Unknown trojan

Discussion in 'Trojan Defence Suite' started by Caspar107, Feb 22, 2003.

Thread Status:
Not open for further replies.
  1. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    After a full system scan with the trial of TDS I ran into an unknown trojan, which pointed to the file statbar.exe, which is part of the StatBar software installed on my computer.
    Is anything wrong here, or is it a known "bug" in the software?

    www.statbar.nl
     


  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Caspar, :)

    It's X-rated in Pac's Portal, but that's probably because it's a resource hog.
    I moved it here so DCS can check out if this is a f/p or the real thing.

    Regards,

    Pieter
     
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Caspar.

    I just installed StatBar last night.
    Haven't run a TDS-3 scan yet, but I will soon.
    If this isn't a false positive, I'm interested in what Wayne and the DCS people have to say about StatBar.

    I like StatBar, but if it is a trojan type program it's "getting the boot" and real fast!
     
  4. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Caspar.

    I just ran TDS-3.
    I have TDS-3 set up so that it scans all running processes when it starts.
    It didn't give an alarm when it checked StatBar as a running process.
    I went to my program files and with the right-click feature I scanned the StatBar files (4 total including statbar.exe) with TDS-3.
    There were no alarms from TDS-3.

    This is interesting.
    I checked out the link that you posted and it is the same StatBar.
    Have you updated TDS-3 lately?
    (I think you have to do that manually in the trial version).
    Wayne or one of the TDS-3 expert operators will be able to shed light on the detection.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Good one, the Tester.

    Caspar, this is the direct download link for the latest TDS-3 update: http://tds.diamondcs.com.au/radius.td3
    Replace the old radius.td3 file in the TDS-3 folder with the one you get from there.

    Regards,

    Pieter
     
  6. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    I ran the full system scan with TDS including the latest manual update already the first time.


    But now I see that TDS is saying:
    WARNING Your Radius.td3 database needs to be updated.
    I put the file in the TDS directory after which I was prompted to overwrite the existing file, so I did, but it still says I need an update.

    Is reinstalling the program a solution?
     
  7. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    I reinstalled the TDS program and did a manual update again; after a full system scan the StatBar.exe alarm is back.

    By the way, still the update warning but I can see the program is saying:
    Database updated 23-02-2003 o_O
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Caspar,

    As long as you are running an evaluation copy of TDS-3, it will always remind you to update the radius file. It's just the way it works - a kind of permanent reminder.

    Best Wishes,
    LowWaterMark
     
  9. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I was under the impression that StatBar wasn't a service.
    But I saw it connected out once. (Active Ports showed that.)
    I wonder if that has anything to do with the TDS-3 detection?

    I have it running and have been monitoring connections with Kerio and Active Ports. No more connections yet.

    Caspar.
    Do you use the time synchronization with StatBar?
    I haven't used that feature.
    It would call out for that.
    If so, you should get a firewall alert or you would have to give permission for an internet connection.
     
  10. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Caspar,

    I would zip the file and send it to TDS support. That way they can examine your file. They will email you with the results.

    Loki :cool:
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Great, for the submission this address:
    support@diamondcs.com.au
    and give the URL where you found it.

    They can refine the databases where needed/possible and like Loki said, write the results. There must be at least some code in it causing the alarm. And they will be grateful being able to refine the databases any further.

    Thanks a lot for the alert, we wait with you for the results.
     
  12. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    Yeah, I used that feature once but not anymore, and I gave my Norton Firewall permission for it. At this moment there are no active connections from StatBar anymore so it should be something else.

    I submitted the file yesterday with the feature in TDS to mail the alert, is this enough or should I zip the file and mail it to support@diamondcs.com.au?
     
  13. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi Caspar,

    Using the submit file feature should be fine, but like Jooske said you should email them with where you downloaded the file from, and of course it would not hurt to zip it and send it. The more information you can provide, the better response time you will get. They are very fast to respond.

    Loki :cool:
     
  14. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    OK, I will email the file then.
     
  15. Caspar107

    Caspar107 Registered Member

    Joined:
    Oct 27, 2002
    Posts:
    25
    Location:
    Apeldoorn, Netherlands
    Very quick answer from TDS

    Well, no newer version available.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Quick as ever possible, great.
    Keep an eye on it when there is a new version finally.
    Would not put it on the exclusion list, just keep it as it is and only watch for possible modifications just in case at a next alert. So you have your testfile! :)
     