Trojan.bat.restart.a


9 replies to this topic

#1 johndrew
Members, 30 posts

Posted 21 August 2006 - 05:24 AM

Hello the forum,

I recently downloaded OS 98SE updates for a friend, burned them to a CD and gave them to him. I kept the original files on my HDD in case he needed further copies, as he does not have a burner and only a dial-up connection.

Yesterday I did an online scan with BitDefender which claimed to find trojan.bat.restart.a in file wupg98en-jul.exe (this file being one of the upgrades for 98SE).

I scan my machine regularly (and on the day after the download of the file) with AVG (free), Defender, Ad-Aware, SpyBot S&D and a-squared free. None of these showed a problem. I also ran SysClean with the latest update and that picked up nothing.

Is this likely to be a false positive or could his system be at risk?

Many thanks for any advice in advance.

#2 Enthusiast
Members, 5,898 posts, Florida, USA

Posted 21 August 2006 - 07:35 AM

Did you download this from Microsoft?

If so, the chances of it being malware are very slim.

Run a few of the following online scans using Internet Explorer to make sure:

Trend Micro antivirus and malware scan:
http://housecall-beta.trendmicro.com/en/st...orp.asp?id=scan

Etrust Anti-virus web scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Avast Online scan
http://onlinescan.avast.com/

F Secure online scan
http://support.f-secure.com/ols/start.html

Ewido Online scan
http://www.ewido.net/en/onlinescan/


Trojan scans
Sygate Trojanscan
http://scan.sygatetech.com/pretrojanscan.html


Windows Security Trojanscan
http://windowsecurity.com/trojanscan
See instructions for it here:
http://www.windowsecurity.com/trojanscan/trojanscan.asp

Parasite scan from Aumha:
http://www.aumha.org/a/noads.php
or here:
http://www.aumha.org/win5/a/noads2.htm

#3 johndrew (Topic Starter)
Members, 30 posts

Posted 21 August 2006 - 08:18 AM

Thanks for coming back Enthusiast.

No, I didn't get it from Microsoft.

The source for the download was an article in PC Advisor (October 2006, page 92) which recommended a couple of source sites. I trust the magazine and therefore the recommended sites. I think I used exuberant (I could be wrong); the other site recommended was www.wupg98.co1.at and equally I may have used that.

I use XP Pro SP2 but a friend asked that I download it for him. As I said, he only has a dial-up which is quite slow for larger files. My concern is that I burned the CD and passed it to him before I found the malware. I don't want to do him damage.

I'm pretty certain I have no infection at the moment. As I said, it was the BitDefender online scan that raised the trojan in the OS 98SE upgrade file. It reported it had "deleted the file", presumably meaning the trojan file. It recorded nothing anywhere else.

I didn't mention it before but I also run Kerio firewall, which seems to help, and there is no indication of strange outgoing requests from that.

#4 Enthusiast
Members, 5,898 posts, Florida, USA

Posted 21 August 2006 - 08:26 AM

Well, a couple more scans wouldn't hurt, and you should inform your friend to run a scan on the CD before he installs it, or on his computer if he already has.

I have a suspicion that it is a false positive, but it never hurts to make certain.

#5 johndrew (Topic Starter)
Members, 30 posts

Posted 21 August 2006 - 08:57 AM

Hi again Enthusiast.

I'm rather glad you also support my suspicions. I do my best to ensure my system is clean but....

I shall ensure he scans the CD. I've already sent a message warning of the possibility of malware.

I tried to use Housecall but for some reason it can't do the business. Probably my firewall (Kerio). I'll have another try later.

Are you aware of any files that this trojan may leave behind that could give a clue as to whether it was a true or false indication?

#6 Enthusiast
Members, 5,898 posts, Florida, USA

Posted 21 August 2006 - 10:40 AM

You need to use Internet Explorer with ActiveX enabled for all of those scans to work.

ActiveX settings in IE

In Internet Explorer click on the "Tools" menu
Click on "Internet Options"
Click the "Security" tab
Click "Custom Level"

Under ActiveX Controls and Plugins

Download signed ActiveX controls
Choose "Prompt"

Download unsigned ActiveX controls
Choose "Disable"

Initialize and script ActiveX controls not marked as safe
Disable

Run ActiveX controls and plugins
Enable

Script ActiveX controls marked as safe
Enable

When you are just beginning the scan, look for a yellow bar under the top menu bar that alerts you to allow the ActiveX plugin to be downloaded.

Edited by Enthusiast, 21 August 2006 - 10:42 AM.
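The Custom Level settings in the post above are stored per user in the registry, one DWORD per URL action under the Internet zone key. As an added example (not from the thread or any of its posters), this PowerShell script reads those values and reports which ones are looser than the post recommends; the action IDs and the 0/1/3 meanings are Internet Explorer's documented zone settings, and the hypothetical function name is my own.

```powershell
# Audit the Internet-zone (zone 3) ActiveX settings that back the
# Internet Options > Security > Custom Level dialog.
# Value names are IE URL action IDs; data: 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting name and the value the post recommends for each action ID
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1200' = @{ Name = 'Run ActiveX controls and plug-ins';                         Want = 0 }
    '1405' = @{ Name = 'Script ActiveX controls marked safe for scripting';         Want = 0 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {   # hypothetical name, defined here
    $props = Get-ItemProperty -Path $zone -ErrorAction Stop
    foreach ($id in $recommended.Keys) {
        $current = $props.$id      # $null when absent: the zone template default applies
        $want    = $recommended[$id].Want
        if ($null -eq $current) {
            $currentLabel = 'not set'
            $status       = 'check'
        } else {
            $currentLabel = $label[[int]$current]
            if (-not $currentLabel) { $currentLabel = "value $current" }
            # 0 is the most permissive and 3 the strictest, so a stored value
            # below the recommendation means the setting is looser than advised.
            $status = if ([int]$current -eq $want) { 'ok' }
                      elseif ([int]$current -lt $want) { 'riskier' }
                      else { 'stricter' }
        }
        [PSCustomObject]@{
            Action      = $id
            Setting     = $recommended[$id].Name
            Current     = $currentLabel
            Recommended = $label[$want]
            Status      = $status
        }
    }
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
```

If a policy forces machine-wide zone settings, the same value names live under the matching HKLM key instead of HKCU, and that key is the one to read.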


#7 johndrew (Topic Starter)
Members, 30 posts

Posted 21 August 2006 - 10:57 AM

I use Firefox generally but thought IE was set correctly for these to work. I have run Housecall in the past and of course BitDefender yesterday. I'll check and give it another go.

Thanks for all your help.

#8 johndrew (Topic Starter)
Members, 30 posts

Posted 22 August 2006 - 03:35 AM

System checked (probably more than thoroughly): clean as a whistle. The other scans found nothing, so I can only assume that either the first scan was right when it claimed to find malware in the OS 98SE update file or it was a false positive. To me the latter seems more likely (or is that wishful thinking?).

#9 Albert Frankenstein
Members, 2,707 posts, Female, Michigan, USA

Posted 22 August 2006 - 06:33 AM

I found the following page regarding this particular trojan:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=32880

As many viruses and worms are modifications of earlier versions, it may help you to check the descriptions of similar programs.

Trojan.BAT.Reboot.a (Kaspersky Lab) is also known as:
Bat/rb2 (McAfee),
BAT.Trojan (Symantec),
Troj/Bat-RB2 (Sophos),
Trojan:BAT/Reboot* (RAV),
BAT_REBOOT.A (Trend Micro),
BAT/Reboot@troj (FRISK),
Trojan.BAT.Reboot.A (SOFTWIN),
Trojan Horse (Panda),
BAT/Reboot.A (Eset)


ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#10 johndrew (Topic Starter)
Members, 30 posts

Posted 22 August 2006 - 10:27 AM

Many thanks for that ALBERT FRANKENSTEIN.

Obviously not a false positive then, but equally not well known.

I can't say that I'm sorry to see the back of it. But I would like to know how it passed all my malware scans and was only picked up by an online check by BitDefender. Probably because it was an archive file and my checkers don't go into them.
