TDS file or a Trojan??

Discussion in 'Trojan Defence Suite' started by winetou, Feb 27, 2004.

Thread Status:
Not open for further replies.
  1. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    I've had TDS3 for over a year and today for the first time a file called MSXMIDI.exe tried to access the net.

    One copy of this is in C:/Windows, another in the TDS folders.
    File creation date is today; size 6,656 bytes.

    Googling only finds the Pest Patrol site, which lists this as a hijacker.

    So, my question is whether this is a legit TDS file or something dropped into the TDS folder to fool TDS.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    That is what I found, but the file listed by Pest Patrol is much larger; this one on my PC is only 6.5 KB.

    And why, of all folders, would it be present in the TDS/xDynamic/TDS.Unpk folder?

    I'll e-mail it to them and see what they say.

    By the way, it tried to contact the Diamond CS site. So it looks like a legitimate file, but this is the very first time it has tried to dial out in a year, which is what makes me suspicious.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    That folder is where TDS unpacks files for checking; usually they are deleted after a scan unless they are corrupted in some way or the scan did not complete for some reason.

    Are you sure it was that file that tried to get out or the TDS updater which is set for auto on Fridays and Mondays?

    Please send it to Gavin - Thanks :D
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Remember: the file in that folder is a copy of an original which has been somewhere else on your system, if it has not been removed in the meantime.
    I see in the computercops forum that the file was not removed from an HJT log, so maybe the file can be legit as well; it could be your file got infected itself (interesting option). So the submission, to await Gavin's opinion, is good, especially as you think it is calling out:
    with Port Explorer up you can see exactly which process is the one calling out, and look at packets or kill it.
    You might like to zip it before handling it further, so the calling stops. In the meantime you might also like to have a look at the file yourself by going to www.kaspersky.com/remoteviruschk.html; at the bottom, submit the file, and within a few seconds you get a first opinion online.
     
  6. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    The Kaspersky on-line check says that the file is infected with the WinShow trojan downloader (I think it's adware; Kaspersky doesn't specify. My Norton, even though updated, says nothing about the file and reports it clean):

    Current object: msxmidi.exe

    msxmidi.exe Packed: UPX
    msxmidi.exe Infected: TrojanDownloader.Win32.WinShow.p

    Actually, it looks like I was wrong: the firewall reported the destination IP to be the same as the one dialed by TDS3, which is why I thought it was dialing the DiamondCS site, but it isn't; it's just my ISP.

    It looks like this file is not the actual winshow virus/adware, but tried to download it and got caught.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin will definitely tell you more about the file, as now we all want to know! You did submit it, didn't you?
    You did not find another original on your system somewhere else? Maybe deleted already (I hope).
    Your last sentence: "tried to download it but got caught"
    Do you mean you think the file was trying to download it, or you yourself?
    If the file was trying to call, it means it would be active on your system; one more reason to zip it and send it in to Gavin. And to do another scan to make sure you're really clean!
     
  8. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    The original file was in the Windows directory, and my firewall alerted me that it was trying to dial out.

    I did a search to find the file (by the name given by the firewall) and the search returned 2 files, exactly the same: one was in the Windows folder, which I assume is the original, and the second one was in the TDS/xDynamic/TDS.Unpk folder.

    I did submit both (renamed one to msxmidiWin) just in case there was a difference between the two.


    I think this file was downloaded somehow and then it tried to download the actual trojan, which seems to be winshow.dll (from what I found out researching WinShow). There is no WinShow on my PC, I guess because the firewall stopped msxmidi from downloading it. So it looks like I'm clean.
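The triage the thread arrives at (compare the two copies, note that the sample is UPX-packed, zip it or rename it so it cannot run, submit it) can be done offline with a short script. The block below is an added example and is not code from the thread, from DiamondCS/TDS or from Kaspersky; the PE images it works on are constructed in build_fake_pe() purely to exercise the checks and are not real malware. The UPX test is a heuristic (section names beginning with "UPX" or the "UPX!" marker string), which is enough to flag a sample for submission but is not proof of packing or of malice.

```python
"""Offline triage of a suspect executable found in two places on disk.

Added example, standard library only. Sample PE images are constructed
in build_fake_pe() to exercise the checks; they are not real programs.
"""
import hashlib
import os
import struct
import tempfile
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the section table follows the optional header.
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX names its sections UPX0/UPX1 and leaves a 'UPX!' marker.
    A small, packed exe in C:\\Windows that suddenly dials out is worth submitting."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def triage(paths):
    """Hash every copy, flag UPX, and report whether all copies are byte-identical
    (the poster found the C:\\Windows copy and the TDS.Unpk copy to be the same)."""
    files = []
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        files.append({"path": p, "size": len(data),
                      "sha256": sha256_bytes(data),
                      "upx": looks_upx_packed(data)})
    return {"files": files, "identical": len({r["sha256"] for r in files}) == 1}


def quarantine(path: str):
    """Neutralise a suspect file as the thread suggests: keep a zipped copy for
    submission and rename the original with a suffix that cannot execute."""
    zip_path = path + ".zip"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(path, arcname=os.path.basename(path) + ".bin")
    renamed = path + ".tmp"
    os.replace(path, renamed)
    return zip_path, renamed


def build_fake_pe(section_names, tail: bytes = b"") -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header with no optional
    header, and a bare section table. Not a runnable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + b"PE\0\0" + coff + table + tail


def demo():
    """Two identical copies of a packed sample, triaged and one quarantined."""
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"], b"UPX!\0payload")
    with tempfile.TemporaryDirectory() as d:
        win_copy = os.path.join(d, "msxmidi.exe")
        unpk_copy = os.path.join(d, "msxmidiUnpk.exe")
        for p in (win_copy, unpk_copy):
            with open(p, "wb") as f:
                f.write(packed)
        report = triage([win_copy, unpk_copy])
        zip_path, renamed = quarantine(win_copy)
        with zipfile.ZipFile(zip_path) as z:
            entries = z.namelist()
        return {"identical": report["identical"],
                "upx": [r["upx"] for r in report["files"]],
                "zip_entries": entries,
                "original_gone": not os.path.exists(win_copy),
                "renamed_exists": os.path.exists(renamed)}


if __name__ == "__main__":
    print(demo())
```

On a real box you would pass the two paths the firewall and the file search turned up to triage(), keep the hashes with the submission so the analyst can confirm they received the same bytes, and only then quarantine.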
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Right, now that you tell about the second copy, or better said the original elsewhere on your system, the story fits exactly. The one in the TDS Unpk folder is a copy of the same file, there to be unpacked and scanned, and normally it should have been deleted after that action or with the next scan. Now that Gavin has his copies you can delete the one in the Unpk folder anyway. The other one, if you think it could be part of a program which will stop functioning without the file on your system, you can rename, for instance by adding an extension behind it (msxmidi.exe.tmp, which can't run), or keep it zipped, or delete it after Gavin's reaction. Sounds like a good catch!
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The WinShow downloader is a part of the CWS hijacker family.

    The way it gets on the computer is via an infected applet on a malicious website.

    The only cure is to make sure you are updated and patched against the exploit called the byte verifier exploit, either by installing the M$ virtual machine update from Windows Update or by uninstalling it completely and installing Sun Java, which is immune to the bug.

    To be sure of being clean from it, as there are several hundred variants and WinShow is only one of them, do this:

    First download CWShredder from http://www.merijn.org/cwschronicles.html
    then
    run CWShredder, check you have the current version, press "check for update" and let it update.
    Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.

    And make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection; otherwise you will be continually reinfected.
    The patches are:
    http://support.microsoft.com/default.aspx?kbid=828026
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
    *Note: The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates & Service Packs".

    If Merijn.org is still down due to the DDoS attack on it, the alternative download sites for CWShredder are:
    http://www.wilderssecurity.com/attachments/cwshredder1510.zip
    http://www.thespykiller.co.uk
    http://www.majorgeeks.com/downloads31.html

    You might like to read more about it here:
    http://www.wilderssecurity.com/showthread.php?t=14086
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So, with this, to make sure, also get HijackThis and post in the HJT forum to see if everything is all right and whether you really did not get the whole nasty on your system.
    Or, if HJT is still unreachable, the AutoStartViewer from the DCS sites.
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    For future info, HJT is always available from these forums, and if you are viewing them then they haven't been attacked:

    http://www.wilderssecurity.com/showthread.php?t=12516

    Unfortunately, many of the CWS entries do not show in a HijackThis log, or in the AutoStart Viewer in TDS either, especially in XP/2000/2003. The only known way of fixing or finding them all is CWShredder. TDS finds and cures some, Ad-Aware/Spybot find and cure some, and most antiviruses cure some of them.

    It is the most pernicious, devious, problematic ad-spawning trojan ever invented.
     