UPX.txt Packer on tds3 demo version

Discussion in 'Trojan Defence Suite' started by gardelvis, Dec 22, 2003.

Thread Status:
Not open for further replies.
  1. gardelvis

    gardelvis Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    4
    :'(Ichecked out my demo version of tds3 with avast antivirus and it reports an UPX.txt Packer ( I detect it first with avast reporting this as ( ASPack - categorized as a trojan packer ) . And then I downloaded Pest Patrol and it reported this UPX.txt in directory External Plug Ins or somewhat , so I have to remove the program .
    Is this UPX.txt archive coming with the demo ? Or do I have another Trojan or Worm ? Please , somebody help me !!!
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    gardelvis,

    This is a perfectly safe and sound file, used by many sortalike softwares. It should reside in (5,45 kb in size):

    C:\Program Files\TDS3\Ext.Unpk

    Here's the contents from this text file:

    Code:
    -----BEGIN PGP SIGNED MESSAGE-----
    
    
                     ooooo     ooo ooooooooo.   ooooooo  ooooo
                     `888'     `8' `888   `Y88.  `8888    d8'
                      888       8   888   .d88'    Y888..8P
                      888       8   888ooo88P'      `8888'
                      888       8   888            .8PY888.
                      `88.    .8'   888           d8'  `888b
                        `YbodP'    o888o        o888o  o88888o
    
    
                        The Ultimate Packer for eXecutables
              Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar
                   http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
                              http://www.nexus.hu/upx
                                http://upx.tsx.org
    
    
    PLEASE CAREFULLY READ THIS LICENSE AGREEMENT, ESPECIALLY IF YOU PLAN
    TO MODIFY THE UPX SOURCE CODE OR USE A MODIFIED UPX VERSION.
    
    
    ABSTRACT
    ========
    
       UPX and UCL are copyrighted software distributed under the terms
       of the GNU General Public License (hereinafter the "GPL").
    
       The stub which is imbedded in each UPX compressed program is part
       of UPX and UCL, and contains code that is under our copyright. The
       terms of the GNU General Public License still apply as compressing
       a program is a special form of linking with our stub.
    
       As a special exception we grant the free usage of UPX for all
       executables, including commercial programs.
       See below for details and restrictions.
    
    
    COPYRIGHT
    =========
    
       UPX and UCL are copyrighted software. All rights remain with the authors.
    
       UPX is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
       UPX is Copyright (C) 1996-2000 Laszlo Molnar
    
       UCL is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
    
    
    GNU GENERAL PUBLIC LICENSE
    ==========================
    
       UPX and the UCL library are free software; you can redistribute them
       and/or modify them under the terms of the GNU General Public License as
       published by the Free Software Foundation; either version 2 of
       the License, or (at your option) any later version.
    
       UPX and UCL are distributed in the hope that they will be useful,
       but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
       GNU General Public License for more details.
    
       You should have received a copy of the GNU General Public License
       along with this program; see the file COPYING.
    
    
    SPECIAL EXCEPTION FOR COMPRESSED EXECUTABLES
    ============================================
    
       The stub which is imbedded in each UPX compressed program is part
       of UPX and UCL, and contains code that is under our copyright. The
       terms of the GNU General Public License still apply as compressing
       a program is a special form of linking with our stub.
    
       Hereby Markus F.X.J. Oberhumer and Laszlo Molnar grant you special
       permission to freely use and distribute all UPX compressed programs
       (including commercial ones), subject to the following restrictions:
    
       1. You must compress your program with a completely unmodified UPX
          version; either with our precompiled version, or (at your option)
          with a self compiled version of the unmodified UPX sources as
          distributed by us.
       2. This also implies that the UPX stub must be completely unmodfied, i.e.
          the stub imbedded in your compressed program must be byte-identical
          to the stub that is produced by the official unmodified UPX version.
       3. The decompressor and any other code from the stub must exclusively get
          used by the unmodified UPX stub for decompressing your program at
          program startup. No portion of the stub may get read, copied,
          called or otherwise get used or accessed by your program.
    
    
    ANNOTATIONS
    ===========
    
      - You can use a modified UPX version or modified UPX stub only for
        programs that are compatible with the GNU General Public License.
    
      - We grant you special permission to freely use and distribute all UPX
        compressed programs. But any modification of the UPX stub (such as,
        but not limited to, removing our copyright string or making your
        program non-decompressible) will immediately revoke your right to
        use and distribute a UPX compressed program.
    
      - UPX is not a software protection tool; by requiring that you use
        the unmodified UPX version for your proprietary programs we
        make sure that any user can decompress your program. This protects
        both you and your users as nobody can hide malicious code -
        any program that cannot be decompressed is highly suspicious
        by definition.
    
