Troj/Diablo backdoor Trojan horse

Troj/Diablo is a backdoor Trojan horse. If the Trojan server is installed on a computer, it will monitor and log all keyboard keystrokes made by the user.

The keystrokes are logged into a file which can be send via email or FTP to the potential attacker. The attacker can be notified by ICQ, when log files are uploaded onto an FTP server.

The filename and extension used by the Troj/Diablo server are configurable. Possible Troj/Diablo file extensions can be:

EXE, SCR, PIF, COM, CMD and BAT.

When the Trojan server is run, it copies itself into the Windows Startup folder so that it automatically runs every time Windows is started.

source: http://www.sophos.com

Technodrome

 

        TECH

         if you have a moment please...would appreciate your opinion.

         a few days ago I noticed a new exe listing in my start-up.........loaded from registry(machine run)   Command (none)

         I have run Ants several times.....plus ati-virus...everything showing as clean......I have not noticed an unusual outbound traffic   (application based firewall).....have checked the registry but nothing strange seems going on there..........an then took this exe out of start-up......

        since I check my start-up several times each week...I would have noticed this strange exe prior to this............I can force my machine to ask permission before loading all exe's...if it comes to that.

         this isn't alot of info to give you...but all I have.....can you offer any suggestions as to how I could monitor this unknown exe more carefully.....


                         thanks

                         snowman

  P>S      I honestly don't believe this is a trojan....however,, I have never seen an exe listing before that didn't show a "command"

 

I assumed that you have run Ad-Ware or similar...

Before you do anything check Start-Up Applications list and see if anything is matching that app or whatever that is… http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

There is a small utility that you should try it's called StartupMonitor which notifies you when any program registers itself to run at system startup etc.
For more info go to http://www.mlin.net/StartupMonitor.shtml

Snowman you should also check out Startup Control Panel from the same author.http://www.mlin.net/StartupCPL.shtml

if this doesn't help you, let me know!!!!

Technodrome

 

        TECH

        much thanks for your reply.......yes I did everything you mentioned with the exception of start-up monitor...I have it but not installed.....

      also checked for the listing you mentioned....its not on my computer........ran a complete registry scan.....

     the exe in question is showing as not being associated with any running application....an yet its in start-up...and it was starting at start-up.......very unusual behavior.

     my e mail program must ask permission.....an I don't use it period......haven't in over two years....so its doubtful that anything would be sent without my noticing the attempt.........anytime I need to send an e mail I use an online website that provides the service....has its own e mail server.

     TECH.....at this point I will sit back and monitor this strange exe......it does not appear to be a threat...whatever it is ..is dormant.......I check the registry never less than once each day....clean it after each un-install...........clean my index.dat...temp folder....my virus scan recently updated....script detector installed.... reg listed therein......windows scripting host was un-installed until two days ago.....proxy prevents scripts.......absolutely no cookies.......  an yet there is that exe...in start-up...

      so as not to burden you time-wise...for the moment I'll just monitor all "actions"  an should I notice anything slightly out of order.......I'll come a-running back here....LOL


        Thank you TECH.....your time was and is appreciated.

                                 snowman

 

         TECH

         I just dl start-up control panal.....thank you for the url.......will install it.


                               Regards


                               snowman

 

Hey, snowman! What's the name of the exe you're seeing? Pete

 

          Pete

         The "exe" has no name.......thats whats so strange about this......the "command" which is the program that "it is" or "works with" does not exist!

         all that shows in start-up is plain "exe"


          fortunately whatever this thing is isn't doing anything......unless its in-active because I took it out of start-up an haven't opened the program that would set it off.............so far there has not been even the slightest strange or unusual behavior on my computer.
........I have the ye ole trojan "guard" watching...and the ye ole virus scan "watching".....even have the resource meter kicked in to monitor any resource drop...

        in alittle while I will install a couple of new programs an see what they reveal.

        in my start-up there are only the bare essentials...everything else is "on demand"....which is why I noticed this "thing".......

        because I had windows scripting host un-installed perhaps this "thing" was able to get rooted....thats the only explanation I can think of at the moment.

                         snowman

 

            TYPO


      should read:     "not" able to get rooted



                     snowman

 

It is probably safe to delete that unknown exe file!!!
This could be a "junk" from installed programs or uninstalled programs. In any case if there is no command to it, that file is rootless and useless.

I had one no long time ago which was marked as .~ or something like this. After research I deleted it with no problems.

Technodrome

 

       TECH

       my friend I think you may just have located the source of this strange exe.........about the same time as I observered this strange exe is the same time I un-installed web t v...........an over-sight on my part was not noticing or paying attention to the fact that web t v is still listed in start-up....(disabled)  obviously it can't actually still be there if its un-installed.....

      for some reason ...perhaps because I did a system restore recently...the listing was re-placed in the start-up.....web tv definitely is un-install.....sp this is a "ghost" listing......an I think...just as you said...that strange "exe" is also a "ghost"........

       I'll delete the silly thing...but it sure caused me alittle more worry than I prefer to endure.

      Thanks Tech....if not for your post I would not have thought of this...was more concerned with the monitoring part...........oh well...its a continued learning experience........which is just a nice way of my saying that I was sleeping on the job.     LOL

                       snowman

 

LOL SnowMan

I am sure glad you got it.  

Technodrome

 

Hi everyone,

TDS has full detection for Keylog.Diablo Keys (and has had for months)