RAT.Retribution

Discussion in 'Trojan Defence Suite' started by esc9d, Sep 9, 2003.

Thread Status:
Not open for further replies.
  1. esc9d

    esc9d Registered Member

    Joined:
    Sep 9, 2003
    Posts:
    1
    Hi All,

    I am new the forum. I just ran the TDS Professional scanner and came up with a RAT.Retribution trojan on my machine, using a file located at C:/autoexec.exe. This is obvioiusly a trojan as I checked my other Windows XP machines and I cannot find it on any of their hard drives so it is not a system file. I am wondering if anyone has heard of the retribution trojan and can tell me what exactly it allows people to do to my computer, i have evidence already that I have been hacked and that my keystrokes and instant messages are recorded on that machine. I am trying to figure out exactly what this trojan allows the hackers to do and more importantly how to catch them doing it. Thank you so much, any help would be appreciated.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello esc9d and welcome!
    The Retribution has several variants, RAT or backdoor, did not find a proper description of them, but many scanners detect them.
    autoexec.bat is on many windows versions a normal system file, not on all though, and autoexec.exe sounds suspicious!
    If you look closer to the file, was it recently created and modified?
    You can zip the file and submit it to the TDS lab for deeper advice if you like submit@diamondcs.com.au .

    If you look in the autostart explorer and process list, do you see unknown/illegal processes there and maybe changes to the autostart?
    You can kill processes from there, if you're not 100% certain of specific registry keys in the autostart you might prefer to uncheck them in the start > msconfig > startup tab as you can very easy put those checks back if needed, easier then re-addibng a deleted registry key!

    You might like to change the file extension of that autoexec.exe and see if your computer still runs ok after reboot.
    From a backdoor or rat one can expect in fact everything and you noticed some bad parts already, maybe as part of this infection, maybe there is more the matter on your system.

    You should really do several things:
    First of all update the TDS database --for an evaluation version you should do that on the DCS site, after getting the file start TDS and do a full scan with everything checked and on highest sensitivity.
    Maybe you prefer this scan when not connected to internet to avoid possible manipulation via the backdoor(s) if still active.

    If you know when you got infected it might be the easiest way though to get back to an older system restore point?

    If in the scan alerts are more suspicious files, don't hesitate to submit them too.

    Anyway, if you can get clean this way, disable your system restore, reboot, enable system restore again and manually create a new restore point which you might like to check before continuing.

    If all this is ok, you might like to go for an online scan as a second opinion.

    You will like to use Port Explorer to see all your connections online, processes and ports mapped to use for those, ability to sniff all packets send on and back, disable and kill connections and see even in one blink of an eye possible hidden and/or trojan connections and lot more.

    Hope this helps to start with. Please keep us updated about your experiences.
    Oh, once at the DCS site, get the AutoStartViewer from the free tools and APM, get the whole lot you like as they might get very handy at some moment.
    Really check all that's starting and running.
    You might like to post your autostartviewer log with all options checked for review here in the forum.

    Looking forward to your next postings!
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Was the file positively identified in a file scan ? If not, email a copy to submit@diamondcs.com.au and then delete it, we will let you know ASAP - sorry for the downtime at the moment

    There are a few trojans that use this trace, and a couple of worms, so just the filename triggered an alarm most likely
     
Thread Status:
Not open for further replies.