Wayne&Gavin trojan

Discussion in 'Trojan Defence Suite' started by Open Source, Sep 13, 2002.

Thread Status:
Not open for further replies.
  1. Open Source

    Open Source Guest

    Hello, I was wondering if TDS detects Whackjob v1.7 and different or mutated variants bound with an unknown binder attached to an EXE self-extracting archive.

    The reason I ask is:
    c:\windows\desktop\computer performance appplications\memturbo v2.1setup.exe whackjob 1.7
    Another program detected it, which I won't name.

    And TDS-3, your latest version, did not.

    At first I thought it was most likely a false positive, but I executed it on purpose because I felt my 37 security applications running in the background could more than handle it.

    It did spoof, needless to say. I still bypassed it and got the files I wanted with WinRAR 3.0, which seems to come in handy for extracting the guts out of any setup.exe.

    So I got what I wanted, the actual file, with no infection.

    I'm not sure what kind of Trojan Whackjob 1.7 is, but isn't it something to do with being remotely controlled on port 12631? Or could this be a variant of WhackJob.NB1.7?

    I know there's a Trojan Whackjob version 2.0 around (631k).

    I just wanted to know if TDS can detect it. If you say yes, I'll consider it a false positive.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It is in the primaries list. To make sure it is not a false positive or some variant, can you please send the sample to support@diamondcs.com.au so the lab can tell you all about it? Thanks in advance!
     
  3. Open Source

    Open Source Guest

    Thank you Jooske, I sent it.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Looking forward to the finds from there!
    Fingers crossed it is harmless, or in case it is not, for you the honor of bringing in something new, if that is possible, with all Gavin's additions...
     
  5. Open Source

    Open Source Guest

    I'm pretty sure it's harmless; I can't picture anything getting by TDS.

    I would like to learn more about submitting, and how to be safe in contributing Trojans and finding new ones to add to the TDS database, simply because collecting things is my hobby and so is learning.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Simple: if you come across something, look in the primaries to see if it's mentioned there. If not, and it's a worm or trojan, just submit it to the lab. You might like to zip the thing to prevent loss. If TDS alarms on it as a positive identification, there's no need either. Are you collecting to help the TDS base grow?
    Try to keep the collection outside the computer, or at least zipped. Don't you prefer collecting nice images, or stamps, or other beauties?
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    This is just a program installer, for MemTurbo.

    Whatever program is detecting the Whackjob Netbus dropper is doing so incorrectly. We have seen this before, where the detection was picking up the legitimate Whackjob GAME file, not only the Whackjob which Netbus was bound to. In this case the detection is completely off the mark.

    When we detect bound trojans, we are always detecting the code which creates the trojan (and other bound files) and not any other code. This way we detect the bound result no matter what files are bound together. In the case of Whackjob a PKZIP self-extractor was used, not a binder; MemTurbo is a self-extractor as well. The detection used by this unnamed program must be the result of a signature taken from the self-extractor header, which is not a great idea.

    Hope that helps you understand bound detections a little better (see the TDS primary list for how many binders are detected: Binded.<binder>).
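An added example, not from this thread or from DiamondCS, of the distinction Gavin draws: a toy self-extractor format in which a signature lifted from the shared SFX stub also flags the benign MemTurbo and game installers, while a signature applied only to the bound entries flags just the sample with the server bound in. All file names, stub bytes, entry contents and signatures are constructed.

```python
import struct
from typing import Callable, Dict, Tuple

LOCAL_HDR = b"PK\x03\x04"          # ZIP local file header signature
# Constructed stand-in for the stub every self-extractor built with one tool shares.
STUB = b"MZ\x90\x00PKSFX stub v2.50: extract entries to temp, run first\x00"

def build_sfx(stub: bytes, entries: Dict[str, bytes]) -> bytes:
    """Assemble a toy self-extractor: stub followed by stored (method 0) entries."""
    out = bytearray(stub)
    for name, data in entries.items():
        n = name.encode()
        # ver, flags, method, time, date, crc32, csize, usize, name len, extra len
        out += LOCAL_HDR + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0,
                                       len(data), len(data), len(n), 0)
        out += n + data
    return bytes(out)

def split_sfx(blob: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Separate the stub from the bound entries so each part can be scanned alone."""
    pos = blob.find(LOCAL_HDR)
    if pos < 0:
        return blob, {}
    stub, entries = blob[:pos], {}
    while pos >= 0 and pos + 30 <= len(blob):
        _, _, method, _, _, _, csize, _, nlen, xlen = struct.unpack(
            "<HHHHHIIIHH", blob[pos + 4:pos + 30])
        if method != 0:            # only stored entries in this toy format
            break
        start = pos + 30 + nlen + xlen
        entries[blob[pos + 30:pos + 30 + nlen].decode()] = blob[start:start + csize]
        pos = blob.find(LOCAL_HDR, start + csize)
    return stub, entries

# Constructed samples mirroring the thread: benign installer, benign game, game + server.
SAMPLES = {
    "memturbo_setup.exe": build_sfx(STUB, {"MEMTURBO.EXE": b"memory tuner code"}),
    "whackjob_game.exe": build_sfx(STUB, {"WHACKJOB.EXE": b"whackjob game code"}),
    "whackjob_bound.exe": build_sfx(STUB, {"WHACKJOB.EXE": b"whackjob game code",
                                           "PATCH.EXE": b"netbus-style server code"}),
}
HEADER_SIG = b"PKSFX stub v2.50"           # lifted from the shared stub: bad idea
PAYLOAD_SIG = b"netbus-style server code"  # lifted from the bound trojan itself

def scan_whole_file(blob: bytes, sig: bytes) -> bool:
    return sig in blob
def scan_bound_entries(blob: bytes, sig: bytes) -> bool:
    return any(sig in data for data in split_sfx(blob)[1].values())
def verdicts(scanner: Callable[[bytes, bytes], bool], sig: bytes) -> Dict[str, bool]:
    return {name: scanner(blob, sig) for name, blob in SAMPLES.items()}
```

`verdicts(scan_whole_file, HEADER_SIG)` flags all three samples, while `verdicts(scan_bound_entries, PAYLOAD_SIG)` flags only `whackjob_bound.exe`.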
     