execution protection failed to stop a trojan sample

Discussion in 'Trojan Defence Suite' started by help me!!!, Aug 26, 2004.

Thread Status:
Not open for further replies.
  1. help me!!!

    help me!!! Guest

    this trojan sample

    http://www.misec.net/trojansimulator/

    TDS clearly detects this trojan sample, but it didn't stop it from installing. I have TDS in the system tray with execution protection installed, but when I install this trojan sample, TDS doesn't do anything. When I look in the Task Manager the trojan server is running, and TDS is also running.

    It only detected this sample when I clicked on reload. I then deleted the file with TDS, hoping that it would clean all that remains of the sample, but it only deleted the server, not the registry entry that it created.

    The registry and file trace scan detected the entry; when I delete the entry it says that it is deleted, but when I check again it's still there, so I have to delete the registry entry manually using Autostart Viewer.

    Can anyone here verify this, or is this happening only on my box?

    Now, what if it's a real trojan?

    Or is there something wrong with my settings?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi help me!, you need to adjust your scan configuration as follows:
    under Scan Options enable "Scan for clients\edit servers" and all should be well. I take it that you have "unpack compressed exe's" enabled?

    HTH Pilli :)
     
  3. help me!!!

    help me!!! Guest

    Thanks Pilli! TDS stopped it from executing, but it didn't alert me because I have it minimized in the system tray. I only noticed it after maximizing TDS. Is there a way I could get a visual alert whenever it stops something from executing? Perhaps something like a script that I can download?

    I only trust my box with TDS-3 against trojans. How about WormGuard? Do I really need its extra layer of protection? I've heard so many good things about WormGuard and I'm considering trialling it.

    Thanks again.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There possibly is a script for this. If you are a licensed user I would go to the private TDS forum at DCS, which also includes the SS3 scripting forum.
    Jooske may already know of one, but I do not :) I think that TDS4 will address this issue by either throwing a pop-up or flashing the TDS icon.

    WormGuard does a different job than TDS3 and does not use a database as such, but you can add extensions etc. to its configuration. It is excellent at spotting possible malicious scripts and worms using its heuristic engines - well worth a try.

    Don't forget to try Port Explorer, CryptoSuite and Process Guard, which all add extra layers to your security. A new release of Process Guard is in beta testing ATM.

    Enjoy. Pilli
     
  5. help me!!!

    help me!!! Guest

    Thanks. I will try to look into the DCS forum later when I get home.

    I also have ProcessGuard Free installed. Before, I had SSM, but now there is no need to use it IMO, because ProcessGuard IMO is much better and has a lot of extra features. After maybe a month or two of testing ProcessGuard on my main box, I will consider buying the paid version if I don't encounter any issues on my main box; so far so good...
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi help me!!!,

    SSM still has real value in protecting the registry (as does RegRun) with user-customizable registry keys. PG only protects one (very important) key, and there are some ways that malware could modify other important registry settings. You can disable the SSM application protection and just use the registry protection. Here is a great thread on Registry Monitor Comparison
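An added example, not code from this thread or from TDS-3, Process Guard, SSM or any other product named in it. Two points in the thread motivate it: post 1 describes an autostart registry entry that survived deleting the trojan server file and had to be removed by hand, and post 6 notes that PG watches only one key while other registry locations can also launch programs. The script below parses the text format that regedit exports, walks the standard Windows autostart keys (a list from general Windows knowledge, not one the thread gives) and reports every entry whose target executable is missing, i.e. exactly the orphan left behind in post 1. The .reg content, the value names, the paths and the set of "present" files are all constructed for the example; against a real machine you would feed it a `regedit /e` export and replace the hard-coded set with a file-system check.

```python
"""Audit Windows autostart entries from a .reg export and flag orphaned ones."""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Standard Windows autostart locations (general Windows knowledge, not a list the
# thread gives). None: every string value is a launch command; a set: only those.
AUTOSTART_KEYS: Dict[str, Optional[Set[str]]] = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": None,
    r"hkey_current_user\software\microsoft\windows\currentversion\run": None,
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon":
        {"shell", "userinit"},
}

# Constructed .reg export in the format "regedit /e" writes; the value names and
# paths are made up for this example. Keys outside AUTOSTART_KEYS are ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleServer"="\"C:\\Program Files\\Example\\server.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\dropped.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''

# Constructed stand-in for os.path.exists() so the example runs on any OS; the
# server file has already been deleted, so its Run entry is now an orphan.
PRESENT_FILES = {r"C:\WINDOWS\system32\ctfmon.exe", r"C:\WINDOWS\system32\userinit.exe"}


class Finding(NamedTuple):
    key: str
    value: str
    target: str
    status: str  # "present", "orphan", or "unresolved" (bare name, no path)


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STR_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>"(?:[^"\\]|\\.)*")$')


def _unescape(quoted: str) -> str:
    """Drop the outer quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for the string values of an export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group("key")
            keys.setdefault(current, {})
        elif current is not None and (m := _STR_RE.match(line)):
            name = "(Default)" if m.group("name") == "@" else _unescape(m.group("name"))
            keys[current][name] = _unescape(m.group("data"))
    return keys


def executable_of(command: str) -> Optional[str]:
    """Pull the program path out of a launch command line (quoted or not)."""
    cmd = command.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: grow the prefix one token at a time until it names an .exe, which
    # is how a path with spaces (Program Files) is resolved when left unquoted.
    tokens = cmd.split(" ")
    for n in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:n])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]


def audit(reg_text: str, present_files: Set[str]) -> List[Finding]:
    """Report every autostart entry and whether its target file still exists."""
    present = {p.lower() for p in present_files}
    findings: List[Finding] = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        allowed = AUTOSTART_KEYS[key.lower()]
        for name, data in values.items():
            if allowed is not None and name.lower() not in allowed:
                continue
            for chunk in data.split(","):  # Winlogon\Userinit is a comma list
                target = executable_of(chunk)
                if target is None:
                    continue
                if "\\" not in target:
                    status = "unresolved"
                elif target.lower() in present:
                    status = "present"
                else:
                    status = "orphan"
                findings.append(Finding(key, name, target, status))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG, PRESENT_FILES):
        print(f"{f.status:10} {f.key}\\{f.value} -> {f.target}")
```

Run against the constructed export, the orphan report names two entries: the `ExampleServer` value under HKCU\...\Run, whose file is gone (the situation in post 1), and a second program appended to Winlogon\Userinit, a location outside the single Run key a registry guard may be watching (the point of post 6). The `Shell` value comes back as unresolved because `Explorer.exe` is a bare name found via the search path, so existence cannot be judged from the registry string alone.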
     