Backdoor.Win32.Rbot.gen - is tds supposed to catch it?


martin37
December 11th, 2004, 05:36 AM
hello everybody,

I am testing tds-3 atm (latest updates installed) and was wondering if it is supposed to catch this trojan: Backdoor.Win32.Rbot.gen

or is it even a trojan? anyway, my firewall caught it in the act while trying to connect to 195.210.247.23:6662

the only program that even detected that it was indeed a trojan (nod32, antivir etc. didn't) was kaspersky

am I missing something?

cheers

Pilli
December 11th, 2004, 06:07 AM
There are a lot of variants of this malware. TDS3 does detect a lot of them; see the TDS3 help - Primaries list.
When you do a full scan with TDS3 you should disable your AV scanner or run TDS3 in Safe mode.

For manual removal try this link:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=56713

HTH Pilli

dvk01
December 11th, 2004, 06:46 AM
There are somewhere in the region of 2000 different versions of Backdoor.Win32.Rbot & SDbot

The only antivirus that I know of at this time that has a generic detection of them is Kaspersky, and that does sometimes give a false alarm, as some versions of it are very close to legitimate programs

Almost all other antiviruses & antitrojans rely on signatures for specific versions so many will get through

If your firewall is enabled it should warn you and block anything from happening

martin37
December 11th, 2004, 08:11 AM
thank you Pilli and dvk01 for the fast response.

I had no problem removing it for I keep a clean updated system image that I just re-play on the system partition - problem solved ;)

I also don't run any real time anti virus scanners - it's on demand only. I run tds in safe mode and still no result. don't get me wrong, tds has a good reputation, I just wanted to know if there is a particular reason why this very very dangerous trojan (after all, it's possible to upload "things" onto your harddrive!!! imagine what harm can be done to you ...) wasn't detected. and yes, 2000 or more variants are a lot, but I'd rather wait 5 more minutes before the scan has finished ...

and regarding Kaspersky, I have used it for years now, and never had any false alarm (touch wood!)

funny enough, the trojan file was injected into setup.exe of a trial Ad-Aware SE version ...

cheers

dvk01
December 11th, 2004, 08:29 AM
If you downloaded the adaware version from one of the authorised sites I find it hard to believe it was really infected

If it came from a non approved download site then anything is possible

Adaware SE doesn't have trial versions just the free full version or the paid for Pro or plus versions

Please PM me with the link to the download so I can get it checked out, and if it was a genuine Adaware version I will get it pulled immediately by the adaware developers

Pilli
December 11th, 2004, 08:33 AM
Thanks for the reply Martin,
ProcessGuard stops .dll injection and many other methods that the latest dangerous Trojans use, such as rootkits.
Also remember that TDS3 users will get a free upgrade to TDS4 which will include new technology to fight Trojans.
Please take time to read about ProcessGuard on these forums.

Cheers. Pilli

martin37
December 11th, 2004, 09:40 AM
dvk01, well, I never said I downloaded it from an authorized link. I got it from an admin friend for testing. I don't know where he got it from. but that only shows: Trust No One :(

thanks Pilli for the info :) I'm going to give it a try on one of our test machines ...

FanJ
December 11th, 2004, 09:47 AM
Hi Martin,

If I'm allowed to add a little bit to above postings:
if you still have that file, you could send it (if possible zipped) to Gavin:
submit at diamondcs.com.au

Thanks !

martin37
December 12th, 2004, 10:59 AM
@ FanJ

yes, no problem. I just sent it :)

cheers

Gavin - DiamondCS
December 12th, 2004, 09:42 PM
Please also note that TDS-3 Process Memory Scan should detect most variants of any IRC Bot. Thanks for sending, will check this one shortly
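Gavin's point above is that a memory scan catches IRC bots generically because, whatever packer wraps the file on disk, the bot has to decode its IRC protocol strings in memory before it can talk to its server. The following is an added illustration of that idea, not DiamondCS code: it scans a constructed memory buffer for a cluster of IRC client verbs and treats the cluster as the indicator. The verb list, threshold and sample buffers are assumptions for the example.

```python
import re
from typing import Dict, List

# Generic IRC client verbs a bot must emit to reach a command channel.
# Hypothetical signature set for this example; a real scanner would tune it.
IRC_VERBS = [b"NICK ", b"USER ", b"JOIN #", b"PRIVMSG ", b"PONG "]

# Constructed mock memory dump (not from any real sample): IRC protocol
# strings decoded in memory, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00unrelated text\x00"
    + b"NICK bot1234\r\nUSER xxx 0 0 :xxx\r\nJOIN #example key\r\n"
    + b"PRIVMSG #example :hello\r\nPONG :server\r\n"
    + b"\x00" * 16
)

# Constructed benign buffer that contains no IRC traffic at all.
BENIGN_DUMP = b"Hello, world! This buffer has nothing interesting.\x00" * 4


def find_irc_strings(buf: bytes, context: int = 32) -> Dict[bytes, List[bytes]]:
    """Map each IRC verb found in buf to the line fragments it appears in.

    Each match is the verb plus up to `context` following bytes, stopping
    at a line break or NUL, so the analyst sees the nick/channel used.
    """
    hits: Dict[bytes, List[bytes]] = {}
    for verb in IRC_VERBS:
        pattern = re.escape(verb) + rb"[^\r\n\x00]{0,%d}" % context
        for m in re.finditer(pattern, buf):
            hits.setdefault(verb, []).append(m.group(0))
    return hits


def irc_bot_score(buf: bytes) -> int:
    """Number of distinct IRC verbs present; the cluster is the generic signal."""
    return len(find_irc_strings(buf))


def looks_like_irc_bot(buf: bytes, threshold: int = 3) -> bool:
    """True when enough distinct verbs co-occur to suggest an in-memory IRC client."""
    return irc_bot_score(buf) >= threshold


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, irc_bot_score(dump), looks_like_irc_bot(dump))
```

In a real process memory scan the same functions would be run over each readable region of every process; a legitimate IRC client will also match, so the hit list is for triage, not automatic removal.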