rec.autos.simulators

F1RS Edit is a virus!!!!

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Mon, 28 Jun 1999 04:00:00

I use Norton AV 5.0 to scan my drives every week. I got the
latest definitions today and did another scan.

The virus name is PM Trojan (TIM). The filename is f1rsedit163.exe.
The older 1.50 version was also a Trojan.

Here is the logfile entry:
The file F1rsedit163.exe in the compressed file
C:\SCRATCH\F1RS\f1rsedit.zip
is infected with the PM Trojan (TIM) virus.
No action was taken.

Here is the information about the virus which is provided by
Norton AV:

"This trojan attempts to steal PWL and ICQ passwords from
the user's system. An animated program is executed to appear
as if nothing harmful is happening".

Strangely after the program is installed the exe is not infected.
Anyone know what is up with this????

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Philste

F1RS Edit is a virus!!!!

by Philste » Tue, 29 Jun 1999 04:00:00


> I use Norton AV 5.0 to scan my drives every week. I got the
> latest definitions today and did another scan.

> The virus name is PM Trojan (TIM). The filename is f1rsedit163.exe.
> The older 1.50 version was also a Trojan.

> Here is the logfile entry:
> The file F1rsedit163.exe in the compressed file
> C:\SCRATCH\F1RS\f1rsedit.zip
> is infected with the PM Trojan (TIM) virus.
> No action was taken.

> Here is the information about the virus which is provided by
> Norton AV:

> "This trojan attempts to steal PWL and ICQ passwords from
> the user's system. An animated program is executed to appear
> as if nothing harmful is happening".

> Strangely after the program is installed the exe is not infected.
> Anyone know what is up with this????

> --

> Header address intentionally scrambled to ward off the spamming hordes.

> cisko [AT] ix [DOT] netcom [DOT] com

One important piece of info: where did you get this file? If it comes
from an honest gamer, maybe you should write to him about the discovery
you made. If that's not the case, give us an e-mail address and we will
send hate mail to this evil person! ;)

Philster

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Tue, 29 Jun 1999 04:00:00


>> "This trojan attempts to steal PWL and ICQ passwords from
>> the user's system. An animated program is executed to appear
>> as if nothing harmful is happening".

>> Strangely after the program is installed the exe is not infected.
>> Anyone know what is up with this????

>> --

>> Header address intentionally scrambled to ward off the spamming hordes.

>> cisko [AT] ix [DOT] netcom [DOT] com

>One important piece of info: where did you get this file? If it comes
>from an honest gamer, maybe you should write to him about the discovery
>you made. If that's not the case, give us an e-mail address and we will
>send hate mail to this evil person! ;)

Anyone can get it from www.f1racingsim.com , I just redownloaded it and
confirmed the virus again. It is one of the better editors for F1RS. I
suppose someone good enough to program an editor like that is good enough
to program a virus. Interesting how it seemingly was OK until the latest
virus definitions came out.

As it turns out the file in question is the setup/install file for F1RS Edit
1.63. The actual installed f1rsedit.exe is not infected. So if I believe the
info that Norton 5.0 provided, the trojan virus scans your HD for PWL and ICQ
password files as it is doing the install of F1RSedit... Presumably if this
really is a virus the person who programmed it is good enough to hide
the virus for quite a long time.

Here is the author... My old copy of version 1.5 also claimed to have the
virus.

F1RS Editor V1.5
----------------

Author: Arturo Baz

Webpage: http://www.ozemail.com.au/~bazar/
Date: Mar 98

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Neil Rain

F1RS Edit is a virus!!!!

by Neil Rain » Wed, 30 Jun 1999 04:00:00


> Anyone can get it from www.f1racingsim.com , I just redownloaded it and
> confirmed the virus again. It is one of the better editors for F1RS. I
> suppose someone good enough to program an editor like that is good enough
> to program a virus. Interesting how it seemingly was OK until the latest
> virus definitions came out.

> As it turns out the file in question is the setup/install file for F1RS Edit
> 1.63. The actual installed f1rsedit.exe is not infected. So if I believe the
> info that Norton 5.0 provided, the trojan virus scans your HD for PWL and ICQ
> password files as it is doing the install of F1RSedit... Presumably if this
> really is a virus the person who programmed it is good enough to hide
> the virus for quite a long time.

> Here is the author... My old copy of version 1.5 also claimed to have the
> virus.

> F1RS Editor V1.5
> ----------------

> Author: Arturo Baz

> Webpage: http://www.ozemail.com.au/~bazar/
> Date: Mar 98

Presumably this guy's machine has itself been infected with the trojan
horse virus, and that's why it's in the installer - you should be
warning him about it!

Not to mention www.f1racingsim.com!

Zonk

F1RS Edit is a virus!!!!

by Zonk » Wed, 30 Jun 1999 04:00:00



>Presumably this guy's machine has itself been infected with the trojan
>horse virus, and that's why it's in the installer - you should be
>warning him about it!

>Not to mention www.f1racingsim.com!

er... a Trojan Horse is not a virus. It is a malicious program pretending to
be a nice friendly .exe

and in any case, most of the anti-virii clods are *hopeless*

/me gives much love to McAfee, who thoughtfully began declaring any installer
created with WISE ver 3 a trojan horse, thereby causing 100's of calls on back
catalogue titles...

Z.

Please remove NOSPAM from my email address when replying.

Neil Rain

F1RS Edit is a virus!!!!

by Neil Rain » Wed, 30 Jun 1999 04:00:00




> >Presumably this guy's machine has itself been infected with the trojan
> >horse virus, and that's why it's in the installer - you should be
> >warning him about it!

> >Not to mention www.f1racingsim.com!

> er... a Trojan Horse is not a virus. It is a malicious program pretending to
> be a nice friendly .exe

Sure, the distinction is whether the malicious program spreads by
inserting itself into other .exe files.

But if this isn't a virus, how did it get into the installer - no-one
would be stupid enough to deliberately put it into their installer
(would they?).

I was assuming that the trojan horse had been inserted into the
installer by a virus, even if the trojan horse itself couldn't spread on
its own.

Sounds like a load of gibberish - ignore me, I'm just rambling now...
;-)

I believe there's a web site somewhere devoted to exposing the devious
dealings of anti-virus companies - I seem to remember McAfee's name
cropping up a *lot* more often than anyone else's.  Sadly I can't
remember where the site was.

Zonk

F1RS Edit is a virus!!!!

by Zonk » Wed, 30 Jun 1999 04:00:00





>> >Presumably this guy's machine has itself been infected with the trojan
>> >horse virus, and that's why it's in the installer - you should be
>> >warning him about it!

>> >Not to mention www.f1racingsim.com!

>> er... a Trojan Horse is not a virus. It is a malicious program pretending to
>> be a nice friendly .exe

>Sure, the distinction is whether the malicious program spreads by
>inserting itself into other .exe files.

>But if this isn't a virus, how did it get into the installer - no-one
>would be stupid enough to deliberately put it into their installer
>(would they?).

You misunderstand. The virus scanner has found a string which matches a known
"Trojan Horse" string, not a virii string. It thinks this is a dummy trojan
horse, not a virus. The virus scanner is dumb. If a trojan horse really is
found in a perfectly working installer, then it's the virus scanner at fault*

Again, you're talking about a virus not a trojan horse.

Well, in my case, they'd just added trojan horse support to the McAfee
Virus-scan, and it was setting off on some versions of Wise, which is about the
2nd most popular installer after Installshield.

Calls to McAfee finally got someone to admit "we suck" and gave advice to
delete trojans.dat as it was detecting many many false alarms.

Z.

Please remove NOSPAM from my email address when replying.

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Wed, 30 Jun 1999 04:00:00


>> Author: Arturo Baz

>> Webpage: http://www.ozemail.com.au/~bazar/
>> Date: Mar 98

>Presumably this guy's machine has itself been infected with the trojan
>horse virus, and that's why it's in the installer - you should be
>warning him about it!

I did send him an email and so far no response.

I did contact Rick and after an initial period of confusion he is now
on the case. Interestingly he used McAfee AV and there was no
virus found. Maybe Norton is just better :-) Anyway he is looking
into it. Imagine all of those ICQ and PWL files that have been
compromised. Rick said the number of times that file has been
downloaded numbers in the thousands.

I quarantined the virus and sent it to Norton for analysis. At first
my request for analysis was denied because the file is a known
virus and that is that! However I sent it anyway and got the following
response:

Dear Greg Cisko
We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:

filename: C:\Scratch\F1rs\virus\F1rsedit163.exe
machine: CISKO
result: This file is infected with PM Trojan (TIM)

The attached file is a self extracting zip containing updated virus
definitions for Norton AntiVirus to successfully detect and repair
this virus.

Developer notes:
C:\Scratch\F1rs\virus\F1rsedit163.exe is infected by a non-repairable virus
or a Trojan Horse.  You should delete this file and replace it if
necessary.

Should you have any questions about your submission, please contact
technical support at the appropriate number listed below and give them
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by SARC automation.


I then called Norton and talked with customer support. The file is
infected and that is that!!!

I do have a hard time really believing it, but hey anything is possible.

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Wed, 30 Jun 1999 04:00:00


>You misunderstand. The virus scanner has found a string which matches a known
>"Trojan Horse" string, not a virii string. It thinks this is a dummy trojan
>horse, not a virus. The virus scanner is dumb. If a trojan horse really is

So? What is your point?

>found in a perfectly working installer, then it's the virus scanner at fault*

The virus scanner is at fault??? Are you making this up as you
are going? Holy shit pal. Perhaps we would all be better off if
NAV did not look for malicious programs? I don't really give
one shit whether it is officially called a virus or trojan horse or
Worm.ExploreZip. If it is malicious I want to know about it.

Duh. However...

Assuming this is no big deal, exactly what proof do you have that
the installer for F1RS Edit version 1.63 does not have this malicious
program? Speculating like you are doing is no proof.

Maybe they do suck? I have no such problems with Norton AV. The only
exception is the one incident with F1RS Edit 1.63.

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Zonk

F1RS Edit is a virus!!!!

by Zonk » Thu, 01 Jul 1999 04:00:00



>>You misunderstand. The virus scanner has found a string which matches a known
>>"Trojan Horse" string, not a virii string. It thinks this is a dummy trojan
>>horse, not a virus. The virus scanner is dumb. If a trojan horse really is

>So? What is your point?

>>found in a perfectly working installer, then it's the virus scanner at fault*

>The virus scanner is at fault??? Are you making this up as you
>are going? Holy shit pal. Perhaps we would all be better off if
>NAV did not look for malicious programs? I don't really give
>one shit whether it is officially called a virus or trojan horse or
>Worm.ExploreZip. If it is malicious I want to know about it.

Quite simply, it is apparent you don't know the difference between a Trojan
horse and a malicious virus. :) If Norton is claiming it is a trojan horse,
then it is mistaken.

Who's speculating? It's apparent you don't understand quite what Norton is
telling you.

A "Trojan horse" is a seemingly normal program, that would wipe your hard
drive, or delete some data when executed, because you *thought* it was another
file or something of use.  This is not a "virus".

A virus (normally) once loaded into memory, replicates itself, either in empty
space of files (like win.cih) or in the boot sectors of floppies, HDs, etc,
so it spreads, and does malicious damage to files, system, etc.

So it's apparent you do.

All these AV programs do is look for known "problem strings" in code, and
report on matches. They're not absolute.

Z.

Please remove NOSPAM from my email address when replying.
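
The two cases argued over in this thread, as an added example that is not part of any post: a string-matching scanner run over an installer inside a zip and over the program that installer drops. Every byte string, file name and signature name below is constructed for illustration; `build_installer`, `install`, `scan_bytes` and `scan_zip` are hypothetical helpers, not any vendor's engine.

```python
import io
import zipfile

# Constructed stand-ins: none of these bytes come from a real product or sample.
STUB = b"MZ" + b"\x90" * 16 + b"GENERIC-INSTALLER-STUB-v3"  # code shared by every installer built with one tool
EDITOR = b"MZ" + b"\x00" * 16 + b"editor-program-body"      # the program the installer writes to disk
UNWANTED = b"constructed-unwanted-routine"                   # placeholder for code bundled into a bad installer
MARK = b"|PAYLOAD|"                                          # toy separator between installer code and payload

# Hypothetical signature database: detection name -> byte pattern.
SIGNATURES = {
    "Sig.FromSharedStub": b"GENERIC-INSTALLER-STUB",  # pattern cut from the installer tool's own code
    "Sig.FromPayload": b"constructed-unwanted",       # pattern cut from the unwanted routine itself
}

def build_installer(program, bundled=b""):
    """Toy installer layout: shared stub, optional bundled code, then the program."""
    return STUB + bundled + MARK + program

def install(installer):
    """What lands on disk after setup runs: only the program after the marker."""
    return installer.split(MARK, 1)[1]

def scan_bytes(data, signatures=SIGNATURES):
    """Return the sorted names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)

def make_zip(members):
    """Build an in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan_zip(blob, signatures=SIGNATURES):
    """Decompress each member and scan it, as a scanner must for archived files."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: scan_bytes(zf.read(name), signatures) for name in zf.namelist()}

if __name__ == "__main__":
    clean = build_installer(EDITOR)
    bad = build_installer(EDITOR, bundled=UNWANTED)
    print("clean installer    :", scan_bytes(clean))
    print("bundled installer  :", scan_bytes(bad))
    print("installed program  :", scan_bytes(install(bad)))
    print("zip with installer :", scan_zip(make_zip({"setup.exe": bad})))
```

In both cases the installer is flagged and the installed program is not, so that observation alone cannot separate a false alarm on shared installer code from an installer that really carries extra code; that takes knowing what the signature matches, or watching what the installer does when run.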

Meij

F1RS Edit is a virus!!!!

by Meij » Thu, 01 Jul 1999 04:00:00



A Trojan Horse is a program that passes itself off as another with the
intention of causing harm to either your system or its integrity. Examples
are the now generally defunct "Format" Trojan that wiped your HD and things
like Back Orifice and NetBus. These are just files disguised to look as
other files in order to get you to run them.

A virus is a self replicating program that can do similar things to trojans
but generally hides itself in another file rather than taking the whole
thing over. Win.CIH and Melissa are these.

Thus if a program that WORKS as this installer is supposed to do (no I
haven't downloaded it because I don't have F1RS installed any more) then it
*cannot* be a virus. Is this hard for you to understand? If it *was* a
trojan it would fail to work as intended (witness the "screensaver
installer" that was actually BO that was doing the rounds) and either do
damage immediately or hide itself somewhere waiting for whatever trigger it
needs.

Proof? Well as the AV program calls it a trojan yet it works the evidence
is that it is not a trojan. A virus perhaps but not a trojan. However if,
as some people mentioned, the installed files and any programs run after
the installer don't make the AV program b0rk then the chances are the
program has made a mistake.

It's not impossible that a proper program would contain enough similarities
to a known virus or trojan that a heuristic check wouldn't query them as
potential hazards. I know this is the case because the documentation for my
AV software at the office says this is the case.

What Zonkie did not say was that it wasn't infected at all, what he said
was that it was almost certainly NOT a trojan horse.

As for McAfee, they did admit their technology was at fault but providing
you were sure a program wasn't a trojan then you could tell the software to
ignore it and run it anyway. The reason I deleted trojans.dat (as did
Zonkie I would imagine) is that the number of times this installer was run
or tested a day made it a serious annoyance to members of staff. I would
advise calling your software supplier if you have doubts about the trojan
alert as they tend not to publicise obvious flaws on their websites.

*phew*

If you can see a hole in my argument please feel free to point it out :)

M

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Thu, 01 Jul 1999 04:00:00


>Quite simply, it is apparent you don't know the difference between a Trojan
>horse and a malicious virus. :) If Norton is claiming it is a trojan horse,
>then it is mistaken.

A trojan can be *ANY* program good or bad that does something
the user is unaware of. In this case stealing ICQ password and Windows
PWL files. Do you know for a fact that F1RS Edit 1.63 does not do this?

A trojan can be any program which does something unexpected by the
user. It could be good or bad. Perhaps you fellas should read the TROJAN
chapter in "Maximum Security: A Hacker's Guide to Protecting Your
Internet Site and Network". I have and there is no proof that F1RS Edit 1.63
does not steal ICQ and Windows password files. You have some other info
with regards to that? I would like to hear it.

I know what the hell a virus is. And perhaps I should have rephrased
the subject to reflect that F1RS Edit is a trojan not a virus. In fact I
will.

My Apologies,

I sent the file to Norton for analysis and even talked on the phone with
one of their engineers. They insist the file contains the trojan which
steals ICQ and Win passwords. You have some other helpful information
on this???

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Thu, 01 Jul 1999 04:00:00


>Thus if a program that WORKS as this installer is supposed to do (no I
>haven't downloaded it because I don't have F1RS installed any more) then it
>*cannot* be a virus. Is this hard for you to understand? If it *was* a

I explained in my other post that I should have used Trojan in the subject
and not virus. My apologies.

What the hell do you mean by this? Just because it works, it is not a
Trojan??? Perhaps you need to read the Trojan chapter in "Maximum
Security: A Hacker's Guide to Protecting Your Internet Site and Network"
too. The install program can still function normally and in the meantime
steal the password files without the user knowing it. This is the exact
definition of what a trojan does. It is anything the user is unaware of,
good or bad. In this case bad.

Wrong. The trojan is in the installer program, not the resulting F1RSEdit
EXE after the install.

Sure no problem.

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com

Steven Becke

F1RS Edit is a virus!!!!

by Steven Becke » Wed, 07 Jul 1999 04:00:00

I've been using F1RS version 1.62 for over a year on my machine with no
problems.  I don't know much about trojans or viruses, but I'm pretty sure
that if this file is a problem Arturo will fix it.  His older version edit
program works fine, and the new version is posted on a reputable website.
Enjoy F1RS!


Greg Cisk

F1RS Edit is a virus!!!!

by Greg Cisk » Thu, 08 Jul 1999 04:00:00


>I've been using F1RS version 1.62 for over a year on my machine with no
>problems.  I don't know much about trojans or viruses, but I'm pretty sure
>that if this file is a problem Arturo will fix it.  His older version edit
>program works fine, and the new version is posted on a reputable website.
>Enjoy F1RS!

It isn't the F1RS Edit executable itself, it is the installer exe. I called
Norton a second time and was told that they put the F1rsedit163.exe
which I sent them, on an isolated machine and tested it to see if
it steals passwords or not. They insist that it did. So if everyone
wants to ignore this (including Rick D who runs the unofficial F1RS
site) that is just fine with me.

--

Header address intentionally scrambled to ward off the spamming hordes.

cisko [AT] ix [DOT] netcom [DOT] com





rec.autos.simulators is a usenet newsgroup formed in December, 1993.