Unknown Trojan Not Picked Up By TDS

Discussion in 'malware problems & news' started by Bubba HoTep, Sep 23, 2004.

Thread Status:
Not open for further replies.
  1. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    About a week ago when running a Pest Patrol search I turned up what is classified by Pest Patrol as an "Unknown Trojan" Key Logger. When I select and remove the lil bugger, I get an error message, [Unable to load function: FT_THUNK {KERNEL32.dll}] But then it goes on to apparently delete the files. It then requires a reboot to be finalized and a rescan shows the files to be removed.

    However when I run a specific application they reload. (Warcraft III, sorry.. I'm an avid gamer). So not knowing what more to do... I purchased TDS and bought the license. I have run the program, updated, both when they are removed and when Pest Patrol says they are there, and TDS does not find anything.

    This is highly annoying as I just spent nearly $50.00 for a pretty trojan program that does not seem to see the trojan. Pest Patrol logs seem to suggest that this particular trojan's creation date is 8/9/04. So it seems pretty new.

    The files that are picked up are: sintfnt.dll, sintf32.dll, sintf16.dll, cmdlineext02.dll.

    Now just so everyone reading this knows, I have Spybot S&D, updated Ad-Aware, HijackThis, Reg Organizer, Pest Patrol, TDS, and I do regular scans with Trend Micro's HouseCall.

    Does anyone have any suggestions on what I should do next? I would appreciate any and all feedback.

    Thanks

    Bubba HoTep :ninja:
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Actually, from your description it seems more likely that Pest Patrol was making a false positive identification rather than TDS missing it since you said the files come back whenever you run Warcraft III. It is not hard to connect the presence of files that monitor and log keyboard, mouse and other input devices, with an interactive game program.

    I'm not saying it is certain that Pest Patrol is wrong, just that it is a bit suspicious that these files regenerate as part of running a legitimate game program.

    The best thing to do would be to take a copy of those files, zip them into a single archive file, and email them to the makers of TDS to analyze for you. It's the only way to know for sure what these files are and whether TDS (or Pest Patrol) should even be flagging them.

    submit@diamondcs.com.au
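    The regeneration test LowWaterMark describes (delete the flagged files, launch the game, see what comes back) is easy to make repeatable. The script below is an added example, not part of the original post and not from TDS, Pest Patrol or Blizzard: it fingerprints the flagged files by size and SHA-256, moves them aside rather than deleting them (so copies survive for submission), runs the application, and reports which files came back byte-for-byte, which came back changed, and which stayed gone. The four file names are the ones quoted in the post; the game directory, quarantine folder and launch command are placeholders, and the fixture at the bottom is constructed so the script runs without the game installed.

```python
"""Check whether an application recreates the files a scanner flagged.
Added example: not from the thread and not from any product named in it.
The four file names are the ones quoted in the post; the directory, the
quarantine folder and the launch command are placeholders."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

FLAGGED = ["sintfnt.dll", "sintf32.dll", "sintf16.dll", "cmdlineext02.dll"]


def fingerprint(directory, names):
    """Return {name: (size, sha256)} for each named file that exists."""
    result = {}
    for name in names:
        p = Path(directory) / name
        if p.is_file():
            data = p.read_bytes()
            result[name] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def quarantine(directory, names, dest):
    """Move the flagged files aside instead of deleting them, so copies
    survive for submission.  Returns the names that were moved."""
    moved = []
    for name in names:
        p = Path(directory) / name
        if p.is_file():
            p.rename(Path(dest) / name)
            moved.append(name)
    return moved


def classify(before, after):
    """Compare fingerprints taken before quarantine and after the launch.
    regenerated: back with the same hash (the program carries a copy of it)
    changed:     back with a different hash (worth a closer look)
    gone:        nothing recreated it"""
    verdict = {"regenerated": [], "changed": [], "gone": []}
    for name, fp in before.items():
        if name not in after:
            verdict["gone"].append(name)
        elif after[name] == fp:
            verdict["regenerated"].append(name)
        else:
            verdict["changed"].append(name)
    return {k: sorted(v) for k, v in verdict.items()}


def regeneration_check(directory, names, launch_cmd, quarantine_dir):
    """Snapshot, quarantine, run the application, snapshot again."""
    before = fingerprint(directory, names)
    quarantine(directory, names, quarantine_dir)
    subprocess.run(launch_cmd, check=False)
    return classify(before, fingerprint(directory, names))


def build_fixture():
    """Constructed stand-in for the game directory: three flagged files and a
    launch command (a Python one-liner standing in for the game executable)
    that puts one file back byte-for-byte, rewrites another and ignores the
    third.  Replace with the real folder and the game's .exe to use it."""
    game_dir = Path(tempfile.mkdtemp(prefix="game_"))
    quarantine_dir = Path(tempfile.mkdtemp(prefix="quarantine_"))
    (game_dir / "sintfnt.dll").write_bytes(b"copy-protection stub A")
    (game_dir / "sintf32.dll").write_bytes(b"copy-protection stub B")
    (game_dir / "cmdlineext02.dll").write_bytes(b"shell extension stub C")
    recreate = (
        f"from pathlib import Path; d = Path({str(game_dir)!r}); "
        "(d / 'sintfnt.dll').write_bytes(b'copy-protection stub A'); "
        "(d / 'sintf32.dll').write_bytes(b'different build of stub B')"
    )
    launch_cmd = [sys.executable, "-c", recreate]
    return game_dir, FLAGGED, launch_cmd, quarantine_dir


if __name__ == "__main__":
    print(regeneration_check(*build_fixture()))
```

    A file that comes back with an identical hash every time the game starts is being carried inside the game's own installer or protection layer, which is the behaviour LowWaterMark is pointing at; a file that comes back with a different hash each run is the one to send in first. Keep the quarantine folder, since that is what the vendor will ask for.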
     
  3. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    I just re-ran Trend Micro's House Call last night and found one non-cleanable.

    BKDR_AGENT.CE

    Does anyone know what this file does? It is embedded deep in a Documents & Settings folder.

    Thanks

    Bubba
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    More info here

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
  6. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    TDS didn't detect this? Tut tut.
     
  7. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    I re-updated Trend Micro HouseCall this morning and have viewed the first 30 minutes of the run and found that it has not picked up on the insect where it did on the last scan.

    Thanks for the links on this bug. I have noted that it would need to access the net through a port and, given DSL, I have no open ports on my firewall. Not to mention that my Zone Alarm Pro will, I'm sure, detect anything trying to access the internet.

    Hopefully I will be rid of this tonight. Given that it appears to be a new backdoor variant I can understand why there is so little about it out there. I'm sure we'll see more in the weeks and months to come. Still a little peeved that TDS did not pick it up either, yet Pest Patrol knew something was wrong and Trend Micro HouseCall confirmed it.

    I'll repost this evening and let people know where I am at.

    Bubba
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    But you did submit the file/s to DCS for analysis, right?
     
  9. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    Unfortunately I did not. When Trend Micro gave me the option to delete I deleted it. If it comes back I will send in the file.

    I have been on this forum now a day or two. My normal course of action for the past 10 years has been to find these and remove them as quickly and easily as possible.

    Again, I will be certain to take care of that for future matters but have not as of yet.

    Bubba
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please keep us informed how it goes.
    And submit your finds please.
    What is also very helpful and necessary is to close other scanners completely (including their resident protection) when using another scanner.
    TDS does not need to be closed, only don't have it actively scanning with TDS at the same time of using any other scanner.
    This is to give full access to all files by the other scanners.
    If I'm not sure I zip a file and submit it and/or get an extra scan of that file with my other scanners and online at Kaspersky's for instance.
     
  11. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    Ok, after yet another Trend Micro complete scan I have turned up nothing. So it appears to have deleted the BKDR_AGENT.CE

    However, the other "Unknown Trojans" detected by Pest Patrol continue to show up. The 4 files mentioned in my above posts. Should I send these in and have them checked?

    If so, what utility do people use to zip them? I don't have WinZip, and when I looked it only has a 20 or so day trial before you have to purchase a license. Is there a utility built into XP already?

    Feedback appreciated; as it currently stands I'm well on my way to hara-kiri. I get obsessed with these irritations. I appreciate everyone's assistance.

    Bubba
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You can have the files checked here, as well you can send them to submit@diamondcs.com.au and samples@nod32.com and there is more information on submitting samples here

    Let us know how you go...

    Cheers :D
     
  13. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    Thanks for the info.... but does XP have a zip utility or will I need to go out and buy one?

    Bubba
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    XP has its own, however you can also download Ultimate Zip from here

    Hope this helps...

    Cheers :D
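    For the sample-submission step discussed in the last few posts (zip the flagged files and mail them to the vendor addresses given above), here is an added example that uses only Python's standard library; it is not from the thread and is not any vendor's own submission tool. It stores each sample under its own name plus a ".bin" suffix so that nothing on the way treats it as a live DLL, writes a MANIFEST.txt with name, size, SHA-256 and the scanner's verdict so the analyst can confirm what arrived, and re-opens the archive to check the manifest against the stored bytes. The sample files in the fixture are constructed placeholders named after the four DLLs in the thread; paths are placeholders.

```python
"""Package suspect files for a vendor submission: a zip archive plus a
MANIFEST.txt of name, size and SHA-256, then a read-back check.  Added
example using only the standard library; not from the thread and not any
vendor's submission tool.  Paths are placeholders."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

SAMPLE_NAMES = ["sintfnt.dll", "sintf32.dll", "sintf16.dll", "cmdlineext02.dll"]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def build_submission(sample_paths, archive_path, verdict=""):
    """Write each sample into the archive under its own name plus a .bin
    suffix (so mail filters and double-clicks do not treat it as a live DLL)
    and add a tab-separated manifest.  Returns the manifest entries."""
    entries = []
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in map(Path, sample_paths):
            data = p.read_bytes()
            entries.append((p.name, len(data), sha256_bytes(data)))
            zf.writestr(p.name + ".bin", data)
        lines = ["# name\tsize\tsha256"]
        if verdict:
            lines.append("# scanner verdict: " + verdict)
        lines += [f"{n}\t{s}\t{d}" for n, s, d in entries]
        zf.writestr("MANIFEST.txt", "\n".join(lines) + "\n")
    return entries


def verify_submission(archive_path):
    """Reopen the archive and check every manifest line against the stored
    bytes.  Returns (matching names, mismatching names)."""
    good, bad = [], []
    with zipfile.ZipFile(archive_path) as zf:
        for line in zf.read("MANIFEST.txt").decode().splitlines():
            if not line or line.startswith("#"):
                continue
            name, size, digest = line.split("\t")
            data = zf.read(name + ".bin")
            if len(data) == int(size) and sha256_bytes(data) == digest:
                good.append(name)
            else:
                bad.append(name)
    return good, bad


def build_fixture():
    """Constructed samples standing in for the four flagged DLLs; the bytes
    are placeholders, not the real files."""
    d = Path(tempfile.mkdtemp(prefix="samples_"))
    paths = []
    for name in SAMPLE_NAMES:
        p = d / name
        p.write_bytes(b"placeholder contents of " + name.encode())
        paths.append(p)
    return paths, d / "submission.zip"


if __name__ == "__main__":
    paths, archive = build_fixture()
    build_submission(paths, archive, verdict="Pest Patrol: Unknown Trojan (key logger)")
    print(verify_submission(archive))
```

    One caveat: zipfile can read password-protected archives but cannot write them, so if a vendor asks for a password on the archive (a common way to get samples past mail-server scanners), build the zip with a desktop tool and send the manifest from this script alongside it.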
     
  15. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    I thought I would share this information with everyone, note where it came from. There is also something else I found out on another forum and I will be posting that in the near future and it is highly interesting.

    "Hello,


    In regards to the files SintfNT.dll, Sintf16.dll, Sintf32.dll, these
    are used in/for the copy protection for Diablo II and Warcraft III. I am
    unsure if these are normally native Windows files or something the copy
    protection generates if they are not there. In testing something I
    deleted them, reinstalled Diablo II and the files came back. In all I would
    tend to say you are getting a false positive from Pest Patrol and you
    might want to check with the makers of it as to why or at least let them
    know and send the files in to them so they can look at them. As for
    the fourth file you mention I could not find it on my system(s). Here
    again I would send this one in to Pest Patrol and have them look at it to
    see why it keeps getting reported.

    I know you said you have checked your system multiple times however
    from the list of software you use like TDS, Zone Alarm, etc. I am not
    seeing an actual anti-virus program listed there. Do you have an actual
    anti-virus program like Norton, Panda, Kaspersky, Fprot, etc.? If you
    don't you may seriously want to look into getting one as anti
    Trojan/spyware software isn't meant for detecting viruses, just as AV software isn't
    meant for detecting trojans/spyware even though each can at times detect
    some of the more popular trojans/viruses respectively.

    Regards,
    Norm H.
    Anti-Piracy Team
    Blizzard Entertainment"

    More to follow.

    Bubba
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    So it appears the "Unknown Trojans" detected by Pest Patrol are false positives, have you sent these off to Pest Patrol for analysis?

    Now that your system is clean you may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

    Hope this helps…

    Let us know how you go…

    Cheers :D
     
  17. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    The following was taken from Security Forums regarding this same issue. I hope the links come through with this as they are super and anyone who is dealing with these files would find them very interesting. If they don't come through see this link to the forums.

    http://www.security-forums.com/forum/viewtopic.php?t=20775&highlight=

    These files are part of some insidious "copy protection" schemes devised by software/music lobbies to basically cripple your system into being unable to copy their products - a well known such "protection" used by a certain "reputable" record company works by secretly installing a driver on your computer that cripples your CD-ROM drive's ability to digitally extract audio, thus making it impossible for you to copy an audio CD without heavy distortion. Way to go, we're all thieves now, we buy their junk and they cripple our machines in return.

    Quick Google on the subject revealed some interesting results, this one for example.

    These files were placed in your system either by one of Blizzard's products, or some other game you have installed, or even by some music CD you inserted in your computer (yes, they are actually at a stage where they are secretly installing things on your computer without your knowledge just by inserting a legally bought music CD in the drive).

    This is yet another reason why I strongly recommend people disable autorun notification on their drives. At least that way you can be sure that when you put a CD on, it'll only run if you want it to run - which in case of a music CD will help you be sure you're not running anything other than you opening your favorite CD Player application and hitting play.
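    The autorun advice in the quoted post maps to one Windows policy value, NoDriveTypeAutoRun, a bitmask with one bit per drive type where a set bit disables AutoRun for that type. The block below is an added example, not from the thread or the quoted forum: it builds and interprets the mask, shows that the XP default (0x95) leaves CD-ROM drives with AutoRun enabled, which is exactly the case the post is worried about, and writes the all-drives value (0xFF) under HKCU when run on Windows. The registry path and bit layout are Microsoft's documented ones; the choice of 0xFF and the HKCU-by-default behaviour are this example's, not the post's.

```python
"""Interpret and set the NoDriveTypeAutoRun policy.  Added example; the key
path and bit meanings are Microsoft's documented ones, the decision to write
0xFF (all drive types) is this example's.  Registry writes happen only on
Windows; everything else runs anywhere."""
import sys

# One bit per drive type; a set bit means AutoRun is disabled for that type.
DRIVE_TYPE_BITS = {
    "unknown":   0x01,   # drives of unknown type
    "no_root":   0x02,   # drive letter with no root directory
    "removable": 0x04,   # floppy, USB stick
    "fixed":     0x08,   # local hard disk
    "remote":    0x10,   # network share
    "cdrom":     0x20,   # CD / DVD
    "ramdisk":   0x40,
    "reserved":  0x80,   # reserved / unknown type
}
XP_DEFAULT = 0x95        # unknown + removable + remote + reserved
ALL_DRIVES = 0xFF

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def mask_for(*drive_types):
    """Build a mask from named drive types."""
    mask = 0
    for t in drive_types:
        mask |= DRIVE_TYPE_BITS[t]
    return mask


def autorun_disabled(mask, drive_type):
    """True if AutoRun is off for this drive type under the given mask."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def describe(mask):
    """Drive types the mask disables, for a quick audit of a system's value."""
    return sorted(t for t, bit in DRIVE_TYPE_BITS.items() if mask & bit)


def set_policy(mask=ALL_DRIVES, per_user=True):
    """Write the value under HKCU (default) or HKLM (needs admin; HKLM wins
    when both exist).  Returns the mask written, or None off Windows."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    root = winreg.HKEY_CURRENT_USER if per_user else winreg.HKEY_LOCAL_MACHINE
    with winreg.CreateKey(root, KEY_PATH) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
    return mask


if __name__ == "__main__":
    print("XP default disables:", describe(XP_DEFAULT))
    print("CD-ROM AutoRun off under default?", autorun_disabled(XP_DEFAULT, "cdrom"))
    print("Written:", set_policy(ALL_DRIVES))
```

    Explorer reads the new value after a log-off or restart. The value only governs Explorer's AutoRun handling; a disc can still run code if you double-click its setup program, and later Windows updates changed how strictly the mask is honoured for non-optical drives, so check the value with describe() after patching rather than assuming it stuck.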
     
  18. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Very interesting. I know the RIAA etc. have been messing with P2P music files for a while now, but this is new; if what you said is true then it breaches the Digital Millennium Copyright Act signed by Bill Clinton in 1996.
     
  19. Bubba HoTep

    Bubba HoTep Registered Member

    Joined:
    Sep 23, 2004
    Posts:
    9
    Not to beat the proverbial horse senseless but, this was from an update. Meaning, every time you connect to say "Battle.net" through Blizzard to play online, the program checks for the most current updates. This did not start occurring until the very latest update towards the middle to end of September.

    I've been reading more and more about this on multiple forums. What's more, it's not just Blizzard but on a google search these were found as part of a piece of music cd.

    It's all been done very very quietly. So who's worse? People who pirate software, music or movies, or the companies who are placing items on people's PCs unbeknownst to the owner. Nobody's clean anymore.

    Think I'll go shower.

    Bubba *puppy*
     
  20. Merchito

    Merchito Guest

    I have encountered the same, exactly the same problem with Pest Patrol detecting "sintfnt.dll" and "sintfnt32.dll", and having them back after deletion. I am a hardcore gamer, and I can assure you that those "pests" come back when running many games. Actually, I am playing Archangel (jowood), and it keeps reinstalling those DLLs every time I launch the game.

    I am not sure what those files really are. But it seems to me, from what information I gathered, that it is associated with "Securom V2"... Whatever it is.
     