Embedded trojan

Discussion in 'Trojan Defence Suite' started by Stro, May 11, 2005.

Thread Status:
Not open for further replies.
  1. Stro (Registered Member; joined May 16, 2004; 130 posts; Memphis, TN USA)

    Although I have the paid, licensed version of TDS-3 on my two home PCs, I'm rather new to the program and would appreciate advice on my recent experience.

    When I opened TDS-3 a few days ago, it told me I had an "embedded trojan" located in symlcsvc.exe. This .exe file was a Symantec file in a /common folder. I closed TDS-3 and ran Norton Anti-Virus just to see if NAV would find anything. It didn't.

    I opened TDS-3 again and tried to delete the infected file. I finally succeeded when I selected "kill process and delete file."

    After I deleted the .exe file, however, I found I was unable to start Norton SystemWorks 2004, even after I rebooted.

    Fortunately, I had made an image using BootIt NG a few days before, so I just restored the image and all was well again.

    Note that I became infected with the embedded trojan while my Zone Alarm Pro 5 had "mobile code" enabled which blocks the following (according to ZA):
    - Scripts (vscript, etc.)
    - embedded objects (java, Active X), and
    - mime-type integrated objects
    Javascript was not blocked, however.

    I'm also running licensed Process Guard. PG is password locked on my PC with new or revised .exe blocked from running (I have teenager boys!).

    So I'm curious about the following:

    - How did this nasty get in my PC in the first place? Through javascript off a website perhaps?

    - I was unaware until now that trojans could entwine themselves in a legitimate file. What do you do if you don't have a recent image to restore? Uninstall and reinstall the software whose file became infected? I'm assuming there is no way to "cleanse" a file containing an embedded trojan.

    - Does TDS-3 have a real time scanner running in memory, or is TDS-3 simply an on-demand memory & hard drive scanner?

    - When TDS-3 deletes a file, does it go into the Recycle Bin?

    I appreciate your assistance in helping me better prepare for the next embedded trojan.

    Regards,
    Stro
     
  2. nick s (Registered Member; joined Nov 20, 2002; 1,430 posts)

    Hi Stro,

    Don't always assume you are infected even though an AV or AT scan finds otherwise. You should have a second opinion (or maybe more) to rely on. False positives are possible and I have seen legitimate apps get nuked a few times. Submitting the suspect file for analysis is also a good first step.

    Nick
     
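The "second opinion" Nick describes can be made concrete before anything is deleted. The following is an added example, not code from the thread or from DiamondCS: it uses modern PowerShell (Get-FileHash, Get-AuthenticodeSignature) to record what a defender would want to know about a flagged file, and the path in it is a placeholder, not the location of the file in the original post.

```powershell
# Added example (not from the thread): gather a second opinion on a file that an
# anti-trojan scanner has flagged, before it is killed or deleted.
# The default path is a placeholder; pass the real location with -Path.
param(
    [string]$Path = 'C:\PLACEHOLDER\symlcsvc.exe'   # hypothetical, replace with the flagged file
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256      # value to submit / look up elsewhere
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path           # vendor signature check
    $ver  = $item.VersionInfo                                      # embedded version resource

    # Which processes are executing this image right now? Relevant before
    # choosing "kill process and delete file" in the scanner.
    $running = Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $item.FullName) }

    [pscustomobject]@{
        Path           = $item.FullName
        SizeBytes      = $item.Length
        LastWriteUtc   = $item.LastWriteTimeUtc
        SHA256         = $hash.Hash
        SignatureState = $sig.Status      # Valid / NotSigned / HashMismatch / UnknownError ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        CompanyName    = $ver.CompanyName
        ProductName    = $ver.ProductName
        FileVersion    = $ver.FileVersion
        RunningPIDs    = ($running | ForEach-Object { $_.Id }) -join ','
    }
}

$report = Get-SuspectFileReport -Path $Path
$report | Format-List

# Reading the result from a defender's side:
#  - Valid signature from the vendor you expect + a hash other scanners/the vendor
#    recognise: consistent with a false positive; submit the sample and wait.
#  - HashMismatch: the image was altered after it was signed; this is the case
#    that deserves isolation and analysis rather than a quick delete.
#  - NotSigned: no conclusion on its own; compare the hash against a known-good
#    copy (installer media, another machine, the vendor).
switch ($report.SignatureState) {
    'HashMismatch' { Write-Warning "Signed image has been modified after signing: $($report.Path)" }
    'Valid'        { Write-Host  "Signature valid for signer: $($report.Signer)" }
    default        { Write-Host  "Signature state '$($report.SignatureState)'; verify the hash out of band." }
}
```

The output is the minimum a practitioner would attach when submitting the sample (path, hash, version strings, signer state) and, because it lists the PIDs currently running the image, it also shows what will break if the file is removed, which in the original post turned out to be the Symantec product itself.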
  3. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    In this case, it was a false alarm. If this was really infected, note that it would be a VIRUS - infecting another file is a virus. Trojans are self contained, the whole file is malicious.

    Trojans do however infect in memory - newer trojans often inject into a running process's memory space, as if the running process loaded it there on purpose. This is known widely as DLL trojan injection. We released ProcessGuard to stop this ever widening threat to users.

    TDS-3 deletes files completely, not to the recycle bin. If you see something embedded like this, definitely submit the file first. Generally however, TDS-3 false alarms are few and far between, I take great care to ensure they are as infrequent as is humanly possible :)
     
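Gavin's point that the modern threat is a DLL injected into a legitimate process rather than an altered file on disk can be checked from the defender's side with a module audit. The following is an added example, not DiamondCS or ProcessGuard code: it walks every process the current user can inspect, lists the DLLs each one has loaded, and flags images that are unsigned or that live outside the usual install roots. The trusted-root list is an assumption for this example; a hit is a lead to investigate, not proof of infection.

```powershell
# Added example (not from the thread or DiamondCS): coarse audit of loaded modules
# per process, flagging DLLs that are unsigned or outside the expected install roots.
# Injected modules commonly fail one of these two checks; legitimate software
# installed elsewhere (portable apps, developer tools) will also show up, so treat
# the list as triage input.

# Assumed "expected" roots; adjust for the machine being audited.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    ${env:CommonProgramFiles}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-InTrustedRoot {
    param([string]$FilePath)
    foreach ($root in $trustedRoots) {
        if ($FilePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Signature checks are slow; the same DLL is loaded by many processes, so cache by path.
$sigCache = @{}
function Get-CachedSignatureStatus {
    param([string]$FilePath)
    if (-not $sigCache.ContainsKey($FilePath)) {
        $sigCache[$FilePath] = (Get-AuthenticodeSignature -LiteralPath $FilePath).Status
    }
    return $sigCache[$FilePath]
}

$findings = foreach ($proc in Get-Process) {
    # Module lists of protected or other-user processes are not readable without
    # elevation, and 32-bit PowerShell cannot read 64-bit processes; skip those
    # rather than abort the sweep, and note them so the gap is visible.
    try { $modules = $proc.Modules } catch {
        Write-Verbose "Skipping PID $($proc.Id) ($($proc.ProcessName)): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $status = Get-CachedSignatureStatus $path
        $inRoot = Test-InTrustedRoot $path
        if ($status -ne 'Valid' -or -not $inRoot) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $path
                Signature   = $status
                TrustedPath = $inRoot
            }
        }
    }
}

$findings | Sort-Object ProcessName, Module | Format-Table -AutoSize
```

Run it from an elevated, 64-bit PowerShell session to cover the most processes. An unsigned DLL loaded from a user-writable directory (a temp or profile folder) into a process that has no business loading anything from there is exactly the pattern the post describes; the on-disk file of the host process, as in the original report, looks perfectly clean, which is why a file-hash or signature check alone would not have found it.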
  4. Stro (Registered Member; joined May 16, 2004; 130 posts; Memphis, TN USA)

    Gavin & Nick,
    Thanks so much for the information.
    Regards,
    Stro
     