Discussion in 'Trojan Defence Suite' started by controler, May 13, 2002.
Why does TDS-3 show in the main window
Scanned 0 files when I do a full system scan?
Have you checked out the configuration options and scan control stuff?
You may have some setting to adjust?
Sounds like you scanned an empty drive or maybe only a single folder?
stiff upper lip controler, we'll get you rollin.
Everything is set to default and I requested a full scan.
Before the update today, the plugins button was grayed but now it works.
I will run a scan again and see if it still shows 0 files scanned.
Yesterday I got a warning in Lockdown saying an attempt was being made on a port and it was Darkangle RAT.
Now after setting the scanning options in scan control as you suggested, I got a warning that that RAT was in my recycle bin. I did an undo of recycle and am doing a full scan again. Will let ya know how it goes.
Shows a legit number now after config for files scanned, but what worries me is the detection of the RAT in the recycle bin, and that after undoing the recycle bin and doing a full scan again, nothing shows up.
I am pretty sure it has something to do with Kazaa Lite, a P2P program I am using.
What do you mean by "undoing the recycle bin"?
Are you able to do a right-click scan on the possible file or scan the whole recycle bin on highest sensitivity and everything checked?
Could it be Lockdown does not like to work fine with TDS?
I don't see where you can scan the recycle bin with TDS with a right click or even the files inside the bin.
What I mean by undoing is this.
Go to the recycle bin and select restore all.
When you do that all the files in the bin go back to where they came from on your hard drive.
I am saying when you do a full scan with TDS it seems to check the recycle bin and that is where I GOT THE MESSAGE about the RAT. After restoring the items from the recycle bin back to their undeleted state and running a full scan with TDS (LockDown not running)
I get no RAT found. Weird stuff there and maybe mutations? LOL
Funny. I did a full system scan yesterday and TDS came up with DAngel.rat in the recycle bin. I had two files in the bin, neither of which were named the file that TDS3 said was there.
Also during the scan, F-Secure popped up and said I had some kind of virus in TDS3. Unpacker.exe or something like that. I knew it was a false positive, so I just ignored it.
I don't get too upset about false positives, so I didn't write down what was going on. If it repeats, I'll write down the info.
Now I understand what the undo with the recycle bin was, sorry.
If you go to Windows\Explorer, find the recycle bin and you can click on the thing (right-click) to scan it as a folder, or open it and you should be able to scan each item with right-click.
Another way is via TDS console > Scan System > and search in the upper choice the files/folders (recycle bin) you want to scan with that.
That would be two ways.
Just realising, the recycle bin doesn't give the full pathnames where the thing came from, and very often it is stored under a coded name.
Did you look deeper in the find in the lower window with the scan alerts for further investigation, dumping its name on the scandump?
Darkangel RAT... isn't that one of those ICQ worms?
Any idea how you could have got the thing anyway?
Could not find info about it yet via googling (is it my impression only that the results are worse than before since Google is commercial?)
What I don't like is the same alert doesn't show up anywhere since putting it back into place!
Can't find the name, not even on f-secure which you said popped up!
If such a thing ever happens, false positive or not, please be so good as to alert the TDS-lab with a submission so they can refine their databases.
Hope all is ok with the system, as for sure there is no new "undo" button to put the files back in the recycle bin and try again..... or ...?
I got that RAT alert with Lockdown first when I was using ICQ. I actually got two alerts of two different attempts to gain access to my puter. Then I scanned with TDS-3 and got an alert that RAT was in my recycle bin. I then restored the items from the recycle bin and can't get the dang thing to show up again with either Lockdown or TDS-3. This really bugs me. It is like the dude knew he was being watched and pulled it off my computer again. LOL
I am not smart enough to catch that stuff.
Do I need to try Fprot too?
This is indeed intriguing. I am not sure there is much I can do from here. Try updating TDS3's def list again when a new one is out and scan again. Why the RAT may have disappeared when restored is odd.
With today's updates here is what I get.
Full system scan =
Scan Control Dumped @ 18:24:31 13-05-02
Live trojan found (in process memory): RAT.Netbus 1.70
File: C:\PROGRAM FILES\LOCKDOWN MILLENNIUM\LOCKDOWNADVANCED.EXE
If I go to the Lockdown folder and do a right-click and scan, nothing is found. From what I am guessing, it is not warning that the EXE is a problem with right-click but rather only with Full Scan, and NO, I didn't delete my Lockdown.EXE program after the TDS-3 warning.
If I turn off TDS and turn it back on and it goes through its memory scan, it finds nothing does TDS-3 warn this is a RAT
What's up with that?
ONLY ON A FULL SYSTEM SCAN
We may require Wayne or Gavin on this one. If I was to guess, I'd guess false positive.
Better said: I HOPE it's a false positive.
Maybe you have something in your settings for some test which is not in the configuration start up scans?
Anyway like said: always update to the latest references daily, scan.
Do send the file to TDS lab please with this remark.
About the RAT:
I have seen over the years with several scans that a zipped file was alarmed on, but not the installed or unzipped version of the same, so very difficult to say...
For your RAT you could go in Explorer and find by date the new, modified or changed files, so if you remember the exact date it took place that might help.
As it is intriguing. Looked for that darkangle rat, but no info other than that dark angle exists and affects com and exe files, if we are talking about the same.
It is in the TDS primaries though so should be caught.
Hope you find back the annoying nasty.
I would do every possible scan, online scans at panda, housecall, bitdefender, all my local software, but first do that find and right-click scan any file which is not TXT, I guess.
Don't you run pestpatrol too with all options on for file extensions to look at, even in txt files? Just a thought, I don't know if they have that nasty in their database.
Just thinking: maybe there is some code which is able to join some other code from the computer (for instance from protective databases) into a new nasty, some intelligence action
I will send the file in tonight if today's file update still shows the file as a RAT.
Since the program is memory resident, you cannot right-click and scan the file itself.
To detect it with TDS, I must either do a full scan or a process memory scan. TDS detects the file when the program is executed and not just sitting there.
I don't have TDS or LockDown set to kick on when Windows starts. As I grow older I don't seem to have the patience to load all that stuff at startup.
I uninstalled Norton Antivirus while doing some testing here too.