Does TDS detects "trojan downloader"s?

[ronny]

I ask this because i did a test with a friend. We noticed that TDS didn't detect :
Trojan Downloader(59904).Win32.INService.h
Trojan Downloader(258 ).Win32.Small.gl

Dr.Web, Kaspersky, Housecall found the 2. e-Trust found the 2nd one, Small.gl.
I don't know how i can see which trojans TDS detects .
Are these downloaders perhaps no real trojans? So is that the reason they are not detected? Or am i completely wrong
Thanks for the help!

[Pilli]

Hi Ronny, To see TDS primary list go to Help - Primary list.

Make sure you have downloaded the latest radius file from here: http://tds.diamondcs.com.au/index.php?page=update

Some downloaders are harmless and some TDS3 detects, I am not sure about your two but no doubt Gavin would be interested in analysing them, so please submit@diamondcs.com.au

Thanks Pilli

[Jooske]

Some files exist with several names, and like Pilli said, maybe the downloader was not nasty enough to be added?

[ronny]

Thanks a lot Pilli , of course i looked everywhere in TDS except there

They seem not to be included in TDS's list, or perhaps they where there with a different name or "not nasty" enough like Jooske said

I found the following information for the 2 on Trend Micro's website:
For the first one:"This Trojan downloader is either dropped by another malware, or is manually installed by the user.
Upon execution, it opens an Internet Explorer browser and downloads files from the following Web sites:
http://stat7.z-s<BLOCKED>t.com/ps
http://stat8.z-s<BLOCKED>t.com/ps
The said URLs respectively point to two malicious files, detected by Trend Micro as the following:
TROJ_ISTBAR.Q
ADW_PURITYSCAN.F. "

For the second one :"This Trojan downloader connects to the following URL:
http://www.slot<BLOCKED>.com/ist/softwares/bundlers/
It then downloads the file BUNDLER_REGULAR.EXE from this site and installs it in the Windows Temp directory using the following name:

BUNDELRNETSCAPE.EXE
This file is detected by Trend Micro as TROJ_ISTBAR.EH.
This Trojan is created in Visual C++ and arrives as a UPX-compressed file. "

But still not clear to me if they are really dangerous.Leave that decision to people like you who really know that kind of things.Is that not one of the reasons i am visiting this forum , learning from the specialists .

They need all the help they can get, so sen em off ...

[ronny]

Quote:

Originally Posted by wildrover

They need all the help they can get, so sen em off ...

Ok files send to Diamondcs for analysis. I hope it's not a waste of Gavin' s time.

[Pilli]

Thanks Ronny, Hopefully it will not be long before Gavin has an answer.

[Jooske]

Don't be shy submitting files as it's never waste of time: better many times a known file or even an innocent file then one time getting infected by something nasty and we'll need all together lots of time to get you clean and safe again!

[pitti]

I discovered 4 trojandownloaders on a virus scan but my software wouldn't delete them. I have multiple security programs and didn't realize I was missing trojan coverage so I downloaded this program to try. It didn't identify any of the files.
I've searched on the internet and there are several different forms of the trojandownloaders. They have slightly different names and they attack different parts of windows.
I ended up using kapersky to get rid of these files. Pest patrol also recognizes them.
My version was called this:

trojandownloader.win32.inservice

I'm not a regular user of this software and was just trying it out to see if I wanted to buy it. It's failure to identify infected files doesn't inspire much confidence.

[Pilli]

Hi pitti, Did you download the latest Radius file from here: http://tds.diamondcs.com.au/index.php?page=update and put it in the main TDS3 folder?
Did you open Scan control and enable all the boxes?
Did you set the Generic detection to it's highest setting?
Were you running a resident Anti-virus scanner when you did the TDS3 full system scan?

Some downloaders are not Trojans or are not considered dangerous.
If you still have copies of any of the files please zip and send to submit@diamondcs.com.au for analysis.

HTH Pilli

[Jooske]

Hi there pitti,
With all Pilli's good questions, let me guess if you used AVG?
AVG has the habit hiding files for other scanners, especially if you also keep the resident protection on. If you have AVG running, please open the GUI, uncheck all the marks and close it again.
Now you should see more in scans with other scanners.
There might be more scanners doing the same, but especially AVG is famous for that.
Also make sure in your folder options your settings are to show all hidden files and extensions.

Ronny,
as you can search in the HJT forum here you'll see those files you mention a lot in the infected HJT logs, so i really do hope you did not get infected yourself!

[pitti]

I run avast as my resident antivirus software- it reported no problems. I usually do an extra scan monthly with AVG and that's how I detected the trojans.

I did download the update, check all the boxes etc. The one thing I missed was turning off avast. Would that stop the detection of trojans?

[Gavin - DiamondCS]

Those are adware downloaders, but as long as your antivirus handled it thats a good start. We appreciate submissions of anything new which isn't detected - so send them in !

Please note that if your antivirus detects a trojan then it will lock the file so nothing can access it, not even TDS. This can often be the reason for a non detection

Edit: INService is one name that I do remember, so it should be detected

[tutankamon]

Hi all,
I had downloaded some freeware icons recently, I downloaded into my DOWNLOAD folder on C drive, scanned with Norton AV nothing reported! (I have TDS3 to run on start up, and then minimise to system tray.) It was not until later in the evening that I maximised TDS and found to my horror that it reported "Positive ident Trojan Dropper Win32.Small.gt" embedded in the 3 files of icons I had downloaded earlier, I zipped them and submitted them. then deleted the files, also the files in my download folder. I have run a full system scan since and everything seems ok now. My questions are:- Were the trojans "trapped" by TDS, I mean were they still operating? Why didn`t TDS maximise and warn me? I realise that I should have selected the "Scan with TDS" option, while the files were still in the download folder, before opening them. Could this be another feature for TDS4 or TDS4 Pro?

[ronny]

Quote:

Originally Posted by Gavin - DiamondCS

We appreciate submissions of anything new which isn't detected - so send them in !

I will.

Quote:

Originally Posted by Gavin - DiamondCS

Please note that if your antivirus detects a trojan then it will lock the file so nothing can access it, not even TDS. This can often be the reason for a non detection

Ok, now i understand why TDS didn't detect it, my e-trust realtime scanner was first lol and had already cleaned the bad guys-girls.
But as long it was zipped , it still was there because Housecall and Kaspersky could detect it.I guess that if i executed it ( if my realtime virusscanner would be disabled), TDS would detect & clean it.
It certainly feels good to be so well protected.
Thanks again Gavin and you all there at TDS-3 for your excellent support.