NZB worm?


myidisbb

one of my NG files that is an NZB got popped by NOD32 as it was finishing downloading.

it says, "probably a variant of VBS/Fixer.A worm"

Probably a false positive. Where did you download it from?

If it's just the NZB, upload it to RapidShare.de and I'll check it out myself.



> Probably a false positive. Where did you download it from?
>
> If it's just the NZB, upload it to RapidShare.de and I'll check it out myself.

okay, turn nod32 off, d/l nzb and rar it. up it. pm sent with link.

i'm guessing clicking on the nzb like normal would activate it if it's a worm. so following that i should be able to open it with notepad and be safe. but i would still not know what i was looking at.



just right click > open with > choose program > notepad and look for something like this...

...if that's there it's just a bunch of XML, no fuckin way you could get infected by opening it with a NG program ;)

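The manual notepad check described in the post above can be done without opening the file in any newsreader. This is an added example, not code from the thread: the script markers are constructed heuristics and both sample inputs are constructed, and the only format detail assumed is the standard NZB XML namespace.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.newzbin.com/DTD/2003/nzb}"  # NZB XML namespace
# Constructed heuristic: script constructs that have no place in an NZB.
SCRIPT_MARKERS = re.compile(rb"(?i)<script|createobject\s*\(|wscript\.|on error resume next")

def triage_nzb(data: bytes) -> list:
    """Return findings for a file claiming to be an NZB; [] means plain NZB XML."""
    findings = []
    if data[:2] == b"MZ":
        findings.append("starts with an MZ header (Windows executable)")
    if b"<!ENTITY" in data:
        # Never hand entity declarations to the parser (expansion attacks).
        return findings + ["declares XML entities; not parsed"]
    hit = SCRIPT_MARKERS.search(data)
    if hit:
        findings.append(f"script-like text {hit.group(0)!r} at offset {hit.start()}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != NS + "nzb":
        findings.append(f"unexpected root element {root.tag!r}")
    files = root.findall(NS + "file")
    if not files:
        findings.append("no <file> entries")
    for f in files:
        segs = f.findall(f"{NS}segments/{NS}segment")
        # Every segment needs a numeric size and a message-id as its text.
        if not segs or not all(s.get("bytes", "").isdigit() and (s.text or "").strip() for s in segs):
            findings.append(f"malformed segments in {f.get('subject', '?')!r}")
    return findings

# Constructed sample: a minimal, well-formed NZB.
SAMPLE_NZB = b"""<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE nzb PUBLIC "-//newzBin//DTD NZB 1.1//EN" "http://www.newzbin.com/DTD/nzb/nzb-1.1.dtd">
<nzb xmlns="http://www.newzbin.com/DTD/2003/nzb">
 <file poster="a@example.invalid" date="1130000000" subject="example.par2 (1/1)">
  <groups><group>alt.binaries.example</group></groups>
  <segments><segment bytes="1024" number="1">msgid1@example.invalid</segment></segments>
 </file>
</nzb>"""
# Constructed sample: harmless script text saved under an .nzb name.
SAMPLE_VBS = b'On Error Resume Next\r\nSet fso = CreateObject("Scripting.FileSystemObject")\r\n'

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_NZB), ("renamed script", SAMPLE_VBS)):
        print(name, "->", triage_nzb(blob) or "looks like a plain NZB")
```

An empty result only says the file is structurally an NZB with none of the listed markers; it does not replace an AV scan of whatever the NZB points to.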


I just checked the rar you sent me. It only contained a PAR2 file, which was clean. You did say it was the NZB right?

As nsane stated above, an NZB is basically an XML (text) with no real threat to your system. The only thing I can think of is when you open it up using a NG app, and the app itself is infected?



Such as a NG app like I stated above?

It's just like opening a .doc in Word. Except the headers and text are used by an NG app like NewsLeecher. I would highly doubt it could manifest itself without manually abusing it.



> Such as a NG app like I stated above?
>
> It's just like opening a .doc in Word. Except the headers and text are used by an NG app like NewsLeecher. I would highly doubt it could manifest itself without manually abusing it.

dang it, i think i rar'd the wrong one as you said it's a par. i had nod32 off, i'll try to get it again

edit: when i have nod32 off it does not copy the nzb to the download folder. i'm now running virusscan on the hard drive to make sure it's not there.

i have nzb'd the nzb file and rar'd it. i'm going to pm you the link in a bit and i'm guessing you have to actually download the nzb file from the rar'd nzb. sorry about this.

virusscan c:drive and nothing.

i made an export nzb of the nzb in newsgroups and rar'd it.

http://rapidshare.de/files/11659956/bleach..._a_nzb.rar.html

delete link if not allowed here.

when you unrar the rapidshare file you will get an nzb that is for getting the actual nzb in newsgroups. i was unable to see the file when it was downloaded from newsgroups with nod32 off.



little update

i figured out i could restore it with nod32 quarantine and then turn nod32 off. after doing that i found i got access denied if i try using notepad. and access denied if i try to rar it. and when trying to upload just the stored nzb rapidshare says 0 Kb size, even though it clearly says 843Kb.

with the quarantine file deleted and nod32 off i tried to download the file again. still doesn't show up anywhere afterwards. oh well. sent the quarantine to eset and let them look.

virus scan and spysweeper c: and nothing comes up.



> Such as a NG app like I stated above?

that's what i was saying, most NG apps only parse the NZBs for group locations, file/post lengths, etc. and list them in a download manager type thing. they never actually execute anything, so it's impossible to get infected loading it up in grabit or whatever :D

but i get what lite's saying, it's like certain javascript functions can be used to create and execute EXE files from a regular HTML document...if the file's stored locally (ie. run from your HDD and not a webpage). an email virus spread like that a while back, everyone was like 'how could a html file infect me...click click...fucked' :D



Archived

This topic is now archived and is closed to further replies.
