Please help: who is this RAT ?

Discussion in 'Trojan Defence Suite' started by paperinik3, Jan 25, 2005.

Thread Status:
Not open for further replies.
  1. paperinik3

    paperinik3 Registered Member

    TDS-3 tells me I'm infected with a RAT.Haxdoor trojan (file trace in C:\WINNT\System32\w32tm.exe). I've sent the file to DiamondCS but apparently my mail client is knocked out. I've told TDS to delete the file - it seems unable to do so.
    I have also googled for this RAT.Haxdoor - unknown. Please advise. :oops:
     
  2. no13

    no13 Retired Major Resident Nutcase

    RAT = Remote Administration Tool.
    Haxdoor is pretty famous.
    Try googling "haxdoor removal".
     
  3. no13

    no13 Retired Major Resident Nutcase

  4. paperinik3

    paperinik3 Registered Member

    Hi, I'm a bit late in answering because I perused the Symantec instructions for removal and then went to the registry to delete all the registry entries added by the RAT.
    Well, there weren't any: I think that ProcessGuard must have closed the door. Very interesting!
    Thank you very much for your help no13 ! :D
     
  5. TonyKlein

    TonyKlein Security Expert

  6. JamesRH

    JamesRH Guest

    I have the exact same problem. Checked and I also found no reg. entries - but I get the same warning every time I scan:

    File Trace: Default trojan filename: RAT.Haxdoor
    File: C:\WINNT\System32\w32tm.exe

    When I tell TDS-3 to delete the file, it lists it as deleted, but it shows up again as soon as I scan... Is it still there? Is it still a problem?
     
  7. TonyKlein

    TonyKlein Security Expert

  8. JamesRH

    JamesRH Guest

    Thanks Tony. I didn't know this forum had stopped offering those services. I'll check out the links you posted.
     
  9. TonyKlein

    TonyKlein Security Expert

    You're welcome. Do check out that Symantec link I posted though; it may help.
     
  10. whatsup

    whatsup Guest

    Same problem with w32tm.exe, no reg entries. Also scanned with Pest Patrol, which is supposed to find and delete RAT.Haxdoor; it didn't find anything. Tried a couple of online scans, again nothing. Could this be a false positive?
     
  11. beethoven

    beethoven Registered Member

    I am also wondering if this RAT is a false alarm. I just updated the radius TD-3 and then found it on two PCs. None of the other AV or AT programs picks up anything, and while I can find the files on my PCs, the last modification date according to Explorer was 23/8/01 and 21/9/03 respectively.
    One PC is running XP, hardware and software firewall, NOD32, and as I am testing AT programs it's also running Ewido and Spywaresweeper. Apart from TDS-3, none of the other programs has given me any alert. I even downloaded Trojanhunter to check and nothing is shown.

    The other PC is W2000 with NAV. According to the earlier link, Symantec detects this trojan and can remove it. However when I run a scan with the latest updates, NAV does not show any RAT or Backdoor...

    I am a bit frustrated, as I feel running all these programs does not make me feel more secure, just more paranoid :mad:
     
  12. FanJ

    FanJ Guest

  13. illukka

    illukka Spyware Fighter

    Hi,

    Guys, Haxdoor drops several files when installed: EXEs, DLLs, and SYS files.

    The other components reload the EXEs.

    Scan with TDS in safe mode; do all possible scans in TDS's menu.

    Set the heuristic sensitivity to max before scanning.

    And before deleting anything, post the scandump.txt for us to see... then delete everything with positive identification.
     
  14. beethoven

    beethoven Registered Member

    @FanJ - thanks for that link. While it sounded promising (as the alert is trace related), it does not help me (or I don't know how to do it properly).
    When doing it on PC 1, my normal account has admin privileges, and if trying to use the other option by typing in administrator I get the following error message: "the service cannot be started, either because it is enabled or because it has no devices associated with".
    On the other PC (W2000) there is no "run as" option when right-clicking TDS-3. :'(

    @illukka, I have run the scan several times but it only shows up one file trace.
     
  15. FanJ

    FanJ Guest

  16. beethoven

    beethoven Registered Member

    Thanks for the great link - I ran both scans and nothing showed up at Kaspersky or Jotti. :D
    Feeling a bit more relaxed now, though these two scans of course do not necessarily prove anything. Would a trojan even show up there, as these are virus scans?
     
  17. FanJ

    FanJ Guest

    Hi Beethoven,

    Thanks for letting us know :D

    As for KAV: usually you would say, yes indeed it would tell you so.
    There is of course always a chance that something is not yet in the defs of a scanner.

    I had a little bit the feeling that, when I saw several people posting here in this thread about the same warning on the same file, there could be a false positive from TDS-3 (that can happen to all scanners).
    Maybe others with that same warning could also post the results on those online scanners.

    I really don't know whether it is indeed a false positive or not.
    I guess we have to wait for Gavin to have a closer look at it.
    But since it is Australia Day, a public holiday in Australia, we might have to wait until tomorrow.

    As for your question about running TDS-3 as admin:
    all I can do is point to that thread from Gavin; I myself have only W98SE, so it would make no sense for me to try to tell more about it.
    I hope others can help you here.


    EDIT :
    I want to make clear that I wrote:
    I really don't know whether it is indeed a false positive or not.
     
    Last edited by a moderator: Jan 26, 2005
  18. ---

    --- Guest

    You should boot from the Windows boot CD, use the repair console and delete the dropper file, maybe the w32tm.exe file or other infected files. Note: it is possible that many AT/AV scanners cannot remove the trojan files of the Haxdoor family, also not in safe mode.
     
  19. Dieter Bressem

    Dieter Bressem Registered Member

    Today TDS-3 found this "Trojan" on my machine, too.
    I think it is a false alarm because no TCP port 7080, 8008 or 16601 is open and no file c3.sys, boot32.sys, smtapi.sys etc. can be found.
    BTW I am waiting for the signatures from today.

    WTM32.EXE
    SIZE: 61,440 bytes
    CREATED: 15 April 2004
    VERSION: 5.0.2195.6824

    I started the program; the cmd box will open, but nothing happens any more.
    After starting, also no infection found.
     
  20. lagerstedt

    lagerstedt Registered Member

    TDS-3 found this one on my PC too, but only in WINNT/System32, and it turned out to be a normal Windows file. I scanned with Norton AV with today's definition files; nothing was found. Then I scanned with Trend Micro, same result. I think that TDS-3 simply reacted to the file name and gave a warning "default trojan filename". I tried to submit the file, but could not understand the procedure. Some of TDS's instructions are cryptic. I hope that this is cleared up in the next definition update.
     
  21. linney

    linney Registered Member

    I vote for a false positive on W32tm.exe as the reason.
     
  22. whatsup

    whatsup Guest

    After I first posted that this might be a false positive, I spent the rest of the day scanning with everything you can imagine; the outcome still nothing. Like Beethoven & Dieter I checked the dates on the rogue files and they are 2001 & 2004. Also, as Dieter mentions, none of the suspect ports are open. I did send an email to the TDS guys and waited all day for some kind of answer - Australia Day holiday, of course no one at work; silly me, I am an Australian and didn't realize. So now as well as being paranoid I'm apparently unpatriotic. Boy, you can get lost on a wild goose chase. Got so caught up I even missed the cricket - now that is serious. My money is still on a false positive.
     
  23. whatsup

    whatsup Guest

    Just did an MD5 check on w32tm.exe and compared it with the same file on a machine saying it's clean; both numbers the same.
     
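    The check whatsup describes, as an added example that is not part of the thread or of TDS-3: fingerprint the flagged file and a copy taken from a known-clean machine, then compare size, MD5 and SHA-256 to decide whether the two binaries are identical. The file names and the byte payload in `demo()` are constructed stand-ins, not the real w32tm.exe.

```python
"""Triage a scanner hit by comparing the flagged file with a known-clean copy."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class FileFingerprint:
    path: str
    size: int
    md5: str
    sha256: str


def fingerprint(path: str, chunk_size: int = 65536) -> FileFingerprint:
    """Hash the file in chunks so a large binary never has to fit in memory."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return FileFingerprint(path, size, md5.hexdigest(), sha256.hexdigest())


def compare_with_reference(suspect_path: str, reference_path: str) -> dict:
    """Compare a flagged file with the same file from a machine the scanner calls clean.

    Size is checked alongside both digests; SHA-256 is included because MD5 alone
    is no longer collision-resistant. A match supports a false-positive verdict only
    if the reference machine is itself trusted to be clean.
    """
    suspect, reference = fingerprint(suspect_path), fingerprint(reference_path)
    identical = (suspect.size == reference.size and suspect.md5 == reference.md5
                 and suspect.sha256 == reference.sha256)
    verdict = "matches clean reference" if identical else "differs from reference"
    return {"suspect": suspect, "reference": reference,
            "identical": identical, "verdict": verdict}


def demo() -> tuple:
    """Constructed sample: a clean copy, an identical suspect, and a one-byte variant."""
    tmp = tempfile.mkdtemp()
    clean, same, patched = (os.path.join(tmp, n) for n in
                            ("w32tm_clean.exe", "w32tm_suspect.exe", "w32tm_patched.exe"))
    payload = b"MZ" + b"\x00" * 1022  # constructed stand-in, not the real binary
    for path, data in ((clean, payload), (same, payload), (patched, payload[:-1] + b"\x01")):
        with open(path, "wb") as fh:
            fh.write(data)
    return compare_with_reference(same, clean), compare_with_reference(patched, clean)


if __name__ == "__main__":
    for result in demo():
        print(result["suspect"].path, "->", result["verdict"])
```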
  24. beethoven

    beethoven Registered Member

    :D Just got my response from TDS - it's a false alarm and will be removed soon :D
    Thanks everybody for your support, and thanks to TDS for getting back so quickly :-*
     
  25. whatsup

    whatsup Guest

    Just received an email from TDS:

    False alarm, this file exists if you have the Windows Time service enabled
    Removing the detection today

    Well, that was enough excitement for a few days, hey folks.
     