OK, I'm a Believer

I just downloaded TDS for evaluation and ran it. It found DDos.RAT in explorer.exe in my Windows folder. I was stunned. It must have been there for a long time, from back when I connected directly to my cable modem. I've used other programs to scan for trojans and none found this. I had noticed explorer.exe in my startup and thought that was odd, but MS often does things oddly.

I checked my firewall and confirmed that I had blocked explorer.exe from calling out when it tried. At the time, I thought it was one of those many calls home that MS programs make, or try to make.

So as soon as I get my tax return, I'm registering TDS.

 

Good for you!

I hope that you enjoy TDS-3 as much as I do.

Just wait untill you run it some more.
This program is really impressive with all the tools and utilities that DiamondCS has packed into it!

You will find that support from DiamondCS and the TDS-3 operators is top notch also.

 

Hi Finn,

Can you zip and send me your explorer.exe ? gavin@diamondcs.com.au

What OS do you have ?

I advise that you download the latest databases for now, we have discovered a small bug with the trace scanner, which is very strange indeed. I have removed this detection, but don't worry, TDS detects the trojan in question in a number of other ways

 

Good for you dude! Congrats on getting rid of that... umm... Rat

 

Sorry, Gavin. I had TDS close the process and delete the file and I can't recover it.

Windows XP Pro

When I ran it immediately after installing, it found only the registry entry, listing it as DDos.RAT.Litmus. I downloaded the Radius database and overwrote the previous one, then ran TDS again. This time it alerted on both the registry entry and the file.

 

Gavin,

Is this tied in with the bug you mention?

Scan Control Dumped @ 21:28:07 05-03-03
File Trace: Default trojan filename: DDoS.RAT.XTBot
File: D:\WINDOWS\explorer.exe

I immeadiately rechecked by Scanning just the Explorer.exe and also just Windows directory but could not get an alarm.

Later I did a full scan and the alarm came back. Again I couldn't repeat it by selective scanning.

Today I have the new Radius update and have not detected any alarms so far.

 

Hi linney,

The trace for this trojan was removed quickly and the update has been available for ~ 24 hours. TDS detects the trojan in question in a number of other ways, so not a huge loss of a detection method.

What was happening was I added a trace for "EXPLORER.EXE " which has a space character on the end (ok not a space but a fake space) and when testing the trace scanner on my test machines, nothing was detected..

So all should have been ok ? Obviously not, I am still trying to find the exact reason for the problem, we need to debug the trace engine.. and since we are rebuilding this for TDS-4 anyway, that is a good thing

 

Explorer.exe can make legitimate outbound connections to the Internet. It's fortunate that you happened to block it.