Help?

mystifiednewbie · Jun 23, 2004

Hi,

I put up an xp system onto the net, that was only protected by sygate free firewall (no antivirus), and noticed that I had an unknown service navscan32.exe running on the sytem. Recognised this only cos the firewall asked for permission to open up an irc channel to a xxx.biz site.

Searching the system for this file, came across a file called navscan32.exe - 360f0aec.pf in windows\prefetch; googling got me the only sane reference from sophos av site - who called it a "W32/SDBOT-DO" variant. At that point I kept the original file, but deleted the registry entries as they suggested.

Then downloaded TDS-3 (eval version) and installed onto the infected system, as is. Did not update databases, did not update radius files or anything. Ran a full system scan twice, including drives, memory processes et al. It comes up clean, every time.

- Is this expected behaviour of TDS-3?
- Should I be doing something else as well?

Thanks in advance

LowWaterMark · Jun 23, 2004

You did not update the radius database? Is there a reason for not doing so? Definitions are a critical part of any anti-trojan product (or anti-virus product, for that matter). By not updating, you dramatically weakened TDS's effectiveness. I'm not saying TDS would necessarily find all infections, and TDS is not a replacement for an anti-virus product, but using it the way you did really isn't giving it much of a chance to help you.

the mul · Jun 23, 2004

Here is the latest RADIUS database

1. Close TDS if it is running.

2. Download the latest RADIUS database: http://www.diamondcs.com.au/tds/radius.td3 (Important: Right-click and choose Save Target As)

3. Save the downloaded radius.td3 file to your TDS directory, over-writing the existing radius.td3

You can then start TDS and it will load the new database.

The MUL

mystifiednewbie · Jun 23, 2004

No particular reason, thought it had that latest database in it; doing the update now. and will repeat the actions.

BTW: the worm was in the system before I installed TDS-3

mystifiednewbie · Jun 23, 2004

... database update solved the problem; recognised the file as "DDoD.RaT.iBot.c";
Apologies for the dumb (in hindsight) post - shoulda updated first

Tnx for your help

Jooske · Jun 23, 2004

Hope you're clean now; did TDS find more?

Did i understand correctly in files with normal legal names like "nav" which normally would have been parts of Norton Anti Virus were the infections?

No "suspicious" files detected? Those are the kinds we advice to submit to submit@diamondcs.com.au except for files only suspicious because of dual extensions.

TDS is an extra very important extra layer in defense, besides other av/at scanners like norton, kav, NOD32: this last one is an anti-virus in the first place but covers lots of worms and trojans too -- see the special NOD32 forum here -- while TDS is for trojans in the first place and covers worms, keyloggers, dialers, adware and spyware detection, trojan downloaders, etc etc etc

Log in or Sign up

Help?

mystifiednewbie Guest

LowWaterMark Administrator

the mul Registered Member

mystifiednewbie Guest

mystifiednewbie Guest

Jooske Registered Member

Log in or Sign up

Help?

mystifiednewbie Guest

LowWaterMark Administrator

the mul Registered Member

mystifiednewbie Guest

mystifiednewbie Guest

Jooske Registered Member

Useful Searches