Mystery Doomjuice caught

Discussion in 'Trojan Defence Suite' started by Possum, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. Possum

    Possum Registered Member

    Joined:
    Mar 1, 2004
    Posts:
    7
    :eek: I am more than a little mystified. I have TDS running at startup, regularly updated. I also use Port Explorer, an anti-spam filter, firewall regularly updated (ZAP), plus AV regularly updated. I never open mail attachments and I don't view email in HTML format (I don't use Outlook) , so I consider myself pretty much in "paranoid protection" mode :cool:

    So, as far as I know, I never had a problem with MyDoom. However, one morning to my surprise, TDS warned me of a change in my registry - and on checking I found the DoomJuice B entry NeroCheck=C:\WINDOWS\system32\NeroCheck.exe in my registry. It had been there since it's "dropping" date of 12th Feb.

    TDS deleted the key for me, but I am mystified as to how this MyDoom b variant could have arrived into my registry, when I never had the original MyDoom ? If anybody has any ideas, I'd be much enlightened...

    I'm running WinXP Home Edition.

    ps hope TDS is the right forum for this. I don't have WormGuard as yet, but am seriously considering it :D
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Possum, A false positve I believe, update your radius file and all should be well again :)
     
  4. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    HI possum,
    A quick question, you seem to be paranoid on protection, do you have Registry Protector (free from DiamondCS?
     
  5. Possum

    Possum Registered Member

    Joined:
    Mar 1, 2004
    Posts:
    7
    Hi Jooske : Thanks for the forum link re WormJuice - yes, it sounds exactly the same - except that TDS found the registry entry, deleted it, and I haven't seen it since. Maybe it was a false positive - except that I did see the key in my Registry, which kind of freaked me out. If I still had this file, I'd submit it, but it has now gone. Regular checks with TDS have since come up clean. If it wasn't a false positive, I'm still wondering how it arrived.

    Just wondering now, with TDS and Port Explorer, am I going overboard in thinking of getting Worm Guard and Process Guard as well? Would Process Guard be superfluous if I already use TDS, which does a process scan? You Diamond folks have such great products I seem to want everything
    :D
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Possum, Yo wrote:
    Process Guard protects running processes using a special driver and stops many new threats, rootkits for example, from shutting down, suspending etc any protected process. The driver works at the lowest possible level in your system, no other protection can do this.

    Use the link in my signature below to read all of the facts.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The products are great, indeed, i have all that can run on myu win98se system and as soon as i have win2000 and XP installed (when.. if... ) i'll make sure to have the others too asap! They all work in addittion to each other. Looking forward to next products as well again!
     
  8. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I backed up my registry key when TDS reported the worm but when I received the all clear I imported the key again as I asked others who had Nero and discovered it was meant to be there. As soon as TDS updated the database Nerocheck.exe is no longer in the alert screen. I am not sure if Nero will re-create the key when you use it but just in case you find it again it is safe; believe me I was in a panic the weekend I discovered mine :oops:
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Can imagine the panic, of course!
    Let's all agree in such cases to please submit the finds to submit@diamondcs.com.au even if we hope it is a false positive; if i had seen it i would even get back to an older system restore point to see if i had the nasty there to be able to submit it to make sure it is there :)
    If it was there, i suppose TDS scan would find it in older system restore points, or is that not possible with this one?
    In fact i never delete a find without sending it to TDS or it should be a very well known thing. As long as i'm in doubt either zip the file or rename the extension adding something behind it, so it's easy to find back while it can't run.
    Changed registry keys i don't remember so i wouldn't exactly know what to do with them, backup like you did i suppose just in case.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi possum, Can you please post the contents of your scandump.txt that is found in your main TDS3 folder, it would be interesting to see what the key says.

    Thanks. Pilli

    For all dubious files please send to: submit@diamondcs.com.au Thanks. :)
     
  11. Possum

    Possum Registered Member

    Joined:
    Mar 1, 2004
    Posts:
    7
    Hi Pilli : This key does not figure in my scandump.txt at all o_O I have never checked my scandump file up until now - and I see there is only one entry in it, an old one which has nothing to do with the false doomjuice alert. :rolleyes: I wonder why the false alert does not figure...
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Possum, Makes you wonder whether something else deleted the key, did uou scan with any other tools?
     
  13. Possum

    Possum Registered Member

    Joined:
    Mar 1, 2004
    Posts:
    7
    Hi again Pilli - No I only scanned with TDS. When the suspicious entry came up I had a second look at it via Regedit. Then I went back to TDS and asked TDS to delete the key. Maybe I was supposed to save or something first? I then went back to Regedit again, and saw that the key had disappeared. (I'm fairly new to TDS and am still familiarising myself with the setup)

    Btw, my main TDS files are all situated within the PCProtector folder - I guess - hope - this is where they should be :rolleyes:
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You do know you have to make the scandump.txt manually by right-clciking on an alarm and choose that save function? It copies the whole current alert window overwriting the former results.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.