Malware?

Discussion in 'Trojan Defence Suite' started by Garrate, Jun 12, 2003.

Thread Status:
Not open for further replies.
  1. Garrate

    Garrate Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    6
    I just downloaded the trial of TDS-3 and manually updated it. I did a full system scan and it only hit on:
    -oddly some file in a copy of an old Win98 install disk I have on my HD
    -A VB6 database project I was working on a few months ago
    -Leaktest

    What I'm curious about is I have two EXE files that are both software installers. One of them is a copy of PowerDVD (the installer exe).

    Those two EXE installer files both have some nasty Malware planted in them (can't remember the Malware names).

    So far (including TDS-3), I haven't found a single piece of software (AV, Trojan, Spyware Finder, etc), that has ID'ed the Malware in those EXE files.

    Does TDS-3 not pick up at all on any Malware?

    Should it? I mean it's not spyware, it's "malicious ware". Both changed my default homepage to some crap, one installed EXE and dll files that could not be easily deleted, and one installed some file like "WDupdate.exe" in my XP system folder. One was a porn autodialer that luckily found no modem to dial on. :)
    One of the default homepages was some crap German site with pictures of naked Viet children and something about the US using chemical weapons on civilian villages in Vietnam (whatever). IE was not open when the homepage was reset.

    I don't want something that goes off (maybe) when those things run ... I want something to find them before they run.

    thanks...


    edit: just playing around with those files.. One of them is "aconti". I have Spyware Guard, TDS-3, Trojanhunter, NAV2003 and nothing stopped it from setting itself up. Only SpywareGuard stopped the homepage reset. Oh well :oops:
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Garrate,

    Welcome at Wilders. :)

    Q: Which kinds of malicious software does TDS detect?

    A: TDS essentially detects anything malicious that isn't a virus. This includes RAT Servers, RAT EditServers, RAT Clients, RAT Plugins, RAT DDoS Servers, FTP RATs, Droppers, Binded trojans, Packed Servers, Keyloggers, Spyware, Mail Trojans, Password Stealers, Internet Worms, mIRC Worms, Malicious DLLs, Monitors, Spyware, and many others.

    I know it also does find some dialers, but browser hijackers are an entirely different case.

    I think we'll need some more info on what was flagged, in order to help you out with those.

    Regards,

    Pieter
     
  3. Garrate

    Garrate Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    6
    Thanks, nice to be here.

    TDS-3 hit:

    -Leaktest of course.

    - A Windows 98 install disk file on one of my hard drives: F:\General\Software Install\OS IMAGES\Win98SE\tools\reskit\netadmin\pwledit

    -My VB6 Database project (both exe and uncompiled project) I think because of this code ("possible web downloader" TDS-3 says):
    ' Declaration of the urlmon API the function calls (needed for the code to compile)
    Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
        (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
         ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

    ' Downloads URL to LocalFilename; URLDownloadToFile returns 0 (S_OK) on success
    Public Function DownloadFile(URL As String, _
        LocalFilename As String) As Boolean
        Dim lngRetVal As Long
        lngRetVal = URLDownloadToFile(0, URL, LocalFilename, 0, 0)
        If lngRetVal = 0 Then DownloadFile = True
    End Function
    (that was cool - I was using it to grab html tables to stick in db tables. Nice hit! Even saw it in the EXE file)

    Missed two Malwares that were stuck in program installer files... One I've just rechecked to see what it was and it was an "Aconti" porn autodialer. I don't know if it was the Aconti changing the homepage as it was trying to install, or something extra. The other one I'm more worried about because it installed that ~"WDupdate.exe" file in my system directory. I'm not sure if it was a Malware or something else. I think when I looked it up it was a Malware though.
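    The "possible web downloader" hit on the benign VB6 project above, and the miss on the two packaged installers, both come down to the same thing: a string/import heuristic only sees what is in plaintext in the file it scans. The following is an added example written for this thread, not TDS-3's or DiamondCS's code. It applies a toy rule table (the API names and labels are assumptions, not TDS signatures) to constructed byte blobs standing in for a compiled VB6 exe, a clean exe and an installer whose payload is zlib-compressed (real installers use other container formats; zlib is just the assumption that makes the example self-contained). The outer installer scan finds nothing; scanning the unpacked payload finds the same downloader API.

```python
"""Toy 'possible web downloader' heuristic (added example, not TDS-3 code).

A scanner that keys on Win32 API names flags any program that references
them, which is why a harmless VB6 project calling URLDownloadToFile trips
it, and misses the same code once an installer has compressed it.
"""
import zlib

# Heuristic rules: API name -> label a scanner would report (assumed, not TDS rules).
RULES = {
    b"URLDownloadToFile": "possible web downloader",   # urlmon.dll
    b"InternetOpenUrl": "possible web downloader",     # wininet.dll
    b"InternetReadFile": "possible web downloader",    # wininet.dll
    b"RasDial": "possible autodialer",                 # rasapi32.dll
}

ZLIB_HEADER = b"\x78\x9c"   # default-level zlib stream header (assumed packaging)


def _encodings(name: bytes):
    """Import names are ASCII; VB6 string constants are UTF-16LE, so try both."""
    yield name
    yield name.decode("ascii").encode("utf-16-le")


def scan(data: bytes) -> dict:
    """Return {label: [matched API names]} for the bytes as they are on disk."""
    hits = {}
    for api, label in RULES.items():
        # Substring match also covers the A/W suffixed names (URLDownloadToFileA).
        for enc in _encodings(api):
            if enc in data:
                hits.setdefault(label, []).append(api.decode())
                break
    return hits


def scan_with_unpack(data: bytes) -> dict:
    """Scan the outer file, then the first zlib stream embedded in it."""
    hits = scan(data)
    idx = data.find(ZLIB_HEADER)
    while idx != -1:
        try:
            inner = zlib.decompress(data[idx:])
        except zlib.error:
            idx = data.find(ZLIB_HEADER, idx + 1)   # false header, keep looking
            continue
        for label, apis in scan(inner).items():
            hits.setdefault(label, []).extend(apis)
        break
    return hits


# Constructed samples (not real files). The VB6 blob references the urlmon
# import; the clean blob only references kernel32; the installer embeds the
# VB6 blob as a compressed payload after a small stub.
SAMPLE_VB6_EXE = (b"MZ\x90\x00" + b"\x00" * 64
                  + b"urlmon.dll\x00URLDownloadToFileA\x00DownloadFile\x00"
                  + b"\x00" * 64)
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 64 + b"kernel32.dll\x00CreateFileA\x00"
SAMPLE_INSTALLER = (b"MZ\x90\x00stub installer: extracts payload below\x00"
                    + zlib.compress(SAMPLE_VB6_EXE))

if __name__ == "__main__":
    for name, blob in [("vb6 project", SAMPLE_VB6_EXE),
                       ("clean exe", SAMPLE_CLEAN),
                       ("installer (outer)", SAMPLE_INSTALLER)]:
        print(f"{name:18} -> {scan(blob) or 'no hits'}")
    print(f"{'installer (unpacked)':18} -> {scan_with_unpack(SAMPLE_INSTALLER)}")
```

    The point for a user reading a scanner report: the VB6 hit is the heuristic working as designed (the code really does download files), and the installer miss is the same heuristic never seeing the payload; which packagers a product can unpack decides whether an embedded exe is scannable at all, as Gavin says further down.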
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Could you send me that one please?
    The e-mail address is in my Profile.

    Regards,

    Pieter
     
  5. Garrate

    Garrate Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    6
    If I can find it - yes. I can't remember what did it though. When I saw that one, I just restored a Ghost image of my system instead of dealing with it (I like that clean feeling :D).

    I think I noticed it because of an error message after a reboot. So, I'm not positive what did it and am having trouble finding it.



    looking...
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Garrate,
    that pwledit in the original win98 software is a known file on which TDS alarms as it has to do with the password file.

    For leaktest you will see it's a demo.

    The other suspicious files if you find them back please zip them and send them to submit@diamondcs.com for advice.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    I think most has been explained, however it depends on the package whether an embedded EXE will be scannable. We are working on this, can you send in the packaged EXE file which has malware inside it?

    We don't detect porn diallers unless they are truly a trojan style dialer. For that, it has to dial automatically, no $4.95 a minute warning window, nothing ;)

    Please email anything you like to support@diamondcs.com.au and I'll get back to you on Monday :)
     
  8. Garrate

    Garrate Registered Member

    Joined:
    Jun 12, 2003
    Posts:
    6
    Thanks.. been gone a few days (sorry). I deleted the one file with the Aconti already and never found the other installer with the different Malware.

    Actually, the reason I noticed the Aconti thing was because after a reboot I got a notice that the Aconti.exe was trying to use some OS dialer - and no hardware was attached (or something like that). So, it did try to install and dial secretly without my knowledge (I think).

    I may know where to go get that file again though....


    BTW: I was going to go ahead and pay. I wish you had another (cheap) package for just TDS-3 and Wormguard alone. :D
     