Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

Windows Security


  #1  
Old 21-02-2009
Ulf.Kriemeyer@yahoo.de
 
Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

During yesterday’s search run Avira Free Antivir moved 5 *.CAB
files to the quarantine area because they were suspected to contain
malicious code (‘HEUR/HTML.Malware’).
Unfortunately, each of the 5 files consumes approx. 46 MB (zipped: 45
MB) of space, so I am unable to upload/send them to Avira for
further investigation.
The name of the 5 files is always the same: ‘vs_setup.cab’. As one of
these was located somewhere in the ‘Visual Basic 2008 Express
Edition’ folder (I have been using Visual Express for nearly a year
now and the *.CAB file had never been detected before) and 3 others in
a backup folder ‘Windows.old’, I wondered whether it might be a false
alarm. However, the fifth file moved to the quarantine area was
located in ‘AppData\Local\Temp\’.
In order to prevent any infection of my computer, I would like to
erase the suspected *.CAB files from the ‘Temp’ as well as the
‘Windows.old’ folders. But I am not 100% sure whether this might
affect proper functionality.
Concerning the file stemming from the ‘Visual Basic’ folder, I would
prefer to use VB for a couple of weeks to find out whether the *.CAB
file might be essential for VB to work properly. If not, I would
delete this file then, too.
Do you think this is a good approach, or is there any better solution? Any
kind of advice is welcome!

Thank you in advance
Ulf
  #2  
Old 22-02-2009
FromTheRafters
 
Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

Any kind of advice?

Okay, go into the AV's configuration and set it to use the file
extensions list instead of the "smart" one that even bothers to scan
cabinet files.

Maybe you can find an AntiVir forum somewhere that can give you a custom
list of extensions that are worthy of being scanned.

<Ulf.Kriemeyer@yahoo.de> wrote in message
news:04cccb19-a13f-4949-ab28-ec9d8e490578@h16g2000yqj.googlegroups.com...
  #3  
Old 22-02-2009
David H. Lipman
 
Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

From: "FromTheRafters" <erratic@nomail.afraid.org>

| Any kind of advice?

| Okay, go into the AV's configuration and set it to use the file
| extensions list instead of the "smart" one that even bothers to scan
| cabinet files.

| Maybe you can find an AntiVir forum somewhere that can give you a custom
| list of extensions that are worthy of being scanned.

CAB files are indeed worthy of being scanned!
Often malware will come in a .CAB (cabinet file); others may use a different extension
such as DAT and use the EXPAND command to extract the executable from the CAB file.

Others come in the form of self extracting cabinet files.

Example:
The file; AntiVirusInstaller.exe

Downloaded

C:\Documents and Settings\user\Local Settings\Temporary Internet
Files\Content.IE5\BNPHK11H\AV1[2].CAB
Saved as...
C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab

Then ran the command...
cmd.exe /C expand "C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab"
"C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
Then ran the command...
"C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe" autostart

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #4  
Old 22-02-2009
FromTheRafters
 
Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u5eCLQHlJHA.4344@TK2MSFTNGP04.phx.gbl...
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> | Any kind of advice?
>
> | Okay, go into the AV's configuration and set it to use the file
> | extensions list instead of the "smart" one that even bothers to scan
> | cabinet files.
>
> | Maybe you can find an AntiVir forum somewhere that can give you a
> custom
> | list of extensions that are worthy of being scanned.
>
> CAB files are indeed worthy of being scanned!
> Often malware will come in a .CAB (cabinet file); others may use a
> different extension
> such as DAT and use the EXPAND command to extract the executable from
> the CAB file.


Shouldn't the 'on access' scanner catch them when they are extracted? Or
is this all done inside a process like the extraction from java jars? If
e-mail scanning is over the top redundant, isn't scanning within
containers also?

> Others come in the form of self extracting cabinet files.
>
> Example:
> The file; AntiVirusInstaller.exe


Yeah, but that's an exe - and we know exes should be scanned.

> Downloaded
>
> C:\Documents and Settings\user\Local Settings\Temporary Internet
> Files\Content.IE5\BNPHK11H\AV1[2].CAB
> Saved as...
> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab
>
> Then ran the command...
> cmd.exe /C expand "C:\Documents and Settings\All Users\Application
> Data\AV1\AV1.cab"
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"Then
> ran the command...
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
> autostart


Years ago I suggested that *all* files should be scanned because malware
could take the form of text in a text file. While the text file itself
wouldn't be dangerous, I suggested that known malware could be encoded
within, and a command or a program could decode and execute the malware.
I was told by several experts that it would be the program or the
command that would need to be detected - not the text file as the text
file in question only *contains* the malware - and there exists a
prerequisite malware to remove it from its container and execute it -
why is this so different?

I can understand content in an archive being a threat, if the extracted
malware doesn't get written to a file (thus avoiding a scan) before
being executed like, if I understand it correctly, Java does or did. I'm
sure I'm not telling you anything new, but the fact that I can write a
script to send a text file to debug and *execute* it does not mean that
.txt should be on a list of extensions to scan - it is the script that
should be detected as malware.

If I'm wrong in this, then it brings me around full circle to what I was
proposing ten years ago.


  #5  
Old 22-02-2009
David H. Lipman
 
Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

From: "FromTheRafters" <erratic@nomail.afraid.org>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:u5eCLQHlJHA.4344@TK2MSFTNGP04.phx.gbl...
>> From: "FromTheRafters" <erratic@nomail.afraid.org>


>> | Any kind of advice?


>> | Okay, go into the AV's configuration and set it to use the file
>> | extensions list instead of the "smart" one that even bothers to scan
>> | cabinet files.


>> | Maybe you can find an AntiVir forum somewhere that can give you a
>> custom
>> | list of extensions that are worthy of being scanned.


>> CAB files are indeed worthy of being scanned!
>> Often malware will come in a .CAB (cabinet file); others may use a
>> different extension
>> such as DAT and use the EXPAND command to extract the executable from
>> the CAB file.


| Shouldn't the 'on access' scanner catch them when they are extracted? Or
| is this all done inside a process like the extraction from java jars? If
| e-mail scanning is over the top redundant, isn't scanning within
| containers also?

>> Others come in the form of self extracting cabinet files.


>> Example:
>> The file; AntiVirusInstaller.exe


| Yeah, but that's an exe - and we know exes should be scanned.

>> Downloaded


>> C:\Documents and Settings\user\Local Settings\Temporary Internet
>> Files\Content.IE5\BNPHK11H\AV1[2].CAB
>> Saved as...
>> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab


>> Then ran the command...
>> cmd.exe /C expand "C:\Documents and Settings\All Users\Application
>> Data\AV1\AV1.cab"
>> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"Then
>> ran the command...
>> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
>> autostart


| Years ago I suggested that *all* files should be scanned because malware
| could take the form of text in a text file. While the text file itself
| wouldn't be dangerous, I suggested that known malware could be encoded
| within, and a command or a program could decode and execute the malware.
| I was told by several experts that it would be the program or the
| command that would need to be detected - not the text file as the text
| file in question only *contains* the malware - and there exists a
| prerequisite malware to remove it from its container and execute it -
| why is this so different?

| I can understand content in an archive being a threat, if the extracted
| malware doesn't get written to a file (thus avoiding a scan) before
| being executed like, if I understand it correctly, Java does or did. I'm
| sure I'm not telling you anything new, but the fact that I can write a
| script to send a text file to debug and *execute* it does not mean that
| .txt should be on a list of extensions to scan - it is the script that
| should be detected as malware.

| If I'm wrong in this, then it brings me around full circle to what I was
| proposing ten years ago.


I just leave this a simple response.

Scanning Archive file types should be enabled.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


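Dave's point earlier in the thread (a cabinet can travel under another extension such as DAT and be unpacked with EXPAND) and his conclusion here that archive scanning should stay enabled both come down to looking inside the container instead of trusting its name. The Python script below is an added example, not code from anyone in this thread or from Avira: it recognises a cabinet by its MSCF signature whatever the extension says, walks the CFHEADER, CFFOLDER and CFFILE records, reassembles a stored (uncompressed) folder from its CFDATA blocks, and flags members whose bytes begin with the MZ executable signature. The sample cabinet it inspects is constructed inside the script (the names update.dat and readme.txt, and the reuse of AV1.exe from Dave's example, are illustrative only). Only stored folders are read; MSZIP/LZX/Quantum folders are reported as not inspected, which is exactly the gap a real scanner closes by decompressing.

```python
import struct

CFHEADER_FMT = "<IIIIIBBHHHHH"   # fields that follow the 4-byte "MSCF" signature
CFFOLDER_FMT = "<IHH"            # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"           # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA_FMT = "<IHH"              # csum, cbData, cbUncomp


def is_cabinet(blob):
    """Identify a cabinet by its signature, ignoring whatever extension the file carries."""
    return blob[:4] == b"MSCF"


def build_cab(members):
    """Constructed test input: one stored (uncompressed) folder holding the given (name, data) members."""
    payload = b"".join(data for _, data in members)
    cffiles, offset = b"", 0
    for name, data in members:
        cffiles += struct.pack(CFFILE_FMT, len(data), offset, 0, 0x3A21, 0, 0x20) + name.encode("ascii") + b"\0"
        offset += len(data)
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload   # one raw data block
    coff_files = 36 + 8                                  # CFHEADER + a single CFFOLDER
    coff_data = coff_files + len(cffiles)
    cb_cabinet = coff_data + len(cfdata)
    header = b"MSCF" + struct.pack(CFHEADER_FMT, 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, len(members), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_data, 1, 0)  # typeCompress 0 = stored, no compression
    return header + folder + cffiles + cfdata


def parse_cab(blob):
    """Return (folders, files, cbCFData reserve) from the CFHEADER, CFFOLDER and CFFILE records."""
    if not is_cabinet(blob):
        raise ValueError("not a cabinet")
    (_, _, _, coff_files, _, _, _, n_folders, n_files, flags, _, _) = struct.unpack_from(CFHEADER_FMT, blob, 4)
    pos, folder_reserve, data_reserve = 36, 0, 0
    if flags & 0x0004:                                   # cfhdrRESERVE_PRESENT: optional reserve sizes
        cb_header, folder_reserve, data_reserve = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_header
    for bit in (0x0001, 0x0002):                         # PREV/NEXT cabinet: two NUL-terminated strings each
        if flags & bit:
            for _ in range(2):
                pos = blob.index(b"\0", pos) + 1
    folders = []
    for _ in range(n_folders):
        coff, n_data, comp = struct.unpack_from(CFFOLDER_FMT, blob, pos)
        folders.append((coff, n_data, comp & 0x000F))     # low nibble is the compression type
        pos += 8 + folder_reserve
    files, pos = [], coff_files
    for _ in range(n_files):
        size, uoff, ifolder, _, _, _ = struct.unpack_from(CFFILE_FMT, blob, pos)
        end = blob.index(b"\0", pos + 16)
        files.append({"name": blob[pos + 16:end].decode("latin-1"), "size": size, "offset": uoff, "folder": ifolder})
        pos = end + 1
    return folders, files, data_reserve


def folder_bytes(blob, folder, data_reserve):
    """Concatenate the CFDATA blocks of a stored folder; None for compressed folders (not handled here)."""
    coff, n_data, comp = folder
    if comp != 0:
        return None
    out, pos = b"", coff
    for _ in range(n_data):
        _, cb_data, _ = struct.unpack_from(CFDATA_FMT, blob, pos)
        pos += 8 + data_reserve
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return out


def inspect_cab(blob):
    """List (name, size, looks_like_pe) for each member; the flag is True when the member starts with MZ."""
    folders, files, data_reserve = parse_cab(blob)
    report = []
    for f in files:
        data = folder_bytes(blob, folders[f["folder"]], data_reserve) if f["folder"] < len(folders) else None
        member = None if data is None else data[f["offset"]:f["offset"] + f["size"]]
        report.append((f["name"], f["size"], member is not None and member[:2] == b"MZ"))
    return report


if __name__ == "__main__":
    # Constructed sample: a cabinet saved under a harmless-looking name, carrying an MZ stub.
    SAMPLE_NAME = "update.dat"
    sample = build_cab([("readme.txt", b"hello\n"), ("AV1.exe", b"MZ" + bytes(62))])
    print(SAMPLE_NAME, "is a cabinet:", is_cabinet(sample))
    for name, size, is_pe in inspect_cab(sample):
        print(f"  {name:<12} {size:>5} bytes  {'<-- executable inside container' if is_pe else ''}")
```

Run it as-is and the report shows that the extension on the outer file tells a scanner nothing; the MSCF signature and the MZ member inside are what matter. A scanner configured from a fixed extension list, as suggested earlier in the thread, would never open update.dat, whereas signature-based container scanning finds the executable before any EXPAND step writes it to disk.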
  #6  
Old 24-02-2009
John
 
Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code

Avira Antivir is one of the AV programs that gives a very high detection rate.
The downside is that there are lots of false positives every now and then.

I'm an Antivir user (free version). Occasionally, I do get false
(HEURistic) warnings when manually scanning my HD, which I manually respond to
with "Ignore". What's interesting is that after a couple more virus
definition updates, the (false) warnings disappear on their own.


<Ulf.Kriemeyer@yahoo.de> wrote in message
news:04cccb19-a13f-4949-ab28-ec9d8e490578@h16g2000yqj.googlegroups.com...