trojan droppers not scanned

Discussion in 'Trojan Defence Suite' started by zak_dashiell, Mar 6, 2003.

Thread Status:
Not open for further replies.
  1. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello,

    I finally think I found the source of the Optix Pro problem (from a previous post). It was TrojanDropper.Win32.EESbinder.

    My question is: is TDS3 not capable of detecting this dropper? Or is it really excluded since it is not a trojan?

    I was trialing Kaspersky and did a full system scan. It caught this dropper in one of the files. This had been on my HDD for at least 4 months now :eek: and all along not detected by TDS3. I scanned it selectively with TDS3 but it claimed it was clean... unless this is a false positive by Kaspersky o_O
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Good question.

    What say you, Wayne and Gav?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Zak_dashiell
    With the possibility that it might be a false positive, can you please zip the file and send it to the DCS lab via submit@diamondcs.com.au to get an answer soon?
    Thanks!


    Edited:
    Long ago, when I did a first-time scan with AVP/KAV on highest sensitivity, heuristics on, etc., I found the strangest alerts after McAfee had completely messed up my system. The most intriguing finds I asked the AVP labs for opinions on, and in fact all was well. Anyway, I chose then for a complete new install of everything on a formatted HD, with the same software installed on it (without McAfee, of course); the same scans gave far fewer finds, only the few their lab had already told me were OK. No new problems since.
    This was before I knew TDS (told you it was LONG ago!) so I cannot say if TDS would have found the same or not :)
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi zak_dashiell,

    This is a dropper (binder) that is detected by TDS, with 4 variants detected. It is possible you have a less common variant, so I would like to take a look - gavin@diamondcs.com.au

    Of course I trust your databases are updated :)
     
  5. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello jooske,

    One unrelated observation: I keep getting timed out as I log in :(

    Back to my question: I guess this would end and answer my question :D because I cannot send you the file anymore since I had already deleted it. One thing though: I went to the "Primary List" and cannot find this dropper there.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again, I had not noticed Gav posting at the same time and even giving his personal mailbox! Wow!
    You don't have it in the temp files or System Restore or wherever? Gav will be most happy if you're able to locate it anywhere still, somehow.
    For the names: possible, some nasties go by several names.


    For the timing out: I logged in and chose "always stay logged in" so I don't need to log in again, nor do I get timed out. Could be an option?
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    zak, are you using a recent database? The latest one can always be downloaded at http://tds.diamondcs.com.au/radius.td3
    As Gavin mentioned, there are 4 variants of this that TDS detects, so either you have a rare variant that we don't have, or you're using an old database ... :)
    Either way, simply email the file to support@diamondcs.com.au and we'll analyse it for you.

    Best regards,
    Wayne
     
  8. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Yes, my TDS3 database was updated (unless you mean the 5 Mar 2003 update)...

    I have already deleted the file, but I will check my HDD to see if I can still find it...
     
  9. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello Gavin,

    Zip attachment is in your mailbox.

    thanks
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're wonderful, ZD! Good that you found it; thanks in the name of the wellbeing of the whole internet community!
    Looking forward to Gavin's comments!
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Thanks zak. Gavin has just knocked off for the day, but he'll take a look at it first thing in the morning, and if it indeed isn't detected it will be added to tomorrow's database update.

    Thanks again,
    Wayne
     
  12. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    You're welcome, Jooske!

    But you shouldn't be thanking me... I should be thanking YOU all... without you all, I wouldn't have heard of TDS3, NOD32, Outpost, SpyBot S&D, IE-SPYAD, and Kaspersky...

    and I would be less informed (ignorant?) about how I can protect my system...
     
  13. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    You're welcome, Wayne...

    and thank you too for the quick response.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hm ZD, where did we do such successful promotions? Just out of curiosity! :D
    I learn by the day too, reading here and the links people provide, the questions asked, the problems people run into and seeing them helped out, with which knowledge we can help others again.
    We learn whether things are (ab)normal Windows behaviour or some malicious process might be behind it, what to look for, not to panic but to know which steps to take, etc.
    Which alerts to take seriously (I take each one seriously in the first instance, of course), etc. etc.
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi zd,

    Thanks, a new modified variant; will add this now. I assume you didn't actually get infected by the trojan it would have (?) dropped, but I will analyse its behaviour and make sure whatever it contains is also detected :)
     
  16. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Thanks a lot Gavin

    Yes, I was actually infected by it (remember the Optix Pro problem from my previous post that you were helping me with?).

    Please analyse its behaviour so other users of TDS will not experience what I had (especially the newbies like myself).

    Can I assume now that if I scan the compressed form it will be detected by TDS3? I shouldn't have any problem when it is run, since TDS3 will surely prevent it or catch it.
     
  17. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello,

    I have downloaded the 8 Mar 2003 update and scanned the infected file (compressed EXE), but TDS still won't detect it. I also scanned the partition and folder where it is located, but TDS still won't detect it :(

    What am I doing wrong?
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I don't think there was any problem in the detection. I emailed you back about the trojan: it drops Optix Pro 1.2, which is already detected. You should receive a variant alarm on scanning.

    BTW, most TrojanDropper sigs in TDS are detected as Binded.<dropper name>, so if you are checking, see the Primary List. Yes, TDS detects a lot of binders :)
     
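The two posts above (the "variant alarm" on the dropped payload, the Binded.<name> naming, and the zipped file that raises no alarm) describe three distinct ways a binder can slip past a scanner. The script below is an added illustration, not DiamondCS/TDS code and not the file discussed in the thread: every byte, file name, signature and database in it is constructed for the demo, and the "PE images" are header stubs, not runnable executables. It shows (1) a scanner with only a payload signature still flagging a binder whose payload is appended verbatim, (2) the same scanner missing a binder that stores the payload XOR-obfuscated, so that only a signature on the binder stub itself (the Binded.<name> idea) catches it, and (3) a .zip scanned as a raw blob producing nothing while scanning its extracted member does.

```python
"""Added illustration (not DiamondCS/TDS code; all bytes, names and
signatures are constructed): why a scanner may flag the payload a binder
drops but not the binder itself, and why scanning a .zip as a blob is not
the same as scanning the file inside it."""
from __future__ import annotations

import io
import struct
import zipfile

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def build_fake_pe(body: bytes) -> bytes:
    """Constructed stand-in for a PE image (not a runnable executable): a
    64-byte DOS header whose e_lfanew (offset 60) points at a PE signature,
    followed by `body`. Just enough structure for find_embedded_pe()."""
    dos = bytearray(64)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 60, 64)
    return bytes(dos) + PE_SIG + b"\0" * 20 + body


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of every plausible PE image in `data`. A binder/dropper is a
    PE carrying further PEs, so more than one hit in one file is suspicious."""
    hits, pos = [], 0
    while (pos := data.find(MZ, pos)) >= 0:
        if pos + 64 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 60)[0]
            sig_at = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == PE_SIG:
                hits.append(pos)
        pos += 2
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy obfuscation of the kind some binders apply to the stored payload."""
    return bytes(b ^ key for b in data)


# Hypothetical signatures (constructed for this demo).
PAYLOAD_SIG = b"EXAMPLE-BACKDOOR-PAYLOAD"
STUB_SIG = b"EXAMPLE-BINDER-STUB"
DB_PAYLOAD_ONLY = {"Example.Backdoor": PAYLOAD_SIG}
DB_WITH_BINDER = {"Example.Backdoor": PAYLOAD_SIG, "Binded.Example": STUB_SIG}


def scan_bytes(data: bytes, db: dict[str, bytes]) -> list[str]:
    """Signature scan plus a structural check for embedded PE images."""
    names = [name for name, sig in db.items() if sig in data]
    if len(find_embedded_pe(data)) > 1:
        names.append("Suspicious.EmbeddedPE")
    return names


def scan_file(data: bytes, db: dict[str, bytes], recurse_archives: bool = True) -> list[str]:
    """Scan a file; when it is a zip and recursion is on, scan each member too."""
    found = scan_bytes(data, db)
    if recurse_archives and data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                found += [f"{member}: {n}" for n in scan_bytes(zf.read(member), db)]
    return found


def make_samples() -> dict[str, bytes]:
    """Constructed test files: a payload, two binders carrying it, and a zip."""
    payload = build_fake_pe(PAYLOAD_SIG)
    plain_binder = build_fake_pe(STUB_SIG) + payload                  # appended verbatim
    obf_binder = build_fake_pe(STUB_SIG) + xor_bytes(payload, 0x5A)   # stored XORed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("dropper.exe", plain_binder)
    return {"payload": payload, "plain_binder": plain_binder,
            "obf_binder": obf_binder, "zipped": buf.getvalue()}


if __name__ == "__main__":
    samples = make_samples()
    for name, data in samples.items():
        print(f"{name:13} payload-only db : {scan_file(data, DB_PAYLOAD_ONLY)}")
        print(f"{name:13} db with binder  : {scan_file(data, DB_WITH_BINDER)}")
        print(f"{name:13} no zip recursion: {scan_file(data, DB_WITH_BINDER, False)}")
```

The practical reading: a "variant alarm" on a dropper usually means the scanner matched the payload bytes inside it, which only works while the binder stores the payload in the clear; once the stub compresses or encodes its cargo, the scanner needs a signature on the stub itself, and an archive has to be unpacked (by the scanner or by hand) before any of this applies.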
  19. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Optix Pro 1.2 is detected.

    But scanning the zipped file I emailed you does not produce any alarm.

    I unzipped the file and scanned it, and no alarm was produced either.

    Tell me what I did wrong in the scanning process...

    BTW, I checked the Primary List and saw Binded.EES 1.0b... thanks...
     
  20. Looney

    Looney Guest

    Gavin,
    Is the "Primary List" any different from the area where trojan detections picked up by TDS are listed? Or is it a hidden secret list, hidden away from the likes of us noobies?
     
  21. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi Looney,

    If you click Help > Primary List you will see the primary variants detected. Of course this does not include lots of detection methods, nor does it include the advanced signatures for common trojan families such as Optix Pro, which are very different from normal signatures.

    zak_dashiell : looking into the problem and will solve it soon :)
     
  22. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello Gavin,

    Have you solved the problem already?

    My Kaspersky trial period has already ended and I fear that I am not adequately protected now.

    Anything, please!
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi zak_dashiell,

    We found a small problem which would be very rare.. surprising it ever came up. It should now be fixed in the latest database tonight :)
     
  24. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    Hello Gavin,

    I tried the latest update (23229 references) but the binder was still NOT detected when scanned :(

    Guess I am just unlucky. That's it!! I'll just burn the file to a CD and wipe it from my HDD. And hope for the best!!!

    Just give me a buzz if there is still something I should do. Otherwise, just go on making TDS the best anti-trojan application. All operators will be grateful.

    thanks...
     
  25. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmmm, 23353 references today.. I know, a big jump :D

    Will check the detection, there will be another update in 5 hours so you might want to wait and scan after that one. Sorry for the problems.
     