Anybody Met Nancy?

Found an unfamiliar jpg file in a folder that I was hunting out some work in. The filename Nancy.jpg caught my eye as it was clearly out of place. After the extension, in the top right of its tile, was a weird-looking “…scr”

I right click scanned with Avast - No threat found.

I did the same with Malwarebytes anti malware and it identified a trojan.

I immediately told Mbam to bin the little weasel.

Referring to the forum instructions here, I realised I had no info so I restored from the mbam quarantine and got the attached screen shots of the original file in the folder and the other information I thought helpful.

I then requarantined the file with mbam.

I am concerned that Avast didn’t detect this, and I couldn’t find any direct reference to this in a forum search. The attachments are screenshots from the above process.

I noticed an improvement in loading speed of Firefox immediately afterwards, it was down to about 1/3 of what it’s been over last couple of months. I have no idea of the source of the file.

I am running a xpc shuttle with intel quad core processor, 4Gb memory, 500Gb hard drive. Windows XPPro MCE, Firefox and Windows, Avast, MBAM etc are all automatically updated. I run Noscript in Firefox, which I use the majority of the time. I am becoming a more regular user of Chrome alongside Firefox. I am involved in online marketing so I receive a hell of a lot of email from sometimes spammy sources. I hope that gives a clear enough picture of the environment in which this file was found.
Ray

Upload the file to www.virustotal.com and test it with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here.

Careful with thread titles, could easily be confused with spam ;D

That was my first thought ;D

Ooops - that’s the trouble with an innocent mind! :)

The URL is

http://www.virustotal.com/file-scan/report.html?id=097892443ce32834cb76485d7bedd376c9ad3047225b8a2e6f5891afa123f1de-1285198526

About 7 of the scanners seemed to be suspicious of it - one of them suggests the file is damaged. I’m off to quarantine it again.

Only 4 of the scanners say anything and the one suggesting it’s damaged makes 3. The 3 are either using heuristic or generic detections, which are more prone to mis-detection.

However, I’m always suspicious of the double file extension (file type) in a file name, as it is frequently used to deceive. So nancy.jpg.scr I would find suspicious without scanning and nancy.jpg…scr with the two periods in there as well would only boost that suspicion; when you also throw a space in before those two periods nancy.jpg …scr, I couldn’t be more suspicious.

So if I wasn’t entirely sure of a) its origin and b) its legitimacy it would have been long gone.
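The naming checks described in the post above (a decoy extension before the real one, extra periods, a space in front of them), written out as an added example that is not part of the original thread. The extension lists, the function name and the reason labels are assumptions chosen for illustration, and the ellipsis character is treated as standing for literal periods.

```python
import re

# Extensions Windows will run, and harmless-looking ones used as the decoy.
# Both sets are illustrative assumptions, not exhaustive lists.
EXECUTABLE = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
DECOY = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "txt", "mp3", "avi"}

# Stem, then a run of periods/whitespace, then the last (real) extension.
TAIL = re.compile(r"^(?P<stem>.*?)(?P<sep>[\s.]+)(?P<ext>[A-Za-z0-9]{1,5})\s*$")
DECOY_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})$")


def assess_filename(name):
    """Return the reasons a file name looks like a disguised executable."""
    # Assumption: an ellipsis character stands in for literal periods.
    name = name.replace("\u2026", "...")
    m = TAIL.match(name)
    if not m or "." not in m["sep"] or m["ext"].lower() not in EXECUTABLE:
        return []  # no extension, or the real extension is not executable
    reasons = []
    decoy = DECOY_EXT.search(m["stem"])
    if decoy and decoy[1].lower() in DECOY:
        reasons.append("double-extension")   # e.g. .jpg hiding .scr
    if m["sep"] != ".":
        reasons.append("padded-separator")   # extra periods and/or spaces
    return reasons


if __name__ == "__main__":
    # Constructed sample names, modelled on the ones quoted in the thread.
    samples = [
        "Nancy.jpg.scr",
        "Nancy.jpg..scr",
        "Nancy.jpg \u2026scr",
        "holiday.jpg",
        "setup.exe",
    ]
    for s in samples:
        print(repr(s), assess_filename(s) or "no naming red flags")
```

An empty result only means the name itself is not deceptive; it says nothing about the file's content.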

VirusTotal - Nancy.jpg …scr - 5/43
http://www.virustotal.com/file-scan/report.html?id=097892443ce32834cb76485d7bedd376c9ad3047225b8a2e6f5891afa123f1de-1285618164

So Avira say clean, McAfee does not detect it anymore, Norman and Panda have added detection and Malwarebytes still detect it as Trojan.Extension.Exploit …

Hi Cosmicray,

This could become an issue as described here: http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99&tabid=2
Worm-like malcode according to here: http://www.prevx.com/filenames/1442705724575168218-X1/DVC2DIMAGEN002.JPEG.SCR.html & http://vil.nai.com/vil/content/v_100982.htm
Also seen as Bugbear worm here: http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=worm_bugbear.d&Vsect=T
Could be a scr file for screen-saver use, or could be this worm with a Mother’s name as “Nancy” is:
http://www.f-secure.com/v-descs/mimail_q.shtml

So I would not be lenient, and flag it,

pol