RAT.Dua ti choi

Discussion in 'malware problems & news' started by scartissu, Jan 11, 2003.

Thread Status:
Not open for further replies.
  1. scartissu

    scartissu Registered Member

    Joined:
    Nov 12, 2002
    Posts:
    19
    Location:
    Canada
    What is this? o_O I ran a reg scan in TDS-3 and this showed up.. I can't find any info on it... not in English anyway :doubt: Then the next time I reboot I see a download.dat icon on my desktop??
    thnx 4 any info.. in advance

    http://members.shaw.ca/akeru2/myegg_sm.gif
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Heard from more people about this name, but not with the icon you mention.
    I don't have it with the last update; scanned all startups, rebooted, scanned again with a full system scan, but nothing.
    I know it is being looked into; did not see the results yet in the private forum or here.
    We'll keep in touch.
     
  3. scartissu

    scartissu Registered Member

    Joined:
    Nov 12, 2002
    Posts:
    19
    Location:
    Canada
    Hi Jooske.. I am not sure if the icon is part of the registry key. Could be a coincidence..
    RegVal Trace: RAT.Dua ti choi: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Taskmonitor=C:\WINDOWS\taskmon.exe]

    I would like to see what this "Dua ti choi" is doing, if anything. (I don't see any ports open in netstat that aren't supposed to be.) Anyhoo.. deleted the offensive buggar. Wonder how it got there?? I have RegPro running.. and have TDS-3 do the reg & file trace as part of the default... eheh.
    I saw a mention of port 911 but that's Dark Shadow I believe.
    K thnx Jooske.
     
  4. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    I found this thing too. Just wondering if it's the real deal or a false positive? o_O Steve
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If I had found it I certainly would have sent it as a sample to DCS labs for investigation.
    Still waiting for reactions; nobody else had the download.com icon as far as I saw comments, so for the moment I keep that as a coincidence, until further comments.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Unfortunately I don't understand Vietnamese, the language those pages are in, but I wondered from the little bits I think to understand if it might be Vietnamese for Sub7?
    If so our scanners should protect us; did you try online scans as well?
     
  7. scartissu

    scartissu Registered Member

    Joined:
    Nov 12, 2002
    Posts:
    19
    Location:
    Canada
    I did an online scan and the deleted reg key of dua ti choi didn't show up, but I'll be hung out to dry if a surpernova.e worm didn't show up.. it was never executed so I remain safe and sound, workstation for the moment :) A while back (about a month) I was concerned over my net connection being capped by my ISP because I couldn't seem to stay connected for very long (sometimes 5 min... to 1 hr.. depending on usage). If I was just wandering the web my connection stayed up for up to an hour.. as soon as I put some pressure on the modem, i.e. d/l a file, it rarely finished before I lost connection.. maybe 1 min. to 5 min. tops.. turned out to be modem kaput :eek: .. but I did some d/ling sans safety net... just to see iffin my connection would fail (yes it did). I think that's how these nasties got on my sys..
     
  8. beetlejuice

    beetlejuice Registered Member

    Joined:
    Oct 12, 2002
    Posts:
    8,523
    I'm almost thinking that it might be a false detection. After waiting for more info, I ran a regedit and nothing by that name was found. I then deleted the thing through TDS. I then opened TDS to run another scan and it is still showing up.
    Steve
     
  9. scartissu

    scartissu Registered Member

    Joined:
    Nov 12, 2002
    Posts:
    19
    Location:
    Canada
    I suspect you may be right beetlej, same thing happens to me when I delete in TDS-3 then rescan.. Notice though, that it points to taskmon.exe.. Why do you suppose it does that?
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I still wonder why some have it and others not, even from the same download locations.
    If you pronounce it with some accent, for me it sounds like "That'll teach you!"
    I do hope it's a false positive but surely would treat it like a real one and try to hunt and zip or quarantine it.
    As I see the story of it coming back after a reboot, try to reboot as little as possible, scan of course and keep looking for strange processes and connections, close or kill (netstat or Port Explorer) all unknown traffic; in the scanning of files look for modifications, such things.
    I wonder about that added registry key. If it says it's there but is not in reality, it should certainly be a false positive.
    Did not find translation engines for Vietnamese, dictionaries yes, but that is so many words to go through..........
    The nasty is over 6 months old, so protection against it is certainly in the TDS primaries.
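
As an added example (not code from this thread, nor from TDS-3 or DiamondCS), here is a Python script for exactly the check Jooske describes: take a RegVal Trace report like the one scartissu quoted (hive, Run subkey, value name and the command it points to), then ask the registry whether that value really exists and whether the file it names is on disk. The report format is assumed from the two quoted lines; the sample text below is constructed from them. The registry lookup uses the standard `winreg` module and therefore only runs on Windows; the lookup and file-existence helpers are injectable so the classification logic can be exercised elsewhere.

```python
"""Triage a TDS-3 style RegVal Trace hit against the live registry.

Added example, not the thread's or the product's own code. The report
format below is assumed from the two lines quoted in the thread.
"""
import os
import re
import sys

# Constructed sample, copied from the trace quoted in the thread.
SAMPLE_TRACE = """RegVal Trace: RAT.Dua ti choi: HKEY_LOCAL_MACHINE
File: Software\\Microsoft\\Windows\\CurrentVersion\\Run [Taskmonitor=C:\\WINDOWS\\taskmon.exe]
"""

# "RegVal Trace: <detection name>: <hive>"
TRACE_RE = re.compile(r"^RegVal Trace:\s*(?P<name>.+?):\s*(?P<hive>HKEY_[A-Z_]+)\s*$")
# "File: <subkey> [<value name>=<value data>]"
FILE_RE = re.compile(r"^File:\s*(?P<subkey>[^\[]+?)\s*\[(?P<value>[^=\]]+)=(?P<data>.*)\]\s*$")


def executable_from_command(cmd):
    """Return the program path from a Run value's command line.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and unquoted
    ones (C:\\WINDOWS\\taskmon.exe /arg); arguments are discarded.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_trace(text):
    """Parse a report into a list of hits, one per (RegVal Trace, File) pair."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m:
            current = {"name": m.group("name"), "hive": m.group("hive")}
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            current.update(subkey=m.group("subkey"),
                           value_name=m.group("value"),
                           data=m.group("data"))
            current["exe_path"] = executable_from_command(current["data"])
            hits.append(current)
            current = None
    return hits


def read_registry_value(hive, subkey, value_name):
    """Return the value's data as a string, or None if key/value is absent.

    Windows only (winreg). The hive name from the report is mapped onto the
    winreg constant of the same name, e.g. winreg.HKEY_LOCAL_MACHINE.
    """
    import winreg
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            data, _type = winreg.QueryValueEx(key, value_name)
            return str(data)
    except OSError:
        return None


def verify_hit(hit, path_exists=os.path.exists, read_value=None):
    """Classify one hit: 'present', 'file-missing', 'value-missing' or 'unverified'.

    A scanner that keeps reporting a value the registry does not contain is
    the false-positive pattern discussed in the thread ('value-missing').
    A value that exists but points at a file that is gone is a dangling
    autostart entry ('file-missing'): harmless by itself, worth cleaning up.
    """
    if read_value is None:
        if sys.platform != "win32":
            return "unverified"  # no registry to consult on this platform
        read_value = read_registry_value
    data = read_value(hit["hive"], hit["subkey"], hit["value_name"])
    if data is None:
        return "value-missing"
    if not path_exists(executable_from_command(data)):
        return "file-missing"
    return "present"


if __name__ == "__main__":
    for hit in parse_trace(SAMPLE_TRACE):
        print(f"{hit['name']}: {hit['hive']}\\{hit['subkey']} [{hit['value_name']}]"
              f" -> {hit['exe_path']}: {verify_hit(hit)}")
```

Run it with the report text pasted into `SAMPLE_TRACE` (or read from a file); a `value-missing` result on a hit that the scanner keeps re-reporting after you deleted it is the situation beetlejuice and scartissu describe, and a `present` result means the autostart entry is real and the file should be identified (hash, publisher, date) before anything is removed.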
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sounded very familiar - here is the answer to your question - from Mr. Wayne Langlois himself ;).

    regards.

    paul
     
  12. scartissu

    scartissu Registered Member

    Joined:
    Nov 12, 2002
    Posts:
    19
    Location:
    Canada
    Well that's just ducky.. I can stop and smell the roses again :) a big thanx to all who responded. I will disable taskmon.exe. I was under Bill's spell... that it is a necessary program. My bad.
    G'night
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Late morning coffee here :)
    Sorry for not posting the pages with the screenshots I found googling, as I can't know if those and the URLs mentioned from there are within our TOS.
    If somebody reads Vietnamese, we'll probably all be interested in some interesting snips from the info provided there.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Things do happen - you're welcome ;).

    regards.

    paul
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin just posted in the private forum that the trace will be gone in tonight's update. That'll teach you :D gone.
     