Backdoor.Win32.Rbot.gen - is tds supposed to catch it?

Discussion in 'Trojan Defence Suite' started by martin37, Dec 11, 2004.

Thread Status:
Not open for further replies.
  1. martin37

    martin37 Guest

    hello everybody,

    I am testing tds-3 atm (latest updates installed) and was wondering if it is supposed to catch this trojan: Backdoor.Win32.Rbot.gen

    or is it even a trojan? anyway, my firewall caught it in the act while trying to connect to 195.210.247.23:6662

    the only program that even detected (nod32, antivir etc. didn't) that it was indeed a trojan was kaspersky

    do I miss something?

    cheers
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There are a lot of variants of this malware TDS3 does detect a lot of them see the TDS3 help - Primaries list.
    When you do a full scan with TDS3 you should disable your AV scanner or run TDS3 in Safe mode.

    For manual removel try this link:
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=56713

    HTH Pilli
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Therer are somewhere in the region of 2000 different versions of Backdoor.Win32.Rbot & SDbot

    The only Antivirus that I know of at this time that has a generic detection of them is Kapersky and that does sometimes give a false alarm as some versions of it are very close to legitimate programs

    Almost all other antiviruses & antitrojans rely on signatures for specific versions so many will get through

    If your firewall is enabled it shoould warn you and block anything from happening
     
  4. martin37

    martin37 Guest

    thankyou Pilli and dvk01 for the fast response.

    I had no problem removing it for I keep a clean updated system image that I just re-play on the system partition - problem solved ;)

    I also don't run any real time anti virus scanners - it's on demand only. I run tds in safe mode and still no result. don't get me wrong, tds has a good reputation, I just wanted to know if there is a particular reason why this very very dangerous trojan (after all, it's possible to upload "things" onto your harddrive!!! imagine what harm can be done to you ...) wasn't detected. and yes, 2000 or more variants are a lot, but I rather wait 5 more minutes before the scan has finished ...

    and regarding kasperski, I use it for years now, and never had any false alarm (touch wood!)

    funny enough, the trojan file was injected into setup.exe of a trial Ad-Aware SE version ...

    cheers
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you downloaded the adaware version from one of the authorised sites I find it hard to believe it was really infected

    If it came from a non approved download site then anything is possible

    Adaware SE doesn't have trial versions just the free full version or the paid for Pro or plus versions

    Please pm with the link to the download so I can get it checked out and if it was a genuine Adaware version I will get it pulled immediately by the adaware developers
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks for the reply Martin,
    ProcessGuard stops .dll injection and many other methods that the latest dangerous Trojans used such as rootkits.
    Also remember that TDS3 users will get a free upgrade to TDS4 which will include new technologyto fight Trojans.
    Please take time to read about ProcessGuard on these forums.

    Cheers. Pilli
     
  7. martin37

    martin37 Guest

    dvk01, well, I never said I dl it from an authorized link. I got it from an admin friend for testing. I don't know where he got it from. but that only shows: Trust No One :(

    thanks Pilli for the info :) I going to give it a try on one of our test machines ...
     
  8. FanJ

    FanJ Guest

    Hi Martin,

    If I'm allowed to add a little bit to above postings:
    if you still have that file, you could send it (if possible zipped) to Gavin:
    submit at diamondcs.com.au

    Thanks !
     
  9. martin37

    martin37 Guest

    @ FanJ

    yes, no problem. I just sent it :)

    cheers
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please also note that TDS-3 Process Memory Scan should detect most variants of any IRC Bot. Thanks for sending, will check this one shortly
     
Thread Status:
Not open for further replies.