NOD32 missed Trojan-Downloader Win32.IstBar.

Discussion in 'NOD32 version 2 Forum' started by alien x, May 30, 2005.

Thread Status:
Not open for further replies.
  1. alien x

    alien x Registered Member

    Joined:
    May 6, 2005
    Posts:
    29
    Last edited by a moderator: May 30, 2005
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
  3. alien x

    alien x Registered Member

    Joined:
    May 6, 2005
    Posts:
    29
    I am sorry, I forgot to tell you that the file I am talking about is a program called
    S3K_full_YSB.exe (serial 3000), and it is only the program alone.
    So is it still considered malware?

    I have checked using VirusTotal and the result:
    http://www.sfhty.com/u/24413200505301058251.jpg
     
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Yep, Trojan-Downloader.Win32.IstBar.ja is also undetected by NOD32. And so are probably a bunch of other IstBar variants. I guess it's got something to do with what ESET people prioritize. My guess is that this "spyware" (?) is low priority and not really that destructive.
     
  5. alien x

    alien x Registered Member

    Joined:
    May 6, 2005
    Posts:
    29
    Well, it doesn't seem less harmful, does it?

    Trojan-Downloader.Win32.IstBar.gen
    Aliases: Trojan-Downloader.Win32.IstBar.gen (Kaspersky Lab) is also known as: Trojan.StartPage.61 (Doctor Web), TR/Dldr.IstBar.G.1 (H+BEDV), Trojan.Downloader.Istbar-38 (ClamAV)
    Detection added: Dec 01 2004
    Description added: Apr 12 2005
    Behavior: TrojanDownloader
    Technical Details

    This is a generic detection for a family of Trojan downloaders. These malicious programs will download a range of other malicious programs from the Internet to the victim machine.
    Programs from this family may create the following registry values:

    [HKLM\SOFTWARE\DR_S]
    [HKCU\SOFTWARE\DR_S]
    [HKLM\SOFTWARE\Classes\drs.n\uID]
    [HKCU\SOFTWARE\Classes\drs.n\uID]
    All programs in this family have an identical way of getting URLs from where they will download additional malicious programs. Every 30 minutes a program from this family will download a file from, for instance, hxxp: //www.adzhooter.com/DR_S/gSD.html. This file contains addresses which direct the Trojan to other sites where it can download additional malicious programs:

    |5|20050406|
    ts|http://www.adzhooter.com/DR_S/bp/as_8_new.exe|1|bs_8_new.exe|1.0|1|
    adsh|http://www.adzhooter.com/DR_S/bp/afita.exe|2|afita.exe|1.2|1|
    sfitb|http://www.adzhooter.com/DR_S/bp/SYSsfita.dll|3|SYSsfita.dll|1.0|2|
    ezu|http://www.adzhooter.com/DR_S/bp/wzStub.exe|3|wzStub.exe|1.0|1|
    sfisb|http://www.adzhooter.com/DR_S/bp/ReplaceSearch.dll|3|ReplaceSearch.dll|1.0|2|

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=66843
     
    Last edited by a moderator: May 31, 2005
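The quoted encyclopedia entry describes the downloader's pipe-delimited instruction file but does not say how a defender would turn it into something usable. The following is an added example, not code from the thread or from any vendor: it parses the manifest text exactly as quoted above (with the forum's wrapped lines joined) into records, pulls out the hosts, URLs and dropped file names for a block list, and flags entries whose on-disk name differs from the name in the URL. The field names in `FIELDS` and the reading of the header's second field as a record count are my assumptions; the format is undocumented in the thread.

```python
from urllib.parse import urlparse

# Manifest as quoted in the thread from the Kaspersky encyclopedia entry,
# with the two lines the forum wrapped joined back together.
MANIFEST = """|5|20050406|
ts|http://www.adzhooter.com/DR_S/bp/as_8_new.exe|1|bs_8_new.exe|1.0|1|
adsh|http://www.adzhooter.com/DR_S/bp/afita.exe|2|afita.exe|1.2|1|
sfitb|http://www.adzhooter.com/DR_S/bp/SYSsfita.dll|3|SYSsfita.dll|1.0|2|
ezu|http://www.adzhooter.com/DR_S/bp/wzStub.exe|3|wzStub.exe|1.0|1|
sfisb|http://www.adzhooter.com/DR_S/bp/ReplaceSearch.dll|3|ReplaceSearch.dll|1.0|2|
"""

# Field names are my own labels (assumption): the thread does not document the
# format, so only 'url' and 'filename' are interpreted; the rest stay raw strings.
FIELDS = ("tag", "url", "kind", "filename", "version", "flag")


def parse_manifest(text):
    """Split the pipe-delimited manifest into a header dict and a list of records.

    Lines without exactly six fields, or whose URL is not an absolute http(s)
    URL, are rejected rather than guessed at, so a truncated or tampered
    manifest fails loudly instead of yielding half an indicator list.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty manifest")

    # Header "|5|20050406|" splits to ['', '5', '20050406', '']. The second
    # field equals the record count here; treating it as one is an assumption.
    hdr = lines[0].split("|")
    if len(hdr) < 3:
        raise ValueError(f"bad header line: {lines[0]!r}")
    header = {"count": hdr[1], "date": hdr[2]}

    records = []
    for ln in lines[1:]:
        parts = ln.rstrip("|").split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in {ln!r}")
        rec = dict(zip(FIELDS, parts))
        u = urlparse(rec["url"])
        if u.scheme not in ("http", "https") or not u.netloc:
            raise ValueError(f"not an absolute http(s) url: {rec['url']!r}")
        rec["host"] = u.netloc.lower()
        rec["remote_name"] = u.path.rsplit("/", 1)[-1]
        records.append(rec)
    return header, records


def indicators(records):
    """Collapse the records into block-list material for a proxy or hosts file."""
    return {
        "hosts": sorted({r["host"] for r in records}),
        "urls": sorted(r["url"] for r in records),
        "files": sorted({r["filename"].lower() for r in records}),
    }


def renamed_on_disk(records):
    """(remote name, local name) pairs where the dropped file is saved under a
    different name than it was fetched as; searching disk for the URL's
    basename alone would miss these."""
    return [(r["remote_name"], r["filename"]) for r in records
            if r["remote_name"].lower() != r["filename"].lower()]


if __name__ == "__main__":
    header, recs = parse_manifest(MANIFEST)
    print(f"manifest dated {header['date']}, {len(recs)} entries")
    for name, values in indicators(recs).items():
        print(name, values)
    print("renamed on disk:", renamed_on_disk(recs))
```

Run as-is to see the indicator sets; the one rename it reports (`as_8_new.exe` fetched, `bs_8_new.exe` written) is the kind of detail that makes a file-name-only IoC search incomplete.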
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'm certain Eset will get on to it; they do prioritise what is included, though.

    Cheers :D
     
  7. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, alien x

    If not considered malware, it is not very good for software owners or makers, that's for sure. [hacked serials]

    Take Care,
    TheQuest :cool:
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    We all know that ESET has problems detecting Trojans, so let's wait...they should improve it, or not o_O
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's ridiculous that NOD32 should detect installers for non-malicious programs. Actually, this particular installer drops some kind of spyware/adware detected by NOD32, but it also contains a regular application that does not do anything malicious. I can tell you for sure there are hundreds (if not thousands) of real trojans, backdoors, dialers and spyware detected only by NOD32's advanced heuristics which are not picked up by any of the big AV "players".
     
  10. Happy Bytes

    Happy Bytes Guest

    I'm back :cool:

    And this trojan downloader IS detected. I've just tested it here. Detected as generic detection during installation.
     
  11. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Ok, I tried running the Trojan Downloader on my computer. It ran without interruption from AMON. It wasn't until it tried to download something called "istdownload.exe" from www.ysbweb.com that NOD (IMON) first reacted.

    In other words, NOD doesn't detect/stop the trojan downloader itself from running, but it stops (and detects) whatever it's downloading.
     
  12. alien x

    alien x Registered Member

    Joined:
    May 6, 2005
    Posts:
    29
    emmmmmm o_O
    I thought NOD32 would detect it before running it.
     
  13. bsilva

    bsilva Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    238
    Location:
    MA, USA
    I have to disagree with you, Marcos. This installer is causing unnecessary traffic in the network, and to me this is a problem because it's trying to download something malicious.
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    BornMember

    I split your post off this thread, as it was an opinion post, not a support question, and put it here.
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I forgot to mention that since NOD allows the Trojan Downloader ("regular_plugin.exe") to run, even if it doesn't get to download the "istdownload.exe" file, it is allowed to make changes in the Windows registry.

    I got the following registry entry added after running the "regular_plugin.exe" (Trojan-Downloader.Win32.IstBar.ja):

    HKU\S-(lots of numbers...)\software\ist\
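kjempen's observation that the downloader writes registry keys before it ever fetches anything suggests a host-side check that does not depend on the download being blocked. The following is an added example, not code from the thread: it takes the registry locations named in this thread (the four keys from the Kaspersky entry plus the `software\ist` key under the user's SID) and matches them against a registry-activity log. The log sample is constructed by me in a Process Monitor-style CSV layout with a made-up SID; the column names and the set of operations treated as writes are assumptions, and `HKU\<SID>\` is folded into `HKCU\` because that hive is what HKCU aliases for the logged-on user.

```python
import csv
import io
import re

# Registry locations named in the thread. The HKU\S-...\software\ist entry from
# kjempen's post is written as HKCU, since HKCU aliases the user's HKU\<SID> hive.
SUSPECT_KEYS = (
    r"HKLM\SOFTWARE\DR_S",
    r"HKCU\SOFTWARE\DR_S",
    r"HKLM\SOFTWARE\Classes\drs.n\uID",
    r"HKCU\SOFTWARE\Classes\drs.n\uID",
    r"HKCU\Software\ist",
)

# Constructed sample (not a real capture) in a Process Monitor-like CSV layout;
# the SID is made up. Column names are an assumption about the export format.
SAMPLE_LOG = """\
"Time of Day","Process Name","Operation","Path","Result"
"10:58:25","regular_plugin.exe","RegCreateKey","HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\software\\ist","SUCCESS"
"10:58:26","regular_plugin.exe","RegCreateKey","HKLM\\SOFTWARE\\DR_S","SUCCESS"
"10:58:27","explorer.exe","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer","SUCCESS"
"10:58:31","regular_plugin.exe","RegSetValue","HKCU\\SOFTWARE\\Classes\\drs.n\\uID\\(Default)","SUCCESS"
"10:58:32","regular_plugin.exe","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName","SUCCESS"
"""

# Operations that modify the registry; reads are ignored by default so that
# ordinary software enumerating keys does not trip the check.
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}

_HKU_SID = re.compile(r"^hku\\s-[0-9-]+\\")


def normalize(path):
    """Lower-case the path, drop a trailing backslash, fold HKU\\<SID>\\ to HKCU\\."""
    p = path.strip().rstrip("\\").lower()
    return _HKU_SID.sub(lambda m: "hkcu\\", p)


_NORMALIZED_KEYS = tuple(normalize(k) for k in SUSPECT_KEYS)


def is_suspect(path):
    """True if the path is one of the listed keys or any value/subkey beneath one."""
    p = normalize(path)
    return any(p == k or p.startswith(k + "\\") for k in _NORMALIZED_KEYS)


def scan(csv_text, write_only=True):
    """Return (process, operation, path) for every matching row of the CSV log."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if write_only and row["Operation"] not in WRITE_OPS:
            continue
        if is_suspect(row["Path"]):
            hits.append((row["Process Name"], row["Operation"], row["Path"]))
    return hits


if __name__ == "__main__":
    for proc, op, path in scan(SAMPLE_LOG):
        print(f"{proc:20} {op:14} {path}")
```

Matching on key prefixes rather than exact strings is deliberate: the thread reports the keys, not the value names written beneath them, so a value such as `...\drs.n\uID\(Default)` still counts. The SID fold means the same rule fires whether a tool reports the path as HKCU or under the raw HKU hive.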
     