Does TDS detect "trojan downloaders"?

Discussion in 'Trojan Defence Suite' started by ronny, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. ronny (Registered Member; joined Feb 18, 2004; 231 posts; Belgium)

    I ask this because I did a test with a friend. We noticed that TDS didn't detect:
    Trojan Downloader(59904).Win32.INService.h
    Trojan Downloader(258 ).Win32.Small.gl

    Dr.Web, Kaspersky and Housecall found both. eTrust found the second one, Small.gl.
    I don't know how I can see which trojans TDS detects.
    Are these downloaders perhaps not real trojans? Is that the reason they are not detected? Or am I completely wrong? :oops:
    Thanks for the help!
     
    Last edited by a moderator: Jul 22, 2004
  2. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi Ronny. To see the TDS primary list, go to Help - Primary list.

    Make sure you have downloaded the latest radius file from here: http://tds.diamondcs.com.au/index.php?page=update

    Some downloaders are harmless, and some TDS3 detects. I am not sure about your two, but no doubt Gavin would be interested in analysing them, so please send them to submit@diamondcs.com.au

    Thanks, Pilli
     
  3. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Some files exist under several names, and, like Pilli said, maybe the downloader was not nasty enough to be added? :)
     
  4. ronny (Registered Member; joined Feb 18, 2004; 231 posts; Belgium)

    Thanks a lot, Pilli; of course I looked everywhere in TDS except there :rolleyes: :D

    They seem not to be included in TDS's list, or perhaps they were there under a different name, or were "not nasty" enough, like Jooske said ;)

    I found the following information on the two on Trend Micro's website:
    For the first one: "This Trojan downloader is either dropped by another malware, or is manually installed by the user.
    Upon execution, it opens an Internet Explorer browser and downloads files from the following Web sites:
    http://stat7.z-s<BLOCKED>t.com/ps
    http://stat8.z-s<BLOCKED>t.com/ps
    The said URLs respectively point to two malicious files, detected by Trend Micro as the following:
    TROJ_ISTBAR.Q
    ADW_PURITYSCAN.F."

    For the second one: "This Trojan downloader connects to the following URL:
    http://www.slot<BLOCKED>.com/ist/softwares/bundlers/
    It then downloads the file BUNDLER_REGULAR.EXE from this site and installs it in the Windows Temp directory using the following name:

    BUNDELRNETSCAPE.EXE
    This file is detected by Trend Micro as TROJ_ISTBAR.EH.
    This Trojan is created in Visual C++ and arrives as a UPX-compressed file."

    But it is still not clear to me whether they are really dangerous. I leave that decision to people like you who really know these kinds of things. Is that not one of the reasons I am visiting this forum, learning from the specialists? ;)
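The Trend Micro write-up quoted above notes that the second downloader "arrives as a UPX-compressed file", and Pilli later advises turning TDS3's generic detection to its highest setting. Packer recognition is one common generic heuristic: a scanner parses the PE section table and flags the UPX0/UPX1 section names a stock UPX build leaves behind, or the near-random byte distribution of a compressed code section. The block below is an added example of that heuristic, not code from this thread, from TDS or from any scanner named in it. The two PE images are constructed in memory (they contain no executable code), the "UPX" name prefix and the 7.0 bits/byte entropy threshold are assumptions, and the parser only walks the header and section table.

```python
"""Added example: minimal PE section-table parser with two packer heuristics.

Not code from the forum thread or from DiamondCS/TDS. The 'UPX' section-name
check and the entropy threshold are assumptions typical of generic packer
detection; the sample PE images are constructed, not real malware.
"""
import math
import random
import struct

# Assumption: a compressed/packed section sits near 8 bits/byte of Shannon
# entropy, while plain x86 code is noticeably lower.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Return [(name, raw_bytes)] from the PE section table.

    Walks MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header ->
    40-byte section headers. Raises ValueError on a malformed image.
    """
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return sections


def packer_verdict(image: bytes) -> dict:
    """Generic-detection style verdict: UPX section names and/or high entropy."""
    sections = pe_sections(image)
    names = [n for n, _ in sections]
    upx_names = any(n.startswith("UPX") for n in names)
    max_entropy = max((shannon_entropy(raw) for _, raw in sections), default=0.0)
    return {
        "sections": names,
        "upx_section_names": upx_names,
        "max_section_entropy": round(max_entropy, 2),
        "looks_packed": upx_names or max_entropy >= ENTROPY_THRESHOLD,
    }


def build_pe(sections):
    """Constructed helper: build a minimal, non-executable PE32 image."""
    e_lfanew, opt_size = 0x40, 224
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, ptr = bytearray(), bytearray(), header_len
    for name, raw in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + bytes(table) + bytes(body)


# Constructed samples: a "UPX-packed" layout with random payload, and a plain one.
_rng = random.Random(2004)
PACKED_SAMPLE = build_pe([("UPX0", b""),
                          ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
                          (".rsrc", bytes(64))])
PLAIN_SAMPLE = build_pe([(".text", b"\x55\x8b\xec\x90" * 1024), (".data", bytes(256))])

if __name__ == "__main__":
    print("packed:", packer_verdict(PACKED_SAMPLE))
    print("plain: ", packer_verdict(PLAIN_SAMPLE))
```

The two heuristics fail in opposite directions: a packer can trivially rename its sections, and a legitimately compressed resource section is high-entropy, so a real engine treats "looks_packed" as a reason to unpack or emulate, not as a verdict on its own.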
     
  5. wildrover (Guest)

    They need all the help they can get, so send 'em off ...
     
  6. ronny (Registered Member; joined Feb 18, 2004; 231 posts; Belgium)

    OK, files sent to DiamondCS for analysis. I hope it's not a waste of Gavin's time.
     
  7. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Thanks Ronny. Hopefully it will not be long before Gavin has an answer. :)
     
  8. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Don't be shy about submitting files, as it's never a waste of time: better to submit a known file or even an innocent file many times than to get infected once by something nasty, after which we'll all need lots of time to get you clean and safe again!
     
  9. pitti (Registered Member; joined Jan 5, 2004; 6 posts)

    I discovered 4 trojan downloaders on a virus scan, but my software wouldn't delete them. I have multiple security programs and didn't realize I was missing trojan coverage, so I downloaded this program to try. It didn't identify any of the files.
    I've searched on the internet and there are several different forms of the trojan downloaders. They have slightly different names and they attack different parts of Windows.
    I ended up using Kaspersky to get rid of these files. Pest Patrol also recognizes them.
    My version was called this:

    trojandownloader.win32.inservice

    I'm not a regular user of this software and was just trying it out to see if I wanted to buy it. Its failure to identify infected files doesn't inspire much confidence.
     
  10. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi pitti. Did you download the latest Radius file from here: http://tds.diamondcs.com.au/index.php?page=update and put it in the main TDS3 folder?
    Did you open Scan Control and enable all the boxes?
    Did you set the Generic detection to its highest setting?
    Were you running a resident anti-virus scanner when you did the TDS3 full system scan?

    Some downloaders are not trojans, or are not considered dangerous.
    If you still have copies of any of the files, please zip and send them to submit@diamondcs.com.au for analysis.

    HTH, Pilli
     
  11. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)

    Hi there pitti,
    Along with all Pilli's good questions, let me guess: did you use AVG?
    AVG has the habit of hiding files from other scanners, especially if you also keep the resident protection on. If you have AVG running, please open the GUI, uncheck all the marks and close it again.
    Now you should see more in scans with other scanners.
    There might be more scanners doing the same, but AVG especially is famous for it.
    Also make sure that in your folder options your settings are to show all hidden files and extensions.

    Ronny,
    if you search the HJT forum here you'll see the files you mention a lot in infected HJT logs, so I really do hope you did not get infected yourself!
     
  12. pitti (Registered Member; joined Jan 5, 2004; 6 posts)

    I run avast as my resident antivirus software; it reported no problems. I usually do an extra scan monthly with AVG, and that's how I detected the trojans.

    I did download the update, checked all the boxes, etc. The one thing I missed was turning off avast. Would that stop the detection of trojans?
     
  13. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    Those are adware downloaders, but as long as your antivirus handled it, that's a good start. We appreciate submissions of anything new which isn't detected, so send them in!

    Please note that if your antivirus detects a trojan, then it will lock the file so nothing can access it, not even TDS. This can often be the reason for a non-detection.

    Edit: INService is one name that I do remember, so it should be detected ;)
     
  14. tutankamon (Registered Member; joined Jul 10, 2003; 170 posts; Lancashire U.K.)

    Hi all,
    I downloaded some freeware icons recently into my DOWNLOAD folder on the C drive and scanned them with Norton AV: nothing reported! (I have TDS3 run on start-up and then minimise it to the system tray.) It was not until later in the evening that I maximised TDS and found to my horror that it reported "Positive ident Trojan Dropper Win32.Small.gt" embedded in the 3 icon files I had downloaded earlier. I zipped them and submitted them, then deleted the files, and also the files in my download folder. I have run a full system scan since and everything seems OK now.

    My questions are: Were the trojans "trapped" by TDS, i.e. were they still operating? Why didn't TDS maximise and warn me? I realise that I should have selected the "Scan with TDS" option while the files were still in the download folder, before opening them. Could this be another feature for TDS4 or TDS4 Pro?
     
  15. ronny (Registered Member; joined Feb 18, 2004; 231 posts; Belgium)

    I will.
    OK, now I understand why TDS didn't detect it: my eTrust realtime scanner was first :D lol and had already cleaned the bad guys and girls.
    But as long as it was zipped, it was still there, because Housecall and Kaspersky could detect it. I guess that if I executed it (if my realtime virus scanner were disabled), TDS would detect and clean it.
    It certainly feels good to be so well protected.
    Thanks again Gavin, and all of you at TDS-3, for your excellent support.
     
    Last edited: Aug 2, 2004
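Ronny's closing observation, that the sample was still sitting inside the zip where Housecall and Kaspersky could see it, comes down to whether a scanner hashes only the file it is handed or also opens archives and hashes what is inside them, nesting included. The block below is an added example of that difference, not code from this thread, from TDS or from the scanners named in it. The "signature database" is a one-entry SHA-256 hash list, the payload bytes and the nested zips are constructed in memory, and the depth and member-size caps (a guard against zip bombs) are assumed values.

```python
"""Added example: recursive archive scanning versus hashing only the outer file.

Not code from the forum thread or from any scanner it names. The 'known bad'
hash list, the archive contents and the depth/size caps are constructed
assumptions for illustration.
"""
import hashlib
import io
import zipfile

MAX_DEPTH = 4                       # assumption: stop descending into nested zips here
MAX_MEMBER_SIZE = 8 * 1024 * 1024   # assumption: skip members that inflate past 8 MiB

# Constructed sample: these bytes stand in for a downloader binary, and the
# one-entry hash list stands in for a scanner's signature database.
SAMPLE_PAYLOAD = b"MZ constructed trojan-downloader sample, not real code"
KNOWN_BAD = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "Trojan-Downloader.Constructed.Sample"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_outer_only(data: bytes, name: str):
    """What a scanner that never opens archives sees: one hash for the whole file."""
    label = KNOWN_BAD.get(sha256(data))
    return [(name, label)] if label else []


def scan_recursive(data: bytes, name: str, depth: int = 0):
    """Hash the object itself, then descend into it if it is a zip archive."""
    hits = scan_outer_only(data, name)
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Directories carry no bytes; oversized members are the zip-bomb guard.
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            hits.extend(scan_recursive(zf.read(info), f"{name}/{info.filename}", depth + 1))
    return hits


def make_zip(members) -> bytes:
    """Constructed helper: build an in-memory zip from (filename, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members:
            zf.writestr(fname, content)
    return buf.getvalue()


def nest(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` zip archives, innermost first."""
    data = payload
    for i in range(levels):
        data = make_zip([(f"level{levels - i}.zip" if i else "sample.exe", data)])
    return data


# Constructed download: an icon pack zip that itself contains a zip with the sample.
INNER_ZIP = make_zip([("sample.exe", SAMPLE_PAYLOAD), ("readme.txt", b"free icons pack")])
OUTER_ZIP = make_zip([("inner.zip", INNER_ZIP)])

if __name__ == "__main__":
    print("outer hash only:", scan_outer_only(OUTER_ZIP, "icons.zip"))
    print("recursive:      ", scan_recursive(OUTER_ZIP, "icons.zip"))
```

The depth cap is why a scanner can report "clean" on an archive that does in fact contain a known sample: once nesting exceeds the cap, the payload is never hashed, so a comparison between two products should first establish how deep each one unpacks.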