in a backup directory on my system for just about a year without
> being previously flagged (I guess yesterday's update got it).
>
> What surprised me was that the file reported is an application's
> autorun.inf which is a text file. When I opened the file in wordpad I saw
> this
>
> [AutoRun]
> open=RavMon.exe
> shell\open=´ò¿ª(&O)
> shell\open\Command=RavMon.exe
> shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
> shell\explore\Command="RavMon.exe -e"
>
> (I hope the strange characters in the 3rd and 5th lines show up).
>
> Is it possible that this could act as a virus/malware?
 
From: "Sid Elbow" <here@there.com>

| My virus Scanner AVG has just reported a virus in a file that's been
| sitting in a backup directory on my system for just about a year without
| being previously flagged (I guess yesterday's update got it).
|
| What surprised me was that the file reported is an application's
| autorun.inf which is a text file. When I opened the file in wordpad I
| saw this
|
| [AutoRun]
| open=RavMon.exe
| shell\open=´ò¿ª(&O)
| shell\open\Command=RavMon.exe
| shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
| shell\explore\Command="RavMon.exe -e"
|
| (I hope the strange characters in the 3rd and 5th lines show up).
|
| Is it possible that this could act as a virus/malware?

Yes it is possible it is a Trojan but not a virus.

Is there a RavMon.exe on the PC ?

If yes...
Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
David H. Lipman wrote:
> From: "Sid Elbow" <here@there.com>
>
> | My virus Scanner AVG has just reported a virus in a file that's been
> | sitting in a backup directory on my system for just about a year without
> | being previously flagged (I guess yesterday's update got it).
> |
> | What surprised me was that the file reported is an application's
> | autorun.inf which is a text file. When I opened the file in wordpad I
> | saw this
> |
> | [AutoRun]
> | open=RavMon.exe
> | shell\open=´ò¿ª(&O)
> | shell\open\Command=RavMon.exe
> | shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
> | shell\explore\Command="RavMon.exe -e"
> |
> | (I hope the strange characters in the 3rd and 5th lines show up).
> |
> | Is it possible that this could act as a virus/malware?
>
> Yes it is possible it is a Trojan but not a virus.
>
> Is there a RavMon.exe on the PC ?


No ... however the file is part of a bug-fix that I was sent by the
tech-support for a Far East MP3/MP4 Player about a year ago. It did
scan for a virus or trojan some time ago that was removed which may well
have been the Ravmon file.

Thanks, Dave.

In today's case, it was only the autorun.inf that was flagged which
surprised me. I guess AVG just updated their detection for this malware
to include the autorun.inf and it's now showing up.
 
From: "Sid Elbow" <here@there.com>


|
| No ... however the file is part of a bug-fix that I was sent by the
| tech-support for a Far East MP3/MP4 Player about a year ago. It did
| scan for a virus or trojan some time ago that was removed which may well
| have been the Ravmon file.
|
| Thanks, Dave.
|
| In today's case, it was only the autorun.inf that was flagged which
| surprised me. I guess AVG just updated their detection for this malware
| to include the autorun.inf and it's now showing up.

The INF must be a remnant then and the recent signature update must be generic based upon
recent increases in trojans deliberately being installed via the AutoRun capability of
removable media. While the INF file isn't malicious in itself, it is a component of the
Trojan's infection vector.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
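
The point made in the last reply, that the INF is not malicious in itself but names the program AutoRun would start, can be checked mechanically. The following is an added example, not part of the original thread: it parses the entries Sid quoted, lists the programs they would launch, decodes the menu labels (assuming the "strange characters" are GBK text displayed as Latin-1), and reports whether each target is actually on the volume. `parse_autorun`, `triage` and the file lists passed to them are names and values made up for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the entries quoted in the thread, turned back into bytes
# (assumption: the "strange characters" are GBK bytes displayed as Latin-1).
SAMPLE = "\r\n".join([
    "[AutoRun]",
    "open=RavMon.exe",
    "shell\\open=´ò¿ª(&O)",
    "shell\\open\\Command=RavMon.exe",
    "shell\\explore=×ÊÔ´¹ÜÀíÆ÷(&X)",
    'shell\\explore\\Command="RavMon.exe -e"',
]).encode("latin-1")

# Keys that start a program, and keys that only set a context-menu label.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)", re.I)
LABEL_KEY = re.compile(r"shell\\[^\\]+", re.I)

def parse_autorun(raw, label_encoding="gbk"):
    """Return (launch entries, menu labels) from the [AutoRun] section."""
    launch, labels, in_section = [], {}, False
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith(b"["):
            in_section = line.lower() == b"[autorun]"
        elif in_section and b"=" in line and not line.startswith(b";"):
            key, value = (part.strip() for part in line.split(b"=", 1))
            key = key.decode("ascii", "replace").lower()
            if LAUNCH_KEY.fullmatch(key):
                cmd = value.decode("latin-1").strip('"')
                # Simplification: first token is the program (no spaces in path).
                target = PureWindowsPath(cmd.split()[0]).name if cmd.split() else ""
                launch.append((key, cmd, target))
            elif LABEL_KEY.fullmatch(key):
                labels[key] = value.decode(label_encoding, "replace")
    return launch, labels

def triage(raw, files_on_volume):
    """Classify each launch target as present or missing on the volume."""
    present = {name.lower() for name in files_on_volume}
    launch, _ = parse_autorun(raw)
    return {key: (target, "present" if target.lower() in present else "missing")
            for key, _, target in launch}

if __name__ == "__main__":
    print(parse_autorun(SAMPLE)[1])           # decoded menu labels
    print(triage(SAMPLE, ["autorun.inf"]))    # RavMon.exe already removed
```

A "missing" result for every entry corresponds to the leftover INF described in the thread; a "present" result means the referenced executable is the file to submit for scanning.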
 