Wilders Security Forums  

Archived Forums > Closed Sub-Forums > Archive of DiamondCS Support Forums > Trojan Defence Suite
#1 September 6th, 2005, 04:37 AM
beethoven (Frequent Poster; Join Date: Dec 2004; Posts: 719)
Subject: win32:sdbot-2325 [trj]

I hope it's not too late to expect some assistance here in this forum.
I just did a scan with avast and was told that a trojan horse was found: Win32:SdBot-2325 [Trj]. What startles me is that the file in question is: "Program Files\TDS3\xDynamic\TDS.fps\DCSFPS13.bak".
While I have been using TDS3 on two other PCs, this particular PC only ever had the trial version. It is not heavily used on the net and I am wondering if this is not an fp.

Anyone still out there dealing with TDS3 issues?
#2 September 6th, 2005, 05:04 AM
Pilli (Incredibly Massive Poster; Join Date: Feb 2002; Location: Hampshire UK; Posts: 6,217)
Subject: Re: win32:sdbot-2325 [trj]

Hi beethoven,
Quote:
just did a scan with avast and was told that a trojan horse was found: Win32:SdBot-2325 [Trj]. What startles me is that the file in question is: "Program Files\TDS3\xDynamic\TDS.fps\DCSFPS13.bak".
Looks like a backup file, simply delete it. Not sure what it is but may be some sort of receptacle for TDS3 scans. Anyway, not that important now.

HTH Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
#3 September 6th, 2005, 06:28 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Subject: Re: win32:sdbot-2325 [trj]

If that is the only alarm it is a bit strange. That folder contains copies of critical system files from which they are replaced in case of missing or damaged files. So the original should (have been)/be alarmed on too.
If you still have the file check it another time at one of the online file scanners.

"fps" does not stand for "false positives" !
__________________
Jooske
"o_o"
#4 September 6th, 2005, 07:18 AM
beethoven (Frequent Poster; Join Date: Dec 2004; Posts: 719)
Subject: Re: win32:sdbot-2325 [trj]

Quote:
If you still have the file check it another time at one of the online file scanners

Avast had moved the file and changed the file ext, so it took me a while to locate it again. Once I did, the alert came back immediately. I then moved the file to quarantine (or the chest, as Avast calls it). Neither Jotti nor Kaspersky online raised any alarm when submitting it.

Quote:
So the original should (have been)/be alarmed on too

Nope, it was just this one file.

Quote:
"fps" does not stand for "false positives" !
#5 September 6th, 2005, 07:40 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Subject: Re: win32:sdbot-2325 [trj]

That fps folder.

Submit the file to Gavin on the submit address in my signature for second opinion, with a link to this thread.

Was it the first time avast alarmed on it?

Submit a copy to avast and tell them it looks like a false positive, since it is a copy of the original file elsewhere on your system on which there is no alarm.
Maybe avast alarms as it is in another location than the Windows or system(32) directory where it probably belongs.
But you want that file there since it enables TDS to take good care of it.

Look in the file properties: was it modified recently? If not, it must be a false positive.
__________________
Jooske
"o_o"
#6 September 6th, 2005, 08:07 AM
FanJ (Posts: n/a)
Subject: Re: win32:sdbot-2325 [trj]

In TDS-3 fps means File Protection System.

See the subject File Protection System in the Help-file.

Quote:
File Protection for TDS-3 - DCSFPS2
TDS-3 now has an additional system on-board to ensure that its critical files are never deleted or corrupted. This file protection system, code-named DCSFPS2 for short, allows TDS-3 to maintain a database of secured backups of critical files. If it ever detects that a critical file has been deleted or corrupted, TDS simply gets DCSFPS2 to restore the file from its secured backup stores.

As a real-world example, the Update feature of any anti-virus/anti-trojan system is an important capability. In TDS-3, if the Update system is ever deleted or corrupted, TDS-3 will simply restore a known-good backup of the Update files, alert you with a message, and then things proceed as normal with the Update facility launching.

As an additional security measure, while DCSFPS2 is active (e.g. whenever TDS-3 is running) its secured backup files are locked, preventing both read and write access.

The DCSFPS2 system is fully automatic and transparent to the user - it takes care of everything, and the only time you'll ever hear from it is when it has restored a backup from its secured stores.
#7 September 6th, 2005, 09:05 AM
beethoven (Frequent Poster; Join Date: Dec 2004; Posts: 719)
Subject: Re: win32:sdbot-2325 [trj]

Quote:
Submit the file to Gavin on the submit address in my signature for second opinion, with a link to this thread.

Done.

Quote:
Was it the first time avast alarmed on it?

Yes, and only for the bak file within the TDS folder.

As to a submission to Avast - will do so once I have figured out their submission address.

Thanks Jooske

and also thanks FanJ for the explanation of fps - it's always good to learn something new, though in this case I was merely talking about a false positive without reference to the file protection system.
#8 September 10th, 2005, 12:37 PM
Gavin - DiamondCS (Former DCS Moderator; Join Date: Feb 2002; Location: Perth, Western Australia; Posts: 2,080)
Subject: Re: win32:sdbot-2325 [trj]

Oh.. it's UNRAR.DLL? 31kb, and if you send it to my profile email I can verify that.

Most likely a recent trojan has unpack routines built in, or even uses a free RAR library, which was then badly selected as detection signatures. Signatures are best selected from unique code, not things like this.
#9 September 10th, 2005, 01:07 PM
BigAl_LBL (Posts: n/a)
Subject: Re: win32:sdbot-2325 [trj]

Was there any feedback on this? I have the same report and also wanted to know if it was a false positive. In my case it first appeared in unzip.dll.
#10 September 10th, 2005, 01:33 PM
Gavin - DiamondCS (Former DCS Moderator; Join Date: Feb 2002; Location: Perth, Western Australia; Posts: 2,080)
Subject: Re: win32:sdbot-2325 [trj]

Yes.. that would be a DEFINITE false alarm! Report it to the vendor so they can fix it.
#11 September 10th, 2005, 10:09 PM
beethoven (Frequent Poster; Join Date: Dec 2004; Posts: 719)
Subject: Re: win32:sdbot-2325 [trj]

Great - thanks Gavin
#12 September 11th, 2005, 11:02 AM
BigAl_LBL (Posts: n/a)
Subject: Re: win32:sdbot-2325 [trj]

Thank you