data folder and virus

telex
Posts: 167
Joined: Wed Apr 02, 2003 4:08 pm
Location: eastgermany

data folder and virus

Post by telex »

Is it possible that I get a virus inside the "data" directory from newspro?

A few days ago I found a backdoor virus inside "data". Is only header information saved there, or body information too?
alex
Posts: 4514
Joined: Thu Feb 27, 2003 5:57 pm

Post by alex »

if these are newspro created files - *.dat, *.npr or newsgroup files - no way, these are not executable files. also newspro doesn't keep decoded attachments there.

as to virus inside attachments you downloaded - if you download an infected executable, yenc format is quite straightforward so the virus signature may remain there unchanged, but the virus cannot be activated until you decode and run the file.
telex
Posts: 167
Joined: Wed Apr 02, 2003 4:08 pm
Location: eastgermany

re

Post by telex »

here is my norton anti virus log:( I only download movie files as *.cue and *.bin..

Date: 10.02.2004, Time: 17:47:02,
The compressed file Christina_Aguilera.scr within C:\Dokumente und Einstellungen\******\Eigene Dateien\Data\4276031.npr is infected with the Backdoor.SDBot.Gen virus.
The file was quarantined.
alex
Posts: 4514
Joined: Thu Feb 27, 2003 5:57 pm

Post by alex »

virus cannot be inside a movie file, probably the signature of the virus (the sequence of bytes which antivirus tries to match to determine whether there is a virus) is present within the movie data, basically movie files are compressed - that means nearly random data.

better not allow antivirus to mess with .npr files, these are just article sources (unless it understands usenet encodings which is unlikely); the same even stronger applies to .dat files since they are constantly changing and meaningless checking them all the time may affect performance.
telex
Posts: 167
Joined: Wed Apr 02, 2003 4:08 pm
Location: eastgermany

Post by telex »

I only can say what I saw.

I discovered the backdoor because of a lot of notifications from my firewall. Then I ran a virus scan and found the backdoor.

After or before I quarantined the file --- newspro has made a reset.
All newsgroups were empty.
slotboxed
Posts: 57
Joined: Sun Nov 09, 2003 3:49 am

Post by slotboxed »

there is no rule in usenet that says a filename has to match a subject line or vice versa. you may have thought you were only downloading a movie, but one of the pieces could very well have been a virus.
MikeStammer
Posts: 75
Joined: Sun May 18, 2003 11:55 pm

Post by MikeStammer »

scr files are executable since they are screen savers typically. Since they are small they were most likely in one .npr file and when it was accessed norton scanned it and saw the scr file. you will get these if you blindly download from Usenet. NewsPro didn't do anything wrong!! :D
Mike Stammer
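Added example, not part of the thread and not NewsPro's code: a small Python check that reads one raw article, decodes each yEnc part, and reports the filename declared on the `=ybegin` line next to the subject, flagging runnable extensions such as `.scr` and a leading `MZ` executable header. It assumes a stored article file holds the raw article text with its yEnc lines intact; the function names, the extension list and the sample article are constructed for illustration.

```python
import re

# Extensions Windows runs directly; .scr screen savers are ordinary executables.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def yencode(data):
    """yEnc-encode bytes (used here only to build the constructed sample)."""
    out = bytearray()
    for b in data:
        e = (b + 42) % 256
        if e in (0x00, 0x0A, 0x0D, 0x3D):      # NUL, LF, CR, '=' must be escaped
            out += bytes([0x3D, (e + 64) % 256])
        else:
            out.append(e)
    return bytes(out)

def ydecode(lines):
    """Reverse yEnc: subtract 42 from each byte; '=' marks an escaped byte (+64)."""
    out = bytearray()
    for line in lines:
        it = iter(line)
        for b in it:
            if b == 0x3D:                      # escaped byte follows
                b = (next(it, 0x3D + 64) - 64) % 256
            out.append((b - 42) % 256)
    return bytes(out)

def scan_article(raw):
    """Return (subject, findings) with one finding per yEnc part in a raw article."""
    subject, findings, name, body = "", [], None, []
    for line in raw.splitlines():
        if name is None:
            if line.lower().startswith(b"subject:") and not subject:
                subject = line[8:].strip().decode("latin-1")
            elif line.startswith(b"=ybegin "):
                m = re.search(rb" name=(.*)$", line)
                name, body = (m.group(1).decode("latin-1").strip() if m else "?"), []
        elif line.startswith(b"=yend"):
            ext = name[name.rfind("."):].lower() if "." in name else ""
            findings.append({"name": name, "risky_ext": ext in RISKY_EXT,
                             "pe_header": ydecode(body)[:2] == b"MZ"})
            name = None
        elif not line.startswith(b"=ypart "):
            body.append(line)
    return subject, findings

# Constructed sample: harmless bytes that merely begin with the "MZ" magic.
PAYLOAD = b"MZ" + bytes([19, 214, 224, 227]) + b" constructed, harmless bytes"
SAMPLE = (b"Subject: some.movie.bin (1/1)\r\n\r\n"
          b"=ybegin line=128 size=%d name=holiday.scr\r\n" % len(PAYLOAD)
          + yencode(PAYLOAD) + b"\r\n=yend size=%d\r\n" % len(PAYLOAD))
```

Calling `scan_article(SAMPLE)` returns the movie-style subject together with a finding for `holiday.scr`, which is the subject/filename mismatch described in the posts above.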