Diamond techs... will PG catch this trojan

Discussion in 'ProcessGuard' started by BlackHawk1, Jan 30, 2006.

Thread Status:
Not open for further replies.
  1. BlackHawk1

    BlackHawk1 Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    and prevent it from activating? A friend sent me a trojan in December for me to check and I would like to send this trojan to you so you can experiment with it. I am very curious if PG could have stopped this thing. I want to know more about it and what program(s) if any, may have prevented it. The trojan is called Edepol.b and some information on it can be found here...

    http://www.sophos.com/virusinfo/analyses/trojedepolb.html

    If PG could not have stopped it, what do you think could have?

    My friend was told he most likely got infected with it via browser injection.

    My friend found this in very early December 2005 and at the time it was not detectable by any AV in the world. He sent it to several AV companies and they confirmed it was a new variant. He saw a file on his computer he felt was suspicious so he did a scan with several programs. He sent it to me to check as well and the only thing that detected it was Microsoft Antispyware. That Microsoft Antispyware was the only program able to detect it surprised me. The file was also uploaded to the 2 sites that have multi engine scanners (Jotti, etc.) and not 1 AV program there detected it. I had it checked against all of the programs below on my end and like his results, only Microsoft Antispyware was able to detect it...

    Dr. Web antivirus
    Kaspersky antivirus
    FSecure Blacklight BETA
    * Microsoft antispyware
    Webroot SpySweeper
    Ewido
    eTrust PestPatrol
    Lavasoft Ad-aware
    Spybot Search and Destroy
    Spyware Doctor
    CWShredder
    UnHackMe

    I ran the trojan on an old Windows 98 computer that's not connected to the net. When you run the trojan it disappears and places files in the Windows system folder. The main file, kernel32.exe, is the one that disappears. Then it creates dpnsvr32.exe, plugin1.dat and SysPr.prx from what I can see. It also makes a registry entry. Would you like this trojan for testing? I'm just curious as to what could have stopped it since it was undetectable to AV at the time. Let me know either way if you want it or not. Thank you.

    P.S. Here is what some AV companies told him...

    This program is for sure malware, but requires some advanced processing. It acts like a true malware (packed with an unknown protector, copies itself into system directory and registry, and deletes the original file then). Software based firewall, if any on the machine might not alert about the Trojan trying to connect to the Internet. This is because the Trojan uses the Internet Explorer to connect to the Internet.

    Thank you for your email. The file kernel32.exe that you sent to us for analysis was a Trojan, Troj/Edepol-B.

    Thank you for submitting the file "kernel32.exe". The file is indeed malicious and should be deleted. Detection will be added for this file in the next database update. It is a variant of Trojan called Bifrose or Bifrost.
     
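The post above names the files the trojan drops into the Windows system folder (kernel32.exe, dpnsvr32.exe, plugin1.dat, SysPr.prx). As an added example, not code from the original post, here is a small Python check that walks a system folder and flags both those exact names and the more general pattern they illustrate: an executable borrowing the name of a well-known system library under the wrong extension (kernel32.exe beside the legitimate kernel32.dll). The library-name list, the sample directory and its contents are constructed for this example; the registry entry the post mentions is not named there, so it is not modelled.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Filenames the forum post reports Troj/Edepol-B dropping into the system folder
# (C:\WINDOWS\SYSTEM on Windows 98, System32 on NT-family Windows). Lower-cased for matching.
EDEPOL_B_DROPPED_FILES = {"kernel32.exe", "dpnsvr32.exe", "plugin1.dat", "syspr.prx"}

# Assumed list of core Windows libraries whose names are often borrowed with a different
# extension. kernel32.exe is the case from the post; the other stems are added here as examples.
SYSTEM_LIBRARY_STEMS = {"kernel32", "user32", "ntdll", "advapi32", "ws2_32"}


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the filename looks suspicious, else None."""
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    if lower in EDEPOL_B_DROPPED_FILES:
        return "matches a filename the thread reports Troj/Edepol-B dropping"
    if stem in SYSTEM_LIBRARY_STEMS and ext != ".dll":
        return f"system library name '{stem}' with unexpected extension '{ext}'"
    return None


def scan_system_dir(system_dir: str) -> List[Tuple[str, str]]:
    """Walk system_dir and return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for root, _dirs, files in os.walk(system_dir):
        for name in files:
            reason = classify_name(name)
            if reason:
                rel = os.path.relpath(os.path.join(root, name), system_dir)
                findings.append((rel, reason))
    return sorted(findings)


def build_constructed_system_dir() -> str:
    """Constructed sample: a throwaway directory imitating a system folder after infection."""
    base = tempfile.mkdtemp(prefix="fake_system_dir_")
    legit = ["kernel32.dll", "user32.dll", "notepad.exe", "dpnsvr.exe"]   # dpnsvr.exe is a real DirectPlay binary
    dropped = ["kernel32.exe", "dpnsvr32.exe", "plugin1.dat", "SysPr.prx"]  # names from the post
    for filename in legit + dropped:
        with open(os.path.join(base, filename), "wb") as fh:
            fh.write(b"\x00")  # contents are irrelevant to a filename-based check
    return base


if __name__ == "__main__":
    for path, reason in scan_system_dir(build_constructed_system_dir()):
        print(f"{path}: {reason}")
```

A filename check like this is only a first pass: a renamed dropper evades it, and the post itself notes that the sample was packed with an unknown protector, which is why signature scanners missed it. Its value is in catching the masquerade cases quickly (kernel32 as an .exe, a "32" variant of a real service binary) so that the file can be pulled for the kind of manual analysis the original poster did.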
  2. James K

    James K Guest

    Microsoft Antispyware detected it only because it is a program that has been acquired through an assimilated company (Giant Antispyware). I used to own that program..... you can imagine the hate for M$ when I heard about the takeover a while back. I'm slightly surprised nothing else caught it though.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    ProcessGuard prevents the DLL injection, saving you from the risk of data theft ;) even if you got infected and allowed the copies in SYSTEM32 to run (why would you?), the main component needs to be injected into explorer to get information OUT (to bypass firewalls). PG stops all of this type of attack.
     
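Gavin's point is that the trojan has to inject its main component into explorer.exe before it can send anything out past a firewall, which is the step a HIPS like ProcessGuard blocks. For environments that record process activity rather than block it, the same step is also a good detection point. The following is an added example, not code from ProcessGuard or from the original post: it parses constructed, Sysmon-style "remote thread created" records (real Sysmon logs this as Event ID 8 with SourceImage and TargetImage fields; the lines below are made up and the key="value" layout is an assumption of this example) and raises an alert whenever a process outside a small allowlist creates a thread inside explorer.exe.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records; not real telemetry. One legitimate injector (csrss.exe),
# one process named like the file the post says the trojan drops, one unrelated
# process-creation event, and one security product that also touches explorer.exe.
SAMPLE_EVENTS = [
    r'EventID="8" SourceImage="C:\Windows\System32\dpnsvr32.exe" TargetImage="C:\Windows\explorer.exe"',
    r'EventID="8" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\explorer.exe"',
    r'EventID="1" Image="C:\Windows\notepad.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventID="8" SourceImage="C:\Program Files\AV\avscan.exe" TargetImage="C:\Windows\explorer.exe"',
]

# Assumed allowlist of processes that legitimately create threads in other processes.
# csrss.exe is included because Windows itself uses it this way; tune per environment.
ALLOWED_INJECTORS = {"csrss.exe"}

# The process the trojan targets, per the post. Other browser or shell hosts could be added.
TARGETS_OF_INTEREST = {"explorer.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" record into a dict; quoted values may contain spaces."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_injection_into_explorer(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_exe, target_exe) for each remote-thread event that is not allowlisted."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "8":       # only remote-thread records matter here
            continue
        source = basename(event.get("SourceImage", ""))
        target = basename(event.get("TargetImage", ""))
        if target in TARGETS_OF_INTEREST and source not in ALLOWED_INJECTORS:
            alerts.append((source, target))
    return alerts


if __name__ == "__main__":
    for source, target in find_injection_into_explorer(SAMPLE_EVENTS):
        print(f"ALERT: {source} created a thread inside {target}")
```

The rule matches on behaviour (who opened explorer.exe and started a thread in it) rather than on the dropped filename, so it still fires when the dropper is renamed or repacked. The price is the fourth sample line: a security product that also injects into explorer.exe shows up as an alert until it is added to the allowlist, which is the same trade-off a HIPS user faces when deciding which programs to permit.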
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just noticed they said it's a variant of bifrose/bifrost. There are literally thousands of these out there, and loads of people who actively create modified variants. Bifrose is one of the most common detections on Jotti's malware scanner (http://virusscan.jotti.org), quite often a number of files are uploaded in a row with changes, new packers etc to see who detects what.
     
  5. hitbit

    hitbit Registered Member

    Joined:
    Nov 25, 2005
    Posts:
    35
    Location:
    Dublin Ireland
    Yes, MS, aware of its quality, bought Giant. But then its developers, Sunbelt Software, launched CounterSpy. If you were a Giant fan, try CounterSpy; I think you will be pleased.

    hitbit
     
    Last edited by a moderator: Feb 1, 2006