Housecall detect and TDS-3 not??

Discussion in 'Trojan Defence Suite' started by ronny, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    For fun I did a scan with TrendMicro's Housecall. To my utter amazement it found the following trojan:
    TROJ_ANAKHA.C

    When I scanned the infected file with TDS-3, Trojan Hunter, Trojan Remover and Norton Anti-Virus, none of them found anything :eek:
    I must say that the file was zipped, but when I unzipped it and scanned it again they still didn't find anything!?

    Housecall also found "JAVA_BYTEVERA.A" although I had scanned my PC before with TDS-3 and Norton, ... but they didn't say anything. Now when I scanned "C:\DocandSettings\...\ApplicationData\Sun\Java\Deployment\..." again with Norton (I hadn't deleted the found BYTEVERA), this time Norton said I had an infection and deleted it immediately o_O So I couldn't test TDS-3 again on that one.

    Can someone explain to me why Housecall found that but the others didn't, or only too late? I don't understand this at all!

    I
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Java exploits are not detected by anti-trojan software, since they are not trojans but rather exploits of the MS Java Virtual Machine. Patching with Windows Update avoids any danger from these (very old) exploits. Also, it would require a file system filter driver to be effective in detecting these anyway, and more than one of these installed would mean a conflict with your AV monitor.

    Can you send the other file for verification? I know we do detect 2 DDoS.RAT.Anakha variants, so I would like to verify this sample. submit@diamondcs.com.au if you still have a sample.
     
  3. ronny

    ronny Registered Member

    :oops: I did a stupid thing (I have to learn a lot): I deleted the TROJ_ANAKHA.A. But I was in panic, because when I did a new scan (after I deleted the infected zip file, which was a game called Red Alert 2 Yuri's expansion, a download from Kazaa Lite (I just wanted to try this expansion; you can check me, I BOUGHT all my games and ALL good(!) software)), Trend Micro Housecall told me that it found a new infection.
    This time it was in "C:\Program Files\TDS3\xDynamic\TDS.Unpk\install.exe"!! And I thought that this program was protected because I added it to the ProcessGuard list (I'm a registered user).
    On top of it, I found an exe file from SpySweeper and some dll files also in this TDS.Unpk folder. They were not infected ... but I freaked out. I thought: "What are they doing here!!" So I deleted the whole TDS.Unpk :oops: :oops: :oops:
    But I can confirm that when I unpacked the game and clicked on the "exe" this was what I saw: "This Trojan displays the following Graphical User Interface (GUI) of installation software: http://www.trendmicro.com/vinfo/images/troj_anakha_c_img1.jpg
    " This Trojan is a UPX-compressed executable file disguised as an installer. On affected systems, its presence is indicated by an icon and a file named ShellEx.exe in the Windows system directory. Its icon is similar to that of a typical installation program.

    Upon execution, this malware drops and executes a backdoor program detected by Trend Micro antivirus as TROJ_ANAKHA.A. The dropped backdoor allows remote users to access and manipulate infected machines."

    Now I am really scared and confused: how is it possible that certain exe files and others show up in this TDS folder?
    And why didn't Housecall find an infection in the TDS folder the first time?

    OO and thank you VERY much for your reply. Next time I'm gonna calm down and keep the infected file so I can send it :oops: :)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hear the thundering voice of TDS through all your speakers reading from the ten commandments of the trojan detection handbook, don't ask me if it's the first or the last:
    "Thou shalt never delete any suspicious file or what is detected by other scanners without FIRST having sent a --preferably zipped-- copy to Gavin, submit@diamondcs.com.au"

    Hope you deleted only the super valuable contents of the Unpk folder and not the folder itself, as you need it for TDS scanning properly and unpacking copies of files there.
    Is a system restore possible?
     
  5. ronny

    ronny Registered Member

    1 :oops: : No, system restore is not possible because I closed it. So there were no restore points any more, and I immediately deleted the Norton protected bin and rebooted, as Housecall advised me.

    2 :oops: : I deleted the folder also... but I reinstalled TDS-3. Why are there things in this folder? Can you delete them? But then again, why are they in this folder?
    Where can I find more information about its purpose?

    Thank you AGAIN Jooske. I hope you don't lose your patience with people like me :rolleyes: ;)
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    That is the folder that TDS uses to unpack files whilst scanning; usually they are deleted after a scan unless the scan was stopped before completion or the file was corrupted in some way :)

    If you deleted the folder, hopefully it should be in your recycle bin, in which case the files can be extracted from there and a zipped copy sent to DCS for analysis.

    HTH Pilli
     
  7. ronny

    ronny Registered Member

    OK, I think (yes, I can think :D) I understand what TDS does in that unpack folder and why it got infected: TDS unpacks things there while it scans, and because I scanned the infected file with TDS, I think that's the reason it was there with the second scan.
    But shouldn't TDS delete those files better when it has finished scanning?! :p

    The Java thing I still don't understand. I don't use the MS Virtual Machine, I use Sun Java version 1.4.2_03 and I always have the latest updates via Windows Update.

    So how can I get infected? o_O
     
  8. ronny

    ronny Registered Member

    1) As you can read in my post (you were a bit quicker than me in posting :D) I guessed it, but still thank you for your answer. ;)

    2) No, it isn't in my recycle bin. Like I already wrote (yes yes I did, look better ;) ), I immediately deleted the protected recycle bin.
     
  9. Jooske

    Jooske Registered Member

    Any interest in an undelete software? :D
    No Ronny, people don't lose patience here, most of the time anyway, as you gave me the nice opportunity to write that part for all to see! Should make it sticky, so the whole internet world and all AV and AT developers know to send copies to Gavin first. Gavin for Anti-trojan president! Yeah! All samples lead to submit@diamondcs.com.au! Make sure he's on your lists, any of them!

    BTW: I was told, but correct me if I'm wrong, that if you deleted the Unpk folder you could manually make a folder with that name in that location yourself. Did not try, so can't guarantee.
    Files there are always copies of originals from your system to be unpacked and scanned there thoroughly and normally are deleted in the end, but if that didn't happen this or a next time you can delete them safely yourself with the above commandment in mind :)
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    I would very much like to see what happens when you run a full filescan again, and TDS UNZIPS this again. Then please send it in for analysis. It could of course be a false alarm, and I'm thinking it is a false alarm (weakish signature, or just bad luck).
     
  11. ronny

    ronny Registered Member

    For the moment nothing "bad" on my PC :D but...

    I am trying to download that "infected" file again! And when I've got it, I will let you know and send it to you. ;) This can take a while, it seems not so easy, lol, to download it again.
    Until then.
     
  12. ronny

    ronny Registered Member

    Finally, I've got it back!! :D :D And again Trend Micro Housecall said it was infected with TROJ_ANAKHA ;)

    So this time I have zipped it and sent it to:
    submit@diamondcs.com.au
    I hope you will let me (of course I mean us all) know the results. I'm very curious now (and it cost me a lot of download, :p)

    [a little later] Just got the results from Kaspersky Labs:
    Current object: install.exe

    install.exe Packed: UPX
    install.exe Infected: TrojanDropper.Win32.Small.bf

    Thus it seems the file was infected and Housecall was right.
     
  13. Jooske

    Jooske Registered Member

    You start to get the grip on it, don't you Ronny, and kind of liking it. Please do be careful and keep the thing zipped on your system if you like to keep it till Gavin's reply comes through. I created a folder where I move all suspicious things till a reply is received, so I know to be extra alert when going there.
     
  14. ronny

    ronny Registered Member

    Thank you Jooske, I am glad to tell you that I was careful. I burned the infected file on a CD-RW and then deleted the file on my PC.
    I don't need it anyway, just wanted to have it to send it to Gavin.
     
  15. Jooske

    Jooske Registered Member

    So you are creating a suspicious CD-ROM named Gavin for your files. If possible have them zipped or renamed with a non-executable extension behind them.
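    The sample-handling advice given in this thread (keep the suspect zipped, give it a non-executable extension, note which scanners flagged it, and only then delete the original) written out as a small Python routine. This is an added example, not TDS or DiamondCS code; the function names, the .zip.quar extension, the JSON manifest and the 70-byte stand-in for the thread's install.exe are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
import zipfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def quarantine_sample(path, quarantine_dir, scanner_verdicts):
    """Copy `path` into a zip named <sha256>.zip.quar under quarantine_dir,
    write a JSON manifest beside it, and return the manifest. The original
    is left in place; delete it only after this function has returned."""
    digest = sha256_of(path)
    os.makedirs(quarantine_dir, exist_ok=True)
    base = os.path.join(quarantine_dir, digest)
    archive = base + ".zip.quar"  # non-executable extension, as the thread advises
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname="sample.bin")  # neutral name inside the archive
    with zipfile.ZipFile(archive) as zf:      # prove the copy round-trips
        members = zf.namelist()
        if hashlib.sha256(zf.read("sample.bin")).hexdigest() != digest:
            raise RuntimeError("quarantine copy does not match the original")
    manifest = {
        "original_path": os.path.abspath(path),
        "original_size": os.path.getsize(path),
        "sha256": digest,
        "archive": archive,
        "archive_members": members,
        "scanner_verdicts": scanner_verdicts,  # who flagged it and who did not
    }
    with open(base + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def run_demo():
    """Constructed stand-in for the thread's install.exe: 70 bytes, not a real PE."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "install.exe")
        with open(sample, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64 + b"UPX!")
        return quarantine_sample(sample, os.path.join(tmp, "quarantine"),
                                 {"Housecall": "TROJ_ANAKHA.C", "TDS-3": "clean"})

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```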
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    I don't think I have received that file yet :(

    I haven't added a detection for TrojanDropper.Win32.Small.bf, and I do use the KAV names where possible, so it must not have arrived. It didn't bounce back for any reason, did it?
     
  17. ronny

    ronny Registered Member

    No, it didn't bounce back. I've sent it to you on Saturday 6 March 2004, 5:06 a.m., Central European Time (Brussels-Paris-Amsterdam). The subject was: "infected file according to Microtrends Housecall"

    But no problem ;) I gladly will send it back to you now immediately!

    :oops: :blink: How dumb can I be!! I've sent it to "....@diamonds.com.au" instead of "submit@diamondcs.com.au"!! But don't worry, this time I've used the right address.
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    No problems :) thanks for the file..

    Strange one, false alarm really. Full details in your inbox :)
     
  19. ronny

    ronny Registered Member

    Thank you :) Gavin!
    If someone here on the forum wants details, sorry, I think I can't post them. After all it is Gavin's "copyrighted" :D explanation. He did all the work.
    But we all can be reassured: it was a false alarm, and I understand that Housecall and Kaspersky are not to blame either for saying it was an infected file. Although a little more explanation, like Gavin did, would be very convenient. But then again, it was only an online scan.
     
  20. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Now that made for an interesting thread overall... following the "story" like a TV mini-series LOL.

    Glad it all worked out in the end guys. ;)

    Cheers, Adrian
     
  21. Jooske

    Jooske Registered Member

    Now copy this first TDSAddictionScan1.SS3 to Notepad or your SS3 editor and save it by that name, in TDS > SS3 > load script and see if it runs well for you.
    Wonder what Housecall will make of this one!
    Mind the wrapped lines, btw.
    '-----------------------------------------------
    ' TDSAddictionScan1.SS3
    ' speak, msgbox, addline, alarmbeep, Timer and Do_Events are supplied by the TDS-3 SS3 script host
    Sub main
        Dim intCount
        speak "press ok to start the trojan check"
        msgbox "TDS trojan check"
        'On Error Resume Next
        ' addline writes a line into the TDS output window under the given heading
        Call addline("TDSTrojanTest","Please standby for testing.....")
        WaitSeconds(5)
        Call addline("TDSTrojanTest","It seems that you are infected")
        WaitSeconds(4) '5 Seconds (example)
        Call addline("TDSTrojanTest",".....checking....")
        WaitSeconds(5)
        alarmbeep 3
        Call addline("TDSTrojanTest","TDS trojan detected!")
        WaitSeconds(2)
        Call addline("TDSTrojanTest","Yes, you're definitely infected with the TDS addict trojan.")
        alarmbeep 1
        Call addline("TDSTrojanTest","Symptoms: always running TDS, visiting TDS forums, playing scripts,")
        WaitSeconds(1)
        Call addline("TDSTrojanTest","waiting for the latest updates.")
        WaitSeconds(1)
        Call addline("TDSTrojanTest","Is there a cure? No.")
        WaitSeconds(1)
        Call addline("TDSTrojanTest","You'll always be addicted to the TDS trojan.")
        WaitSeconds(1)
        Call addline("TDSTrojanTest","the good news: it's a happy experience of only recycled electrons.")
        WaitSeconds(1)
        Call addline("TDSTrojanTest","And it's the first using SS3!")
        WaitSeconds(2)
        Call addline("TDSTrojanTest","Congratulations on being tested successfully positive among the first!")
        WaitSeconds(2)
        speak "Thanks for using this Trojan Addiction Test."
    End Sub

    ' Pause for NumberOfSeconds, yielding with Do_Events so the TDS window stays responsive
    Function WaitSeconds(NumberOfSeconds)
        Dim WaitTime
        WaitTime = Timer + NumberOfSeconds
        Do While Timer < WaitTime
            Do_Events
        Loop
    End Function
    '(c) The TDS Addicts Team
    '--------------------------------------------------
     
  22. ronny

    ronny Registered Member

  23. Jooske

    Jooske Registered Member

    Really works, KAV didn't even blink at all. Hmm, pity!
    Now you can copy that into your WG test.vbs and test.vbs.exe files; at least then WG should pop up for the double extension! Come on, the first SS3 trojan script!
    na-na-na-na-na-na!
    No need to submit it to Gavin, he has it already in the collection, and maybe more convincing versions from private sources, dunno........... in fact.
     