Troj/Diablo backdoor Trojan horse

Discussion in 'malware problems & news' started by Technodrome, Apr 29, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Troj/Diablo is a backdoor Trojan horse. If the Trojan server is installed on a computer, it will monitor and log all keyboard keystrokes made by the user.

    The keystrokes are logged into a file which can be sent via email or FTP to the potential attacker. The attacker can be notified by ICQ when log files are uploaded onto an FTP server.

    The filename and extension used by the Troj/Diablo server are configurable. Possible Troj/Diablo file extensions can be:

    EXE, SCR, PIF, COM, CMD and BAT.

    When the Trojan server is run, it copies itself into the Windows Startup folder so that it automatically runs every time Windows is started.

    source: http://www.sophos.com

    Technodrome
     
  2. snowman

    snowman Guest

            TECH

             if you have a moment please...would appreciate your opinion.

             a few days ago I noticed a new exe listing in my start-up.........loaded from registry(machine run)   Command (none)

    I have run Ants several times.....plus anti-virus...everything showing as clean......I have not noticed any unusual outbound traffic (application based firewall).....have checked the registry but nothing strange seems going on there..........and then took this exe out of start-up......

            since I check my start-up several times each week...I would have noticed this strange exe prior to this............I can force my machine to ask permission before loading all exe's...if it comes to that.

    this isn't a lot of info to give you...but all I have.....can you offer any suggestions as to how I could monitor this unknown exe more carefully.....


                             thanks

                             snowman

    P.S. I honestly don't believe this is a trojan....however, I have never seen an exe listing before that didn't show a "command"
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I assumed that you have run Ad-Ware or similar...

    Before you do anything check Start-Up Applications list and see if anything is matching that app or whatever that is… http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

    There is a small utility you should try; it's called StartupMonitor, and it notifies you when any program registers itself to run at system startup etc.
    For more info go to http://www.mlin.net/StartupMonitor.shtml

    Snowman, you should also check out Startup Control Panel from the same author: http://www.mlin.net/StartupCPL.shtml

    if this doesn't help you, let me know!!!!

    Technodrome
     
  4. snowman

    snowman Guest

            TECH

            much thanks for your reply.......yes I did everything you mentioned with the exception of start-up monitor...I have it but not installed.....

          also checked for the listing you mentioned....its not on my computer........ran a complete registry scan.....

    the exe in question is showing as not being associated with any running application....and yet it's in start-up...and it was starting at start-up.......very unusual behavior.

    my e-mail program must ask permission.....and I don't use it period......haven't in over two years....so it's doubtful that anything would be sent without my noticing the attempt.........anytime I need to send an e-mail I use an online website that provides the service....has its own e-mail server.

    TECH.....at this point I will sit back and monitor this strange exe......it does not appear to be a threat...whatever it is ..is dormant.......I check the registry never less than once each day....clean it after each un-install...........clean my index.dat...temp folder....my virus scan recently updated....script detector installed.... reg listed therein......windows scripting host was un-installed until two days ago.....proxy prevents scripts.......absolutely no cookies....... and yet there is that exe...in start-up...

    so as not to burden you time-wise...for the moment I'll just monitor all "actions" and should I notice anything slightly out of order.......I'll come a-running back here....LOL


            Thank you TECH.....your time was and is appreciated.

                                     snowman
     
  5. snowman

    snowman Guest

             TECH

    I just dl start-up control panel.....thank you for the url.......will install it.


                                   Regards


                                   snowman
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hey, snowman! What's the name of the exe you're seeing? Pete
     
  7. snowman

    snowman Guest

              Pete

    The "exe" has no name.......that's what's so strange about this......the "command" which is the program that "it is" or "works with" does not exist!

             all that shows in start-up is plain "exe"


    fortunately whatever this thing is isn't doing anything......unless it's inactive because I took it out of start-up and haven't opened the program that would set it off.............so far there has not been even the slightest strange or unusual behavior on my computer.
    ........I have the ye ole trojan "guard" watching...and the ye ole virus scan "watching".....even have the resource meter kicked in to monitor any resource drop...

    in a little while I will install a couple of new programs and see what they reveal.

    in my start-up there are only the bare essentials...everything else is "on demand"....which is why I noticed this "thing".......

    because I had windows scripting host un-installed perhaps this "thing" was able to get rooted....that's the only explanation I can think of at the moment.

                             snowman
     
  8. snowman

    snowman Guest

                TYPO


          should read:     "not" able to get rooted



                         snowman
     
  9. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    It is probably safe to delete that unknown exe file!!!
    This could be "junk" from installed or uninstalled programs. In any case, if there is no command to it, that file is rootless and useless.

    I had one not long ago which was marked as .~ or something like this. After research I deleted it with no problems.

    Technodrome
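    The "ghost" start-up entry discussed above (an autostart listing with no command behind it) and the Startup-folder persistence from the first post can both be audited with a script like the following. This is an added example, not code from the thread or from any product named in it; the function names Get-CommandPath and Get-EntryStatus are my own, and it only reads the Run/RunOnce keys and the two Startup folders.

```powershell
# Added example (not from the thread or any product named in it). Audits the
# Run/RunOnce keys and both Startup folders; flags entries whose command is
# empty or whose target no longer exists ("ghost" entries), and raw executables
# dropped directly into a Startup folder.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
# Extensions the Sophos description in the first post lists for the Troj/Diablo server file
$watchExt = @('.exe', '.scr', '.pif', '.com', '.cmd', '.bat')

function Get-CommandPath([string]$Command) {
    # Recover the executable from a Run value: a quoted path, or the first token
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $path = if ($Command.StartsWith('"')) { $Command.Split('"')[1] } else { ($Command -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-EntryStatus([string]$Target) {
    if (-not $Target) { return 'GHOST: empty command' }
    # Accept either an existing path or a bare name resolvable through PATH
    if ((Test-Path -LiteralPath $Target) -or (Get-Command $Target -ErrorAction SilentlyContinue)) { return 'ok' }
    return 'GHOST: target missing'
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $exe = Get-CommandPath ([string]$p.Value)
        $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Target = $exe; Status = (Get-EntryStatus $exe) }
    }
}

$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $folder -File) {
        # Shortcuts are resolved to their target; anything else runs as-is from the folder
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $status = Get-EntryStatus $target
        if ($status -eq 'ok' -and $item.Extension -ne '.lnk' -and $watchExt -contains $item.Extension.ToLower()) {
            $status = 'REVIEW: executable placed directly in Startup folder'
        }
        $findings += [pscustomobject]@{ Location = $folder; Name = $item.Name; Target = $target; Status = $status }
    }
}
$findings | Sort-Object Status | Format-Table -AutoSize
```

    Run it from an elevated PowerShell so the HKLM keys are readable; a "GHOST" row is the kind of leftover a system restore or an incomplete uninstall produces, and a "REVIEW" row deserves a look before the next reboot.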
     
  10. snowman

    snowman Guest

           TECH

    my friend I think you may just have located the source of this strange exe.........about the same time as I observed this strange exe is the same time I un-installed WebTV...........an oversight on my part was not noticing or paying attention to the fact that WebTV is still listed in start-up....(disabled) obviously it can't actually still be there if it's un-installed.....

    for some reason ...perhaps because I did a system restore recently...the listing was re-placed in the start-up.....WebTV definitely is un-installed.....so this is a "ghost" listing......and I think...just as you said...that strange "exe" is also a "ghost"........

    I'll delete the silly thing...but it sure caused me a little more worry than I prefer to endure.

    Thanks Tech....if not for your post I would not have thought of this...was more concerned with the monitoring part...........oh well...it's a continued learning experience........which is just a nice way of my saying that I was sleeping on the job. LOL

                           snowman
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    LOL SnowMan

    I am sure glad you got it.  ;)

    Technodrome
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi everyone,

    TDS has full detection for Keylog.Diablo Keys (and has had for months) :)
     