tron.zip Detection
Bouch
May 30th, 2002, 05:43 AM
Greetings all.
I downloaded tron.zip from here: http://www.xxx.com/trojans/tools/remote/
URL refers to trojan download and has been altered for that reason - Forum Admin
The following is the brief description provided at this site:
{QUOTE-> This is a pioneering new remote administration tool. This will allow connections from systems running several versions of ZoneAlarm and Tiny Personal Firewall v2.0.15.0 (the latest version).
a: Self installing invisible server which starts each time the system boots. b: Randomly named server. c: Will allow connections from systems running several versions of ZoneAlarm and Tiny Personal Firewall v2.0.15.0. d: If an installed TronServer.EXE is deleted under Windows 95/98, after a reboot of the system, lines added to autoexec will reinstall TronServer under another randomly generated name. e: Upload/Download files. f: File commands: copy file, move file, delete file, rename file, size of file. g: Directory commands: dir, cd, cd:, cd\ h: List running processes, kill process, and spawn process. i: Remote system time. j: Type keys for the remote system. k: Capture screen. l: Show picture on screen. m: Play WAV file. n: Open/Close CD-ROM. o: System shut down. (Should be used as last resort - forces a shut down which could damage data). <-QUOTE}
I scanned tron.zip with TDS-3 and it detected nothing; however, when I unzipped tron.zip, TDS-3 positively identified tronserver.exe as "RAT.tron". Since I also have licenced versions of both Tauscan and Trojan Hunter (both are latest versions with databases updated today), I scanned the unzipped file with them. Both Tauscan and Trojan Hunter failed to identify tronserver.exe as a trojan. Please feel free to draw your own conclusions.
This may seem picky; however, how come there was no detection of the zip file? tron.zip downloads to Windows/Temporary Internet Files. I scanned Temporary Internet files with zip files checked in TDS-3, and tron.zip went undetected. Obviously, I'm missing something.
Paul Wilders
May 30th, 2002, 06:28 AM
Hi Bouch,
TDS actually detects this archived (zipped) file, even when renamed:
http://www.wilderssecurity.f2s.com/tdsrattron2.jpg
regards.
paul
Jooske
May 30th, 2002, 06:28 AM
You surely must be missing something.
So are you sure you have the latest Radius databases of over 14061 references now and all scan options (including the zipped one) checked?
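Why an archive can pass while its content is caught: a scanner that only hashes tron.zip as a whole sees bytes that match no signature, whereas a scanner with the "zipped" option opens the archive and checks each member. The Python below is an added example, not TDS code and not anything posted in this thread: it walks a zip (nested zips included), hashes every member and compares each hash against a blocklist. The payload bytes, the blocklist entry, the archive layout and the size limits are constructed for the demonstration and are not real tronserver.exe signatures.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the server binary and its SHA-256 "signature".
# These are NOT real tronserver.exe hashes; they only make the example runnable.
SAMPLE_PAYLOAD = b"MZ-constructed-stand-in-for-tronserver.exe"
BLOCKLIST = {
    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "RAT.tron (constructed signature)",
}

MAX_DEPTH = 4                        # how deep to follow zip-inside-zip nesting
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate members declared larger than this


def scan_bytes(data: bytes, name: str, depth: int = 0) -> list:
    """Return [(member_path, detection)] for blocklisted content in `data`.

    The blob itself is hashed first; if it is a zip, every member is scanned
    as well, and nested zips are followed up to MAX_DEPTH levels.  Member paths
    are reported as outer.zip::inner/path so a hit can be located.
    """
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in BLOCKLIST:
        hits.append((name, BLOCKLIST[digest]))

    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_name = f"{name}::{info.filename}"
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    hits.append((member_name, "SKIPPED: declared size too large"))
                    continue
                try:
                    member = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile, NotImplementedError) as exc:
                    # Encrypted or unsupported compression: report it, never silently ignore it.
                    hits.append((member_name, f"SKIPPED: {exc.__class__.__name__}"))
                    continue
                hits.extend(scan_bytes(member, member_name, depth + 1))
    except zipfile.BadZipFile:
        hits.append((name, "SKIPPED: corrupt archive"))
    return hits


def scan_file(path: str) -> list:
    """Scan a file on disk the same way (the archive is read whole into memory)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path)


def build_sample_archive() -> bytes:
    """Construct a tron.zip look-alike: a readme, the stand-in payload, and a
    nested zip holding a second copy to show that recursion reaches it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TronServer.EXE", SAMPLE_PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed, harmless text")
        zf.writestr("tronserver.exe", SAMPLE_PAYLOAD)
        zf.writestr("backup/tron-copy.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    # Hashing the archive as a whole matches nothing ...
    print("whole-archive hash listed:", hashlib.sha256(archive).hexdigest() in BLOCKLIST)
    # ... while opening it finds both copies of the payload.
    for member, detection in scan_bytes(archive, "tron.zip"):
        print(f"{member}: {detection}")
```

The declared-size check and the depth limit are there because an archive scanner is itself an attack surface: without them a small file can expand into gigabytes or recurse forever. Skipped members are reported as findings rather than dropped, so an encrypted or oversized member never disappears from the report.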
Bouch
May 30th, 2002, 07:03 AM
Thanks Paul and Jooske!
You're right, of course. I'm still on a steep learning curve with TDS-3. I deleted the unzipped folder containing tronserver.exe and tron.zip from Windows/Temporary Internet files. When I then did a full system scan, TDS-3 made a positive identification (in archive) of tronserver.exe in C:\download\tron.zip. Good stuff. TDS-3 ... what a hunk of software!!!
Bob
Jooske
May 30th, 2002, 07:12 AM
I got the download for scanning it and like the screenshot above in Paul's posting.
I wonder if this is the same or equal tool as another "advertised" these days (potext), must read the advertisements better for better impressions.
And TDS is going to be even better.... she whispered respectfully...
TonyKlein
May 30th, 2002, 08:37 AM
A properly updated Trojan Hunter apparently does recognize it.
Take a look at this thread (http://www.dslreports.com/forum/remark,3424816~root=security,1~mode=flat;start=20)
I downloaded the compressed file, and both NAV and NOD32 not unexpectedly declared there was nothing wrong with it.
Being chicken, I didn't feel like experimenting with it in order to find out whether BOClean might detect it when it became active.
I did write to Kevin to inquire whether they knew about this one.
I'm sure it'll turn up in the forthcoming trojan definitions, though.
They're usually pretty fast.
I admit I'm tempted by TDS-3, although I am a little scared of being blinded by science when using it. ;D
Paul Wilders
May 30th, 2002, 09:18 AM
Hi Tony,
Indeed Magnus did make a database update available (see under the "update alerts" forum here) regarding TrojanHunter. He did get a copy somewhat later, as it seems.
Quite true: NAV, NOD32 do not catch the nasty - yet. In essence, AVs should be superb in their job, and ATs in theirs. Relying on an AV in order to catch trojans is not providing the needed security in general.
Kevin will update the BOClean database; no doubt about that.
As for TDS and the learning curve: Upcoming new v4 comes in different flavours, "easy ones" as well.
regards.
paul
TonyKlein
May 30th, 2002, 09:31 AM
Hi Paul,
I know about the AVs, but I just thought I'd try them on this trojan in order to find out what they'd say.
I'm happy using BOClean, but every now and then I think it would be nice to have a good on-demand scanner as well.
Mind you, not that I feel unprotected running these three apps.
I'm quite a prudent, run-of-the-mill computer user really, and I don't go looking for danger.
As a matter of fact, I can't even remember an occasion when BOClean had to jump in to save the day.
I just get your run of the mill Klez, Loveletter, Magistr thingies, and nothing really exciting ever comes my way, I'm sorry to say (NOT?)... :D
But about TDS-3, even without using 90% of all the options, I take it you can hopefully just scan a file or scan a drive without having to go through the entire user manual first?
And I also assume that TDS-3 users are entitled to a free upgrade to TDS-4 when it's issued.
If that's the case, I might well give it a try.
Checkout
May 30th, 2002, 09:44 AM
{QUOTE-> I might well give it a try. <-QUOTE}
Just because it's got bells and whistles, you don't have to be musical....
TonyKlein
May 30th, 2002, 10:10 AM
{QUOTE->
Just because it's got bells and whistles, you don't have to be musical....
<-QUOTE}
Ha! ;D
And I just might feel like taking music lessons in the future, of course... ;)
Meanwhile, about this trojan, I mailed Kevin at BOClean support about it, and I got this response:
Needless to say, already covered in BOClean's update overnight ... I took a look at it myself. Heh. What a *LAMEASS* pile of ... ummm.
Doesn't even have an "explorer" so the kids can waft around the disk, a number of really poorly crafted "tools" and of course the obligatory "shut down a few firewalls" but unlike what we're seeing out there that really IS a threat, this one doesn't replace their screens with new ones inside the trojan so you never know your protection went poof on you. Nor does it have the "spot-killer" which repeatedly hammers away at any attempts to restart same (assuming it wasn't completely destroyed and all hooks to go back to the vendor's site and get fixed up again are gone and blocked below the winsock) ... in the greater scheme of things that we deal with day in and day out, this one's pretty pathetic.
But we covered it anyway like so many other pathetic toys. Thanks much for turning it in. :)
Jooske
May 30th, 2002, 10:33 AM
Music from TDS?
Yes!
Some scripting; at least you must have heard it singing "happy birthday to you" in one of the scripts, and yes, you can set something up to make it sing on your birthday. And you can use the jukebox script.
For the scanning there was one easy configuration script as well; I posted it even in one of the threads over here. I'm working on an HTML / vbs version to make it easier and voice controlled, so what you know already to configure under the configuration tab, to put the sockets on automated and to configure the scan at wish with all you like to scan, including your whole network and your neighbors and people in the chatbox you're visiting, whatever you like, and remote controlled from your wireless phone maybe if you like; yes, it's all there, but not in that script :)
More explanations in the helpfile, which is a real interesting manual, with screenshots, explanation everywhere, and it seems to be growing all by itself, discovering more each time when searching something.
TonyKlein
May 30th, 2002, 10:54 AM
Thank you, Jooske (yes, that's right, yet another Dutchie here... :D)
Well, I've started by downloading the helpfile, and as soon as I've memorized that, I'll fearlessly dive into the deep end, and maybe download a trial version.
I'll keep you posted!
Cheers, Tony
FanJ
May 30th, 2002, 11:32 AM
Hey Tony,
You will not regret it; as you know I too run the excellent combo TDS-3 - BOClean (one for on-demand, one for resident).
(BTW: you were not the only one who sent it to Kevin ;) )
Greetings, Jan.
Jooske
May 30th, 2002, 11:46 AM
The helpfile is of so much more help with TDS if you can see what you're doing and hear, taste and sniff it and just do it :)
There are some screenshots in the manual.
Don't even pretend to ever learn it all by heart, as it's over 300 pages and a still growing number, and all renewed with the new version, etc. etc. I just know where to find it if needed and I enjoy the new finds when digging again.
By that time, imagine, I'll have to renew several scripts and wave files, where it explains TDS-3 and "Welcome to TDS-3" etc. etc. etc.
But by that time you'll want to be able to play the "jingle bells" scripts you discovered, and before long you need a registered version for that, in the meantime discovering so many reasons why you don't even want to consider being any single day without your most preferred and beloved program and the whole registered operators family with that, and the many more options a registered operator has..... or would you really like to study the TDS-4 manual first, to hurt yourself any longer with all the gems and diamonds you don't have at that moment?
Ahhh TDS... what a gem!
Wished I could include some nice sexy TDS screenshot of some configuration or a trojan detection, whatever.
Pssst: some script includes my voice!
This was about tron, I remember; ok, TDS does detect it very well, as we see in Paul's screenshot as well.
Lots of Fun with your TDS manual study! I prefer it digital.
Praise, praise :)
TonyKlein
May 30th, 2002, 11:56 AM
Well, you guys almost managed to convince me already, I must say.
The promise of hearing Jooske's voice alone already makes me feel like rushing out and buying the product, skipping the trial version altogether! ;)
When is TDS-4 scheduled to be presented to the hungry masses?
If it's only a month or so, I might wait for the latest and greatest.
Jooske
May 30th, 2002, 12:46 PM
No reason to wait for that either, as we, the beta testing team, are not at the stage of beta testing the whole product yet, nor do we really know details.
And: upgrading will be free of charge, so why wait?
I always love to play around and see the new toys included. Or maybe a whole reorganisation of all there is, extra tools, different ways........
You might like to look at the WormGuard trial as well once you're there getting the TDS trial.
The registration doesn't cause new downloads, it only includes the keyfile, whose diamond key will unlock some former limitations to even more functionality, like the exec protection and being able to run all the scripts and other things Wayne might not have told us.
Take your time and have a nice look at it, as the trials are for free, even if you don't download them via my hop-clickbank URL :) which I don't post here <<wide grin>>; just click www.tds.diamondcs.com.au and enjoy the real world of security the happy way.
Happy? Yes, because we are in the driver's seat and there are always nice family members in the passenger seats around. That's what we have the TWO forums for, not to forget the large educative manual and euhm.. TDS itself waking us up, friendly calling our name and some tips of the day, etc. etc. and whatever we have it doing beside the original included tasks via our own scripts!
TonyKlein
May 30th, 2002, 01:07 PM
Thanks Jooske,
I'll probably download TDS-3 in the course of this weekend.
I may even purchase it right away, as I'm convinced that if I'm to go for an on-demand anti-trojan, there's probably no need to look any further than TDS-3, with all its configurable bells and whistles.
As you see, I've become a believer already...;)
I'm interested in Worm Guard as well, but good grief, does one really need Nod32, NAV, BOClean, NIS, TDS-3 and Worm Guard?
And yes, I know it's a superior product, but what if I'm never going to get to use it because all my other stuff clobbers the occasional nasty first.
Let's start with TDS-3, and we'll see what we'll do after that.
Greetings, Ton
Jooske
May 30th, 2002, 01:23 PM
Hi again Ton,
NIS and WG 3 don't go well together, but v4 won't be a problem I guess/hope. We are promised TDS and WG 4 will make other developers green with envy and jobless, as will their products be, I might suppose with that.
Girls like diamonds, so I like to use all of their gems
http://www.diamondcs.com.au/web/img/diamond.gif
http://www.diamondcs.com.au/web/img/dcslogo.gif
and boys like girls, even more with diamonds, so a perfect combination, isn't it?
As we know the DCS gems are top of the security business we keep laughing and happy, discovering new abilities, even in our own scripting!
Nice, isn't it? :)
Greetings,
Jooske
TonyKlein
May 30th, 2002, 01:31 PM
:)
Jooske,
Are there known issues with NIS and TDS-3 that you're aware of??
FanJ
May 30th, 2002, 01:51 PM
{QUOTE-> :)
Jooske,
Are there known issues with NIS and TDS-3 that you're aware of?? <-QUOTE}
As far as NIS 1.0 is concerned: none.
With respect to the newer versions: AFAIK: no
TonyKlein
May 30th, 2002, 02:00 PM
Thanks!
I'm running NIS 4.0, but as I'd use TDS-3 strictly for on demand scanning, I don't think anything much could happen that I wouldn't be able to correct by disabling NIS for a moment.
You can probably count on me being a frequent visitor to the TDS-3 board.
I can only advise everyone there to brace themselves for a lot of stupid questions... :D
Jooske
May 30th, 2002, 03:02 PM
Which of the TDS-3 boards Tony? This Only Official Public DCS / TDS Forum or the Registered Operators Only Private Forum.
I'm frequenting both :)
You know, we love stupid questions, as the only stupid questions are the ones not asked at all, so we can all learn from them and from all the others which are asked even more all together!
Looking forward to learning lots more!
UNICRON
May 30th, 2002, 03:09 PM
Ya stupid questions are good because they make us look smart when we know the answer. Smart questions are sometimes bad because they are often too hard to answer ;)
TonyKlein
May 30th, 2002, 03:16 PM
{QUOTE-> Which of the TDS-3 boards Tony? This Only Official Public DCS / TDS Forum or the Registered Operators Only Private Forum.
I'm frequenting both :)
You know, we love stupid questions, as the only stupid questions are the ones not asked at all, so we can all learn from them and from all the others which are asked even more all together!
Looking forward to learning lots more! <-QUOTE}
This one, I guess, as it's the only one I'm acquainted with.
Besides, I "do" 2 Dutch and 5 American boards, and I'm not really looking to add any more to those (for the moment, that is... ;D)
{QUOTE-> Posted by: UNICRON Posted on: Today at 6:09pm
Ya stupid questions are good because they make us look smart when we know the answer. Smart questions are sometimes bad because they are often too hard to answer <-QUOTE}
No prob: I'll try to avoid the smart ones, then... 8)
Bouch
May 30th, 2002, 04:11 PM
{QUOTE-> A properly updated Trojan Hunter apparently does recognize it.
<-QUOTE}
Tony, just for the record, at the time that I performed the scan with Trojan Hunter, TH was "properly" updated in the sense that all updates available at that time were installed. Magnus had yet to issue an update that allowed TH to detect tronserver.exe. By the way, IMHO Magnus is justly deserving of a hearty "atta boy" for releasing the update within two hours of the file's submission. As of now (well, about 5 minutes ago), Tauscan has yet to be updated to detect this trojan.
{QUOTE-> URL refers to trojan download and has been altered for that reason - Forum Admin
<-QUOTE}
While I certainly understand why this action might be taken, it didn't seem out-of-line for me to provide the link. It appeared in the DSL Security Forum and, as of this moment, it still appears there unaltered. I used Tauscan for about two years before significantly upgrading my AT to TDS-3 and, in all that time, it never detected a single trojan on my system (unlike NAV in the case of viruses). Now it might appear that I'm bashing my own good fortune but not at all. Because it never detected a single trojan, there was always this lingering doubt in my mind as to whether it was effectively doing its job. Because I was able to download this trojan and watch TDS-3 detect it in short order (while others failed to do so at the same point in time), I am now convinced that TDS-3 is effectively doing its job. I now know that I made a worthwhile investment when I became a licenced TDS Operator. It was a realization that I wanted other TDS users to experience. In some ways, I wish that there was a test bed of trojans (modified so as to be rendered harmless if that's feasible) for this purpose. Regrettably, if there is such a resource, I haven't been able to locate it. Regards.
Jooske
May 30th, 2002, 05:44 PM
Hi guys,
So nice you don't always make it so difficult, so that I can seem at least a little smart knowing some answers in the discussions :)
And I don't even eat smarties, preferring M&Ms!
I doubted the link as well, altering it or not, as this site's TOS is not to allow any link to real warez and trojans, and thus I left that part the responsibility of the board owner.
But I had in the meantime downloaded the thing to be able to do the testing you did, but I did not unzip it, as it was detected as it was already, like Paul's screenshot.
Gradually I am building my own test zoo from the nasties that come to my system; some I forwarded to the DCS lab and I keep a copy. Very seldom would I download a sample myself, although it is recommended, when we run into a nasty, to keep a zipped copy of it just in case, and we might like to submit a sample to the DCS lab. On the DiamondCS site are some samples, like I remember a test file in the Mirclean script and some more. If you get Gibson's Leaktest it will be detected as a demo, etc. I do in between some online scan when I think of it, at housecall, panda or bitdefender, just as all have other methods of detection, and I know of course my test zoo and don't allow them to clean that valuable collection out.
I know the feeling of never detecting a thing, so I once went to housecall for an online scan in my first days of learning something about security and was shocked about the many finds, including CIH which McAfee had not found at all. So byebye m.a. Nice to beta test several to see what suits you best. Without WormGuard and TDS I would not be so confident and quiet at all, I suppose.
Convinced TDS is doing its job? And it's getting even better soon!
Bouch
May 30th, 2002, 07:58 PM
Hi Jooske!
Nice of you to respond with your comments. As you know more than most, the job of any AT is to identify and remove trojans. It's the raison d'etre for TDS-3 and its competitors, and why nice folks like you and me purchase a licence to use it.
When I purchase any product, the first thing that I want to do is watch it successfully perform the task that I purchased it to undertake. IMHO, that certainly doesn't make me unique. Two months passed in the case of TDS-3 (two years in the case of Tauscan!), and I had yet to see TDS-3 demonstrate its capacity to perform the task that it was purchased to perform: namely, detect a real trojan (not Steve's Leaktest which, as you know, TDS-3 identifies as "not a real trojan") and remove it.
Now, I'm sure that all the folks at DiamondCS (Wayne, Gavin etc.) are among the best examples of humanity to be found anywhere on the planet and, if they tell me that TDS-3 is the best product available to detect and remove trojans, I should accept their statements as gospel without question. Yeh but .... I may be Canadian Jooske but, in this regard anyway, I'm from Missouri. Show me! I wanna see it happening! Am I the only one who thinks this way? I may be wrong, but I doubt it in this case. That is why this experience with tron.zip (containing the nasty tronserver.exe) was so gratifying for me (I'm almost retired so it doesn't take much these days lol). I posted the link so that others might enjoy the same gratification. Perhaps this was an error in judgement on my part but I have a tendency to think not.
While I both understand and accept Paul's action in rendering the link non-functional (he's the owner, he calls the shots and that's as it should be), I remain unconvinced that it was necessary. Based on the information that was provided, it was about as close as a home pc user will likely come these days to a controlled situation IMO. Oh well, water under the bridge as the cliche goes.
controler
May 31st, 2002, 02:14 AM
The trojan you are chatting about is a common one.
All the trojan making software uses compressed exes, then binds them.
The sites I have been to have some new stuff coming down the pike. Their kick is to always stay one step ahead of trojan scanners.
These guys are releasing software that allows you to name your own server. You then have the choice of adding the entry to the run, run once, and one hidden
;) The only way these trojans can start is through one of the known startups in Windows.
If their new version only lasts a day without detection, that is long enough to do massive damage to government agencies around the globe.
Don't sweat the little stuff..
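The startup locations controler refers to (the Run and RunOnce registry keys) are where a defender looks for a self-installing, randomly named server like the one described at the top of the thread. The Python below is an added example, not code from this thread or from DiamondCS: on Windows it reads the Run/RunOnce values through winreg, and on any platform it applies a few triage heuristics to each entry (program under a temporary directory, unquoted path containing spaces, random-looking executable name, referenced file missing). The heuristics, SAMPLE_ENTRIES and the value names in them are constructed assumptions; only the registry key paths are the standard ones.

```python
import os
import re
import sys

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUN_KEYS = [("HKLM", RUN), ("HKLM", RUNONCE), ("HKCU", RUN), ("HKCU", RUNONCE)]


def read_run_entries() -> list:
    """Collect (hive, key, value_name, command) from the live Run/RunOnce keys.
    Uses winreg, so it returns an empty list on anything but Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                index = 0
                while True:
                    try:
                        name, value, _type = winreg.EnumValue(handle, index)
                    except OSError:
                        break          # no more values under this key
                    entries.append((hive, key, name, str(value)))
                    index += 1
        except OSError:
            continue                   # key absent (RunOnce often is)
    return entries


# Program path = the quoted first token, or everything up to the first executable
# extension followed by whitespace/end (handles unquoted "C:\Program Files\..." paths).
_PATH_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)


def executable_path(command: str) -> str:
    cmd = command.strip()
    match = _PATH_RE.match(cmd)
    if match:
        return match.group(1) or match.group(2)
    return cmd.split()[0] if cmd else ""


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption, not a rule) for generated names:
    6+ characters with no vowel, or 8+ characters with three or more digits."""
    s = stem.lower()
    if len(s) >= 6 and not any(ch in "aeiouy" for ch in s):
        return True
    return len(s) >= 8 and sum(ch.isdigit() for ch in s) >= 3


TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def triage(entries, exists=os.path.isfile) -> list:
    """Return [(entry_path, program, reasons)] for entries worth a closer look.
    `exists` is injectable so the logic can be exercised off a Windows box."""
    findings = []
    for hive, key, name, command in entries:
        program = executable_path(command)
        lowered = program.lower()
        reasons = []
        if any(marker in lowered for marker in TEMP_MARKERS):
            reasons.append("runs from a temporary directory")
        if " " in program and not command.strip().startswith('"'):
            reasons.append("unquoted path containing spaces")
        stem = os.path.splitext(os.path.basename(program.replace("\\", "/")))[0]
        if looks_random(stem):
            reasons.append(f"random-looking executable name '{stem}'")
        if program and not exists(program):
            reasons.append("referenced file not found on disk")
        if reasons:
            findings.append((f"{hive}\\{key}\\{name}", program, reasons))
    return findings


# Constructed entries (not taken from any real system) used to exercise the triage.
SAMPLE_ENTRIES = [
    ("HKLM", RUN, "ctfmon", r'"C:\Windows\System32\ctfmon.exe"'),
    ("HKCU", RUN, "xk7q2p", r"C:\WINDOWS\TEMP\xk7q2p.exe"),
    ("HKLM", RUNONCE, "Updater", r"C:\Program Files\Some Vendor\upd.exe /silent"),
]


if __name__ == "__main__":
    live = read_run_entries()
    entries = live if live else SAMPLE_ENTRIES   # fall back to the sample off Windows
    for entry, program, reasons in triage(entries):
        print(f"{entry}\n    {program}\n    - " + "\n    - ".join(reasons))
```

The heuristics only rank entries for a human to look at; a legitimate installer can trip the unquoted-path rule and a short vendor name can look random, so the output is a review list, not a verdict. On a real box the detection-name field is what an AT like TDS adds on top of this: it hashes the file the entry points at, which this script leaves to the archive-scanning example earlier in the thread.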
Paul Wilders
May 31st, 2002, 05:58 AM
Hi Bouch and all,
The reason why we do not allow malware URLs being posted is twofold:
a) the same that caused me to criticize Gibson over on GRC, say, one year ago, for posting such a link - resulting in many, many people without proper defenses installed becoming infected (and my person being flamed all over GRC - grin);
b) the reason as stated by Controler:
{QUOTE-> If their new version only lasts a day without detection, that is long enough to do massive damage <-QUOTE}
Although I can see why anyone with good and updated defenses installed feels the wish to check his/hers defenses using a "real one", our policy as stated in the TOS is for good reasons: we do want to avoid in any circumstance unprotected/badly protected systems becoming infected.
regards.
paul
Bouch
May 31st, 2002, 09:18 AM
Thanks Paul. Understood.
Copyright ©2002 - 2009, Wilders Security Forums