Here's a trojan you can't detect ;)

Discussion in 'Trojan Defence Suite' started by Paranoid, Mar 16, 2005.

Thread Status:
Not open for further replies.
  1. Paranoid

    Paranoid Guest

  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Paranoid,
    Did you scan with TDS with all other scanners and resident protection disabled? Or in Safe mode, and of course with a fully updated database (get the latest from the TDS site if you didn't)?
    Make sure all hidden files and extensions are showing.

    Thought you found the name of the nasty with some other scanner already?
    Tried this cleaning thread? http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41658
    You see this dll is hiding all the processes, and it's there as securers.dll.
    That's the one to locate and get rid of in the first place, after which you see things much easier.

    With its alias TrojanSpy.Win32.Agent.w it is in the TDS primaries. So it is detectable.

    If it can't be deleted just with that, you can try to get rid of that .dll with Dellater (DiamondCS free products page).

    Even after this cleansing I would scan thoroughly with unhackme, as the thing could have downloaded a rootkit or other malware.
    And as it is a backdoor, after all cleansing make sure to change all your passwords.
    Last edited: Mar 16, 2005
  3. FanJ

    FanJ Guest

    In the other thread you wrote that it was Win32.Mazocker.A according to CA.
    At the CA site http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41658 it is said that KAV calls it TrojanSpy.Win32.Agent.w.

    In the TDS-3 Primary list there are lots of TrojanSpy.Win32.Agent's listed.
    Among them is that one (of course I don't know whether it is the same).
    See screenshot.

  4. FanJ

    FanJ Guest

    LOL Jooske, we just posted at the same time about it in the TDS-3 Primary List :D
  5. Paranoid

    Paranoid Guest

    Thanks for the replies, guys. I suspect the Agent.W you are referring to is actually just the rubbish file dumping .tmps that the Trojan generates (Norton detected the .tmps as the PWSteal.Trojan, which was obviously just a ruse by the actual trojan). The CA site doesn't have a standalone utility for getting rid of it (i.e. you gotta buy the product, then download the signatures). DelLater cannot find the file ("If you can hide the file from the dir command, it's all over.") at both the Appdata and System32 folders. Unhackme reveals nothing.

    Perhaps I should download a TDS script or 3 that I am missing? I've read the Basic Configuration thread and it doesn't seem like I've set up TDS wrongly or such...and no, I never detected the actual trojan with any scanner. Only the symptoms match. :p Maybe I should run those programs while the Trojan is active.
  6. Jooske

    Jooske Registered Member

    Did you make sure all hidden files and extensions are showing in Windows Explorer?
    Did you look for the dll I mentioned?
    Did you look in that page at CA at what that dll does? It does hide files and covers the traces for detection.
    So the service has to be stopped, the dll found and deleted, maybe better in safe mode;
    disable system restore and I expect all the nasty parts to show up nicely for you to be deleted.
    TDS would see it, Norton, an online scanner, etc.
    BTW: you tried with AVG as well. Now please do yourself and the whole internet community a big favor and disable AVG completely, including its resident protection (in systray open GUI, uncheck all options, systray should grey out, close AVG GUI). AVG has the habit of hiding files from sight of any other scanner.
    Now try scanning again, eventually from safe mode.
    Did you locate the file and can you submit it to submit@diamondcs.com.au? Thanks a lot and keep us informed how you're doing.


    One thing more: there are many kinds of malware using several of the same techniques as others. So you mentioned the name of a known trojan, by no means a rootkit, but in your other thread you call it a rootkit. What makes you think it would be?
    Last edited: Mar 17, 2005
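    The checks Jooske lists above (hidden files and extensions visible, then locate the dll under AppData and System32 and see whether it is loaded) as an added PowerShell example; this is not code from the thread or from DiamondCS, and it assumes an elevated session on a current Windows, with the dll name securers.dll taken from the CA advisory linked above. If a user-mode hook hides the file from every enumeration API, this will come up empty too, which is exactly why the thread recommends scanning from safe mode.

```powershell
# Added example (not from the thread): make Explorer show hidden files and
# extensions, search the folders the thread names for the dll from the CA
# advisory, and check whether any running process has it loaded.
# Assumes an elevated PowerShell session; the dll name is the one named in the thread.

$DllName = 'securers.dll'

# 1. Explorer view settings (per-user registry values; restart Explorer to apply)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord   # show hidden files
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord   # show protected OS files
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord   # show extensions

# 2. Search the locations the thread names; -Force includes hidden and system files
$roots = @("$env:SystemRoot\System32", $env:APPDATA, $env:LOCALAPPDATA)
$found = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter $DllName -Recurse -Force -ErrorAction SilentlyContinue
}
if ($found) {
    $found | Format-Table FullName, Length, LastWriteTime, Attributes -AutoSize
} else {
    Write-Host "No on-disk file named $DllName found under the searched roots."
}

# 3. A dll that hides its own file may still be visible as a loaded module
$loaded = Get-Process | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.ModuleName -ieq $DllName } |
            Select-Object @{n='Process';e={$p.ProcessName}}, @{n='PID';e={$p.Id}}, FileName
    } catch { }   # access denied on some system processes is expected
}
if ($loaded) {
    $loaded | Format-Table -AutoSize
} else {
    Write-Host "$DllName is not loaded in any process this session can inspect."
}
```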
  7. Paranoid

    Paranoid Guest

    Yeap, hidden files and exts. are shown in Explorer.

    The .dll you mentioned is the only thing I'm trying to locate. I understand it's the lynchpin that's holding this evil thing together. :p

    I have physically disconnected the computer and only run it in safe mode every time I install new security software for scanning.

    I always hated System Restore. :D

    AVG does not run by default in Safe mode, I think... but I'll look into those options you mentioned and disable it anyway as soon as I get back from university.

    I'm really just broadly using the word rootkit because it seems to fit some terms, i.e. stealthy, backdooring, input-stealing. My apologies if I used it in error. :\

    I'll definitely send the file to you guys if I find it though. Quite a gem.
  8. Jooske

    Jooske Registered Member

    As you mentioned that infection name I came to that dll, but if it is another infection you should be looking for other files :)
    Till we know a name we don't know what to look for yet.
    Hoped the scanners would come up with something.

    Of course with system restore you could have gone back to before the infection if you know when it happened.


    BTW: you might like to register as a member of this forum: it's all free and gives you some extras here.
    Last edited: Mar 17, 2005
  9. Jooske

    Jooske Registered Member

    Thanks for joining as a forum member in the meantime!


    See the foregoing discussion in the original thread https://www.wilderssecurity.com/showthread.php?t=70797

    This sidestep of the discussion to the TDS forum is not functional at the moment.
    To keep the discussion in one thread I close this one.
    If TDS comes into play in later stages it can be re-opened.