
Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code


Recommended Posts

Guest Ulf.Kriemeyer@yahoo.de
Posted

During yesterday’s scan, Avira Free Antivir moved 5 .CAB files to the quarantine area because they were suspected to contain malicious code (‘HEUR/HTML.Malware’).

Unfortunately, each of the 5 files takes up approx. 46 MB (zipped: 45 MB), so I am unable to upload/send them to Avira for further investigation.

The name of the 5 files is always the same: ‘vs_setup.cab’. As one of these was located somewhere in the ‘Visual Basic 2008 Express Edition’ folder (I have been using Visual Express for nearly a year now and the .CAB file had never been detected before) and 3 others in a backup folder ‘Windows.old’, I wondered whether it might be a false alarm. However, the fifth file moved to the quarantine area was located in ‘AppData\Local\Temp\’.

In order to prevent any infection of my computer, I would like to erase the suspected .CAB files from the ‘Temp’ as well as the ‘Windows.old’ folders. But I am not 100% sure whether this might affect proper functionality.

Concerning the file from the ‘Visual Basic’ folder, I would prefer to use VB for a couple of weeks to find out whether the .CAB file might be essential for VB to work properly. If not, I would delete this file then, too.

Do you think this is a good approach, or is there a better solution? Any kind of advice is welcome!

 

Thank you in advance

Ulf
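A first check for the situation described in the post above, as an added example that is not part of the original thread and not Avira's or the poster's code: when a scanner quarantines a large installer cabinet, you can usually decide how plausible the alarm is without uploading 46 MB anywhere. Reading the cabinet directory shows what the .cab actually contains, a SHA-256 over each of the five copies shows whether the one in Temp is simply another copy of the same installer media, and the header tells you whether the cabinet carries the reserve area in which Authenticode-signed cabinets keep their signature pointer (presence is only a hint; verify the signature itself with signtool or Get-AuthenticodeSignature). The Python below walks the CFHEADER/CFFOLDER/CFFILE structures and lists the entries; CFDATA blocks are not decompressed. The `build_sample_cab` helper and the entries it packs are constructed test data, not the poster's vs_setup.cab.

```python
"""Cabinet (.cab) directory walker: list what a quarantined cabinet holds
without extracting it. Added example for this thread, not Avira's or the
poster's code. Parses CFHEADER/CFFOLDER/CFFILE only; CFDATA is not decoded."""
import hashlib
import os
import struct
import sys
from typing import Dict, List, Tuple

CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004      # header reserve; signed cabinets keep the
                                    # Authenticode pointer structure here
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys"}
SCRIPT_HTML_EXTS = {".vbs", ".js", ".hta", ".htm", ".html", ".bat", ".cmd", ".wsf"}
HEADER_FMT = "<4sIIIIIBBHHHHH"      # fixed CFHEADER, 36 bytes, little-endian


def _cstring(data: bytes, pos: int) -> Tuple[str, int]:
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1"), end + 1


def parse_cab(data: bytes) -> Dict:
    """Return the cabinet directory as a dict; raises ValueError if not a CAB."""
    if data[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = struct.unpack_from(HEADER_FMT, data, 0)
    pos, cb_cffolder, reserve = struct.calcsize(HEADER_FMT), 0, b""
    if flags & CFHDR_RESERVE_PRESENT:
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4
        reserve, pos = data[pos:pos + cb_cfheader], pos + cb_cfheader
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):   # skip szCabinet*/szDisk*
        if flags & flag:
            _, pos = _cstring(data, pos)
            _, pos = _cstring(data, pos)
    folders = []
    for _ in range(c_folders):
        data_off, n_blocks, type_compress = struct.unpack_from("<IHH", data, pos)
        pos += 8 + cb_cffolder
        folders.append({"data_offset": data_off, "blocks": n_blocks,
                        "compression": COMPRESSION.get(type_compress & 0xF, f"unknown({type_compress})")})
    pos, files = coff_files, []
    for _ in range(c_files):
        size, _uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        name, pos = _cstring(data, pos + 16)
        files.append({"name": name, "size": size, "folder": i_folder, "attribs": attribs})
    return {"sha256": hashlib.sha256(data).hexdigest(), "version": f"{ver_major}.{ver_minor}",
            "set_id": set_id, "index": i_cabinet, "declared_size": cb_cabinet,
            "size_matches": cb_cabinet == len(data), "has_reserve": bool(flags & CFHDR_RESERVE_PRESENT),
            "reserve_bytes": len(reserve), "folders": folders, "files": files}


def suspicious_entries(info: Dict) -> List[str]:
    """Entries worth a second look: executables, scripts/HTML, traversal names."""
    out = []
    for f in info["files"]:
        ext = os.path.splitext(f["name"].lower())[1]
        if ext in EXECUTABLE_EXTS:
            out.append(f"{f['name']}: executable, {f['size']} bytes")
        elif ext in SCRIPT_HTML_EXTS:
            out.append(f"{f['name']}: script/HTML content")
        if ".." in f["name"] or f["name"].startswith(("\\", "/")):
            out.append(f"{f['name']}: path traversal in entry name")
    return out


def build_sample_cab(entries: List[Tuple[str, bytes]], reserve: bytes = b"") -> bytes:
    """Constructed test data: a one-folder, uncompressed cabinet built in memory."""
    flags = CFHDR_RESERVE_PRESENT if reserve else 0
    header_len = struct.calcsize(HEADER_FMT) + (4 + len(reserve) if reserve else 0)
    files_off = header_len + 8                      # one CFFOLDER of 8 bytes
    cffile, payload = b"", b""
    for name, content in entries:
        cffile += struct.pack("<IIHHHH", len(content), len(payload), 0, 0x3A21, 0, 0x20)
        cffile += name.encode("latin-1") + b"\x00"
        payload += content
    data_off = files_off + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # csum 0 = none
    total = data_off + len(cfdata)
    header = struct.pack(HEADER_FMT, b"MSCF", 0, total, 0, files_off, 0, 3, 1,
                         1, len(entries), flags, 0x1234, 0)
    if reserve:
        header += struct.pack("<HBB", len(reserve), 0, 0) + reserve
    return header + struct.pack("<IHH", data_off, 1, 0) + cffile + cfdata


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cab(
        [("setup.exe", b"MZ" + b"\x00" * 62), ("readme.htm", b"<html>demo</html>")])
    info = parse_cab(raw)
    print(f"sha256={info['sha256']} set={info['set_id']:#06x}/{info['index']} "
          f"size_ok={info['size_matches']} reserve={info['reserve_bytes']}B")
    for f in info["files"]:
        comp = (info["folders"][f["folder"]]["compression"]
                if f["folder"] < len(info["folders"]) else "continued")
        print(f"  {f['size']:>10}  {f['name']}  ({comp})")
    for line in suspicious_entries(info):
        print("  !", line)
```

Run it with the restored quarantined file as the argument (copy it to a scratch directory rather than double-clicking it); with no argument it parses the constructed sample. If all five vs_setup.cab copies report the same sha256 and set_id, the Temp copy is the same installer media as the one in the Visual Basic folder, which is what an installer's own cache would look like.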

Guest FromTheRafters
Posted

Any kind of advice?

Okay, go into the AV's configuration and set it to use the file extensions list instead of the "smart" one that even bothers to scan cabinet files.

Maybe you can find an AntiVir forum somewhere that can give you a custom list of extensions that are worthy of being scanned.

 


Guest David H. Lipman
Posted

From: "FromTheRafters" <erratic@nomail.afraid.org>

| Any kind of advice?

| Okay, go into the AV's configuration and set it to use the file
| extensions list instead of the "smart" one that even bothers to scan
| cabinet files.

| Maybe you can find an AntiVir forum somewhere that can give you a custom
| list of extensions that are worthy of being scanned.

CAB files are indeed worthy of being scanned!

Often malware will come in a .CAB (cabinet file); others may use a different extension such as DAT and use the EXPAND command to extract the executable from the CAB file.

Others come in the form of self-extracting cabinet files.

Example:

The file: AntiVirusInstaller.exe

Downloaded

C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\AV1[2].CAB

Saved as...

C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab

Then ran the command...

cmd.exe /C expand "C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab" "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"

Then ran the command...

"C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe" autostart

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
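The detection side of the sequence Dave describes, as an added example that is not part of his post and not any vendor's code: the tell-tale is not the .cab itself but EXPAND being used to write an executable into a user-writable directory (or being fed a source that is not a cabinet by extension, such as the renamed .DAT variant), followed by execution of the file it just wrote. The Python below takes process-creation events (timestamp, image path, command line, as an EDR or Sysmon feed would supply them) and correlates the two steps. The field names and the events in `SAMPLE_EVENTS` are constructed to mirror the AV1 sequence in the post, with a benign driver-install EXPAND added to show what is not flagged.

```python
"""Detection logic for the cabinet dropper pattern: a .cab (or a renamed
one) is unpacked with EXPAND into a user-writable directory and the
extracted executable is then launched. Added example for this thread, not
the poster's or any vendor's code. Input is a list of process-creation
events; the events at the bottom are constructed sample data."""
import re
from typing import Dict, List

# Directories an unprivileged user or a drive-by download can write to.
USER_WRITABLE = ("\\application data\\", "\\programdata\\", "\\temp\\",
                 "\\temporary internet files\\", "\\appdata\\", "\\users\\public\\")
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def expand_reasons(src: str, dst: str) -> List[str]:
    """Why an EXPAND invocation looks like a dropper rather than an installer."""
    reasons, s = [], src.lower()
    # Legitimate sources are .cab or the single-file "name.ex_" convention.
    if not (s.endswith(".cab") or s.endswith("_")):
        reasons.append(f"source {src} is not a cabinet by extension")
    if "\\temporary internet files\\" in s:
        reasons.append("source came straight from the browser cache")
    if dst.lower().endswith(EXEC_EXTS) and is_user_writable(dst):
        reasons.append(f"executable written to user-writable path {dst}")
    return reasons


def analyze(events: List[Dict]) -> List[Dict]:
    """Correlate suspicious EXPAND drops with later execution of the dropped file."""
    alerts, dropped = [], {}          # dropped: lowercased dest path -> event index
    for i, ev in enumerate(events):
        args = split_args(ev["cmdline"])
        low = [a.lower() for a in args]
        if len(low) > 2 and low[0].endswith("cmd.exe") and low[1] in ("/c", "/k"):
            args, low = args[2:], low[2:]          # unwrap "cmd.exe /C ..."
        if low and low[0].rsplit("\\", 1)[-1] in ("expand", "expand.exe"):
            positional = [a for a in args[1:] if not a.startswith(("-", "/"))]
            if len(positional) >= 2:              # expand [switches] source [dest]
                src, dst = positional[0], positional[-1]
                reasons = expand_reasons(src, dst)
                if reasons:
                    dropped[dst.lower()] = i
                    alerts.append({"event": i, "kind": "expand-drop", "reasons": reasons})
        else:
            image = ev["image"].lower()
            launched = image if image in dropped else (low[0] if low and low[0] in dropped else None)
            if launched is not None:
                alerts.append({"event": i, "kind": "dropped-exec", "dropped_by": dropped[launched],
                               "reasons": [f"{ev['image']} {' '.join(args[1:])} was written by EXPAND"]})
    return alerts


# Constructed events mirroring the AV1 sequence in the post, plus a benign
# driver-install EXPAND (not flagged) and a renamed-.dat variant (flagged).
APPDATA_AV1 = "C:\\Documents and Settings\\All Users\\Application Data\\AV1"
USER_TEMP = "C:\\Documents and Settings\\user\\Local Settings\\Temp"
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "image": "C:\\WINDOWS\\system32\\cmd.exe",
     "cmdline": f'cmd.exe /C expand "{APPDATA_AV1}\\AV1.cab" "{APPDATA_AV1}\\AV1.exe"'},
    {"ts": "10:00:02", "image": f"{APPDATA_AV1}\\AV1.exe",
     "cmdline": f'"{APPDATA_AV1}\\AV1.exe" autostart'},
    {"ts": "10:05:00", "image": "C:\\WINDOWS\\system32\\expand.exe",
     "cmdline": "expand C:\\drivers\\nv4_disp.dl_ C:\\WINDOWS\\system32\\nv4_disp.dll"},
    {"ts": "10:07:30", "image": "C:\\WINDOWS\\system32\\expand.exe",
     "cmdline": f'expand "{USER_TEMP}\\upd.dat" "{USER_TEMP}\\svc.exe"'},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['kind']}] event {a['event']}: " + "; ".join(a["reasons"]))
```

The benign driver case passes because a `.dl_` source is the normal single-file compression convention and system32 is not user-writable; the renamed `.dat` case is flagged on both the source extension and the destination. This is also the answer to "shouldn't the on-access scanner catch it at extraction": it should, but the correlation above still fires when the dropped file is new enough that no signature exists yet.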

Guest FromTheRafters
Posted

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u5eCLQHlJHA.4344@TK2MSFTNGP04.phx.gbl...

> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> | Any kind of advice?
>
> | Okay, go into the AV's configuration and set it to use the file
> | extensions list instead of the "smart" one that even bothers to scan
> | cabinet files.
>
> | Maybe you can find an AntiVir forum somewhere that can give you a
> custom
> | list of extensions that are worthy of being scanned.
>
> CAB files are indeed worthy of being scanned !
> Often malware will come in a .CAB (cabinet files) others may use a
> different extension
> such as DAT and use the EXPAND command to extract the executable from
> the CAB file.

Shouldn't the 'on access' scanner catch them when they are extracted? Or is this all done inside a process like the extraction from Java jars? If e-mail scanning is over-the-top redundant, isn't scanning within containers also?

> Others come in the form of self extracting cabinet files.
>
> Example:
> The file; AntiVirusInstaller.exe

Yeah, but that's an exe - and we know exes should be scanned.

> Downloaded
>
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\BNPHK11H\AV1[2].CAB
> Saved as...
> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab
>
> Then ran the command...
> cmd.exe /C expand "C:\Documents and Settings\All Users\Application
> Data\AV1\AV1.cab"
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
> Then ran the command...
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
> autostart

Years ago I suggested that all files should be scanned because malware could take the form of text in a text file. While the text file itself wouldn't be dangerous, I suggested that known malware could be encoded within, and a command or a program could decode and execute the malware. I was told by several experts that it would be the program or the command that would need to be detected - not the text file, as the text file in question only contains the malware - and there exists a prerequisite malware to remove it from its container and execute it - why is this so different?

I can understand content in an archive being a threat if the extracted malware doesn't get written to a file (thus avoiding a scan) before being executed, like, if I understand it correctly, Java does or did. I'm sure I'm not telling you anything new, but the fact that I can write a script to send a text file to debug and execute it does not mean that .txt should be on a list of extensions to scan - it is the script that should be detected as malware.

If I'm wrong in this, then it brings me around full circle to what I was proposing ten years ago.

Guest David H. Lipman
Posted

From: "FromTheRafters" <erratic@nomail.afraid.org>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:u5eCLQHlJHA.4344@TK2MSFTNGP04.phx.gbl...
>> From: "FromTheRafters" <erratic@nomail.afraid.org>

>> | Any kind of advice?

>> | Okay, go into the AV's configuration and set it to use the file
>> | extensions list instead of the "smart" one that even bothers to scan
>> | cabinet files.

>> | Maybe you can find an AntiVir forum somewhere that can give you a
>> custom
>> | list of extensions that are worthy of being scanned.

>> CAB files are indeed worthy of being scanned !
>> Often malware will come in a .CAB (cabinet files) others may use a
>> different extension
>> such as DAT and use the EXPAND command to extract the executable from
>> the CAB file.

| Shouldn't the 'on access' scanner catch them when they are extracted? Or
| is this all done inside a process like the extraction from java jars? If
| e-mail scanning is over the top redundant, isn't scanning within
| containers also?

>> Others come in the form of self extracting cabinet files.

>> Example:
>> The file; AntiVirusInstaller.exe

| Yeah, but that's an exe - and we know exes should be scanned.

>> Downloaded

>> C:\Documents and Settings\user\Local Settings\Temporary Internet
>> Files\Content.IE5\BNPHK11H\AV1[2].CAB
>> Saved as...
>> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab

>> Then ran the command...
>> cmd.exe /C expand "C:\Documents and Settings\All Users\Application
>> Data\AV1\AV1.cab"
>> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
>> Then ran the command...
>> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
>> autostart

| Years ago I suggested that all files should be scanned because malware
| could take the form of text in a text file. While the text file itself
| wouldn't be dangerous, I suggested that known malware could be encoded
| within, and a command or a program could decode and execute the malware.
| I was told by several experts that it would be the program or the
| command that would need to be detected - not the text file as the text
| file in question only contains the malware - and there exists a
| prerequisite malware to remove it from its container and execute it -
| why is this so different?

| I can understand content in an archive being a threat, if the extracted
| malware doesn't get written to a file (thus avoiding a scan) before
| being executed like, if I understand it correctly, Java does or did. I'm
| sure I'm not telling you anything new, but the fact that I can write a
| script to send a text file to debug and execute it does not mean that
| .txt should be on a list of extensions to scan - it is the script that
| should be detected as malware.

| If I'm wrong in this, then it brings me around full circle to what I was
| proposing ten years ago.

I'll just leave this as a simple response.

 

Scanning Archive file types should be enabled.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Avira Antivir is one of the AV products that gives a very high detection rate. The downside is that there are lots of false positives every now and then.

I'm an Antivir user (free version). Occasionally, I do get false (HEURistic) warnings when manually scanning my HD, which I manually respond to with "Ignore". What's interesting is that after a couple more virus definition updates, the (false) warnings disappear on their own.

 

 

