Interesting Observation.

Discussion in 'other anti-virus software' started by SDS909, Jul 1, 2005.

Thread Status:
Not open for further replies.
  1. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I found a new Trojan around the 16th of June (estimate). I submitted it to several multi-engine scan services, and only 3 AVs detected it. I carefully monitored daily to see who added it. NOD32, KAV and VBA32 had it immediately on outbreak (around the 10th?). The trojan's name is:

    Troj/Bahnhof-A
    Aliases Trojan-Downloader.Win32.Small.ayl

    What concerns me is the number of AVs that STILL haven't dealt with this outbreak. I personally sent this file to all of them, including Dr.Web, and it still hasn't been added. Also alarming was the fact that for the majority of the time only 3 AVs detected this; the rest only added it very recently.

    http://www.boredmofo.com/downloads/tj.JPG
     
  2. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    very good!
    It's very important!
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Because it seems to be a Dialer, have you checked DrWeb with Beta update defs too? If DrWeb still doesn't detect that, I believe that they are not so interested in Dialers anymore!

    Best regards,
    Firefighter!
     
  4. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    This actually broaches the issue of whether you should depend on any AV product to fully protect against spyware and trojans! :doubt:
     
  5. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Yes it was checked with Dr.Web BETA Risky/Spyware databases, still not detected.

    Also, the term "Dialer" is pretty loose, since most AVs tend to label this as a TrojanDownloader rather than a dialer. Given what this program does, and how it works, I'd also label it a trojan, and the annoyance and damage it causes should immediately have it in the databases of all major AVs.

    I should add, Norman's Sandbox actually detected it before definitions.

    I will also point out I would have been infected with this if I had not been using Safe'n'Sec, which shut it down and allowed me to examine it more closely and stop the infection. So that means this made it past 2 layers of my 3-layer security and was caught. Which is pretty much how I set it up, given the highly unlikely nature of anything ever passing Safe'n'Sec.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi SDS909,

    Which aspect of SafeNSecure stopped the malware? Was it the new process detection or was it the registry protection, or something else? Thanks.

    Rich
     
  7. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I believe it was when it tried to copy a new file to the Windows directory, but so many alarms were going off that I just blocked everything and sent the file to the AV scanners. Needless to say, I'm extremely happy with Safe'n'Sec at this point.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the info.

    Rich
     
  9. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Safe'n'Sec is really looking good.
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, this is certainly not an outbreak. And dialers are losing their purpose since more and more people are moving to Cable/DSL, which are immune to dialers.
     
  11. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    It isn't a dialer, I already said that once. Categorizing it as such is incorrect. It is a trojan downloader, and can work fine off the TCP/IP stack. Curiously, several AVs still don't have definitions for it. Pretty disappointed with Dr.Web. I used the correct submission form as well.

    I don't really care WHAT it does though, it is a trojan, and should be detected considering it is several weeks after it was discovered. Also of concern is the very long delay of the ones that now detect it.

    I think everyone checking response times checks only major outbreaks, and not these other things (which are extremely common). Smaller or less responsive AV companies seem to respond rapidly to huge, high publicity threats - and sometimes don't respond at all to lesser threats.
     
  12. Pollmaster

    Pollmaster Guest

    That's why solutions like Regdefend+Processguard+AV aren't always enough. There should be something monitoring sensitive file areas as well.

    That's why many people use PrevX as well. Or you could run as a non-admin.
     
  13. AndreyKa

    AndreyKa Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    93
    Location:
    Russia
  14. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    I've already sent it to them twice. Perhaps Dr.Web is missing it because this one is packed with YODA or something?

    Either way, the good Dr. definitely doesn't detect this for me, nor on the scan sites!
     
  15. tiagozt

    tiagozt Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    331
    Try to send by mail vms@drweb.com
     
  16. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Dr.Web JUST added detections for this, and it took someone that has a contact there to send it.

    I'm not impressed with what it took to get them to add this threat and most worrying it took them weeks and weeks to add it.
     
  17. Dave-54321

    Dave-54321 Guest

    ...or you could just use Linux!
     
  18. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Or switch to NOD.
     
  19. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I'm not so worried about DrWeb after that single sample, because there are so many new samples each day. What do you think about my "P2P-Worm.Win32.Furby" sample? I picked up that sample when I used Panda Platinum v7.0 about a year ago, and it took almost HALF A YEAR before KASPERSKY detected it. I'm not saying that Kaspersky is a bad scanner after this, because it still has the best detection rate overall. S...t happens. o_O

    Best regards,
    Firefighter!
     

    Attached Files:

  20. SDS909

    SDS909 Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    333
    Been there, done that. No thanks, won't happen again. And that's with free licenses to it. LOL
     