
Dropper.Gen (trojan) downloaded from this Forum


JRF


Not sure if this is normal, so understand this post as an alert to the Mod.

I usually track this Suggestion Forum, and got an email about a new topic:

the email body (and the topic, of course) contains a link that downloads LnKnZOte.rar.part,

blocked by Avira (9.0.0.407/eng.8.2.1.3/vir3=7.1.5.149) as a TR/Dropper.Gen (Trojan).

This is the copy of the email, DO NOT ACTIVATE THE LINK (HTTP://....=6166) BELOW:

----- Original Message -----

From: "Malwarebytes Forum" <no-reply@malwarebytes.org>

Date: Mon, 24 Aug 2009 12:21:47 +0000

Subject: Forum Subscription New Topic Notification ( Malwarebytes Forum )

JRF, sony_georgiev has just posted a new topic entitled "Suggestion" in forum "Comments and Suggestions".

----------------------------------------------------------------------

Now with manual scan of archived RAR file I see that, MB scan 1 file only.

In archive are 9 files... + settings of deep level scan up to 10 levels.

And please add

forums/index.php?act=attach&type=post&id=6166

to signature update.

----------------------------------------------------------------------

The topic can be found here:

http://www.malwarebytes.org/forums/index.php?showtopic=22469


Hello, the link is an attachment for database update and detections.

The user should have compressed it with a password, so it wouldn't be detected. Ignore or deny access. A moderator will take care of this.


To JRF -

Did your normal antivirus inform you as you opened the link, or was it too late?? -

Avira tends to notify me as I open anything like this and quarantines it prior to letting it in -

I have been hit by a few on Yahoo (it can be bad) but I seem to get by - Even though I run a MBAM scan all I find is the quarantined item in Avira -


To noknojon -

Thanks for your interest.

As I said, Avira blocked the file, asked me for an action, and I chose to delete it.

Details:

I get all my emails via POP Peeper 3.5, which I usually run with Message Viewing = Rich Text (i.e. links are shown, but no HTML is executed without consent, so my computer is hardly going to be infected by any email content).

Clicking the link (which I carelessly understood from the text as an article), the download was in fact done by my default browser (Firefox 3.5.2) to a temp area, then Firefox presented the usual popup asking if the file should be opened|saved|canceled.

That was when Avira blocked all the operation, including the Firefox popup buttons.

.....................

Yes, I usually update/quick-run MBAM daily, but normally keep Avira's Quarantine empty.


Archived

This topic is now archived and is closed to further replies.