      - You can integrate all or part of UPX and UCL into projects that
        are compatible with the GNU GPL, but obviously you cannot grant
        any special exceptions beyond the GPL for our code in your project.
    
      - We want to actively support manufacturers of virus scanners and
        similar security software. Please contact us if you would like to
        incorporate parts of UPX or UCL into such a product.
    
    
    
    Markus F.X.J. Oberhumer                   Laszlo Molnar
    markus.oberhumer@jk.uni-linz.ac.at        ml1050@cdata.tvnet.hu
    
    Linz, Austria, 25 Feb 2000
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    
    iQCVAwUBOLaLS210fyLu8beJAQFYVAP/ShzENWKLTvedLCjZbDcwaBEHfUVcrGMI
    wE7frMkbWT2zmkdv9hW90WmjMhOBu7yhUplvN8BKOtLiolEnZmLCYu8AGCwr5wBf
    dfLoClxnzfTtgQv5axF1awp4RwCUH3hf4cDrOVqmAsWXKPHtm4hx96jF6L4oHhjx
    OO03+ojZdO8=
    =CS52
    -----END PGP SIGNATURE-----

    As you see, there's no need in any way to uninstall TDS3 for this ;) - and no, your system is not compromised in any way.

    regards.

    paul
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello gardelvis and welcome to the forum.
    As you can see the file is a TXT format, and a txt can never run, so can never be any trojan, let alone a life infection.

    As Paul was so kind to post you can see it is a txt file, and there is of course the unpacker itself to unpack files to be able to detect possible malicious code in a protected folder, after which the copied and scanned code is deleted again.

    This unpacker is a very known one, as also the other companies whose software you use should have known and added to their definitions since 1996, even if it had been the executable engine itself.


    Do the following: TDS installed, update the definitions from the website http://tds.diamondcs.com.au/radius.td3 and put that update in the TDS-3 directory overwriting the current one which came with the installation.
    Depending on your system configuration (more drives/partitions, network, whatever you have) you can add to the TDS > Edit Config Scans Text > Scans >Full system Scans.txt all available scans and all logical drives, save and via System Testing > Scan Control > check all possible options and on the next tab too including the worm slider all to the highest sensitvity > OK > open it again for Full System Scan.
    As this is a rather heavy process you might like up to speed up the process with closing all unnecessary programs and windows till it's finished. A good moment is when you're not around for a while.
    In the bottom console you'll find possible alerts. Rightclick on an alert to get a menu to investigate a file and to save all alerts to one textfile.
    I'm interested to read about your possible finds so we can help you advising what to do with those alerts.
    Of course hoping you find nothing wrong and your system will be very clean.
     
  4. gardelvis

    gardelvis Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    4
    The story is this : Recently with avast and tds-3 I detected a trojan horse in a file which were on C:\ddm.exe ( I have a dual booting system with windows XP and Windows 98 first edition ). When I tested the directory of tds-3 with avast home edition 4 it said that the files were impossible to scan because of being packed with ASPACK ( known as a trojan packer ).
    Then , after several tests on XP and Windows Avast 4 finally found a Win32:Blaster-C first on my swapfile and then the terrible Win32:Crypto . I suscribed also to the forum of avast and a person nicknamed as Avat Evangelist told me that these were false alarms. But I suspect I´ve got The Crypto thing since every time I connect to the Web my firewall ( which is a Sygate Personal Firewall last home version ) tells me once and another time that a NEW DLL IS LOADED FROM INTERNET EXPLORER ( AND I DIDN´T UPGRADE IT ).
    So, In your opinion . Am I Infected by those things ?
    Also I checked my pc with PC_CILLIN online ( it didn´t report anything ) and also I downloaded the FixBlaster.exe from SYmantec . So IF you can help me I´d
    be very grateful to you . Best Regards and Merry Christmas
     
  5. gardelvis

    gardelvis Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    4
    After All these things I've explained on re:3 I reinstalled tds3 and scanned with avast and it reports that the directory is compressed by aspack . Please help me !!!
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    gardelvis,

    ASPACK is essentially a very well known and used software; have a look over here. So the mere fact software is compressed using ASPACK does not imply there's something fishy going on. This goes for TDS3 as well ;)

    As for W32 Crypto: as far as I know, this is a [/i]virus[/i] and not a trojan (as you know TDS is not an antivirus), and isn't in the wild yet. Do you have some additional info about this W32 Crypto virus that infected your system before?

    I would recommend submitting the file(s) in question to your antivirus company for examination. A copy can be submitted as well to DCS.

    Merry Christmas to you as well.

    regards.

    paul
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    How about confronting PestPatrol and Avast with their detections of a TEXT file describing UPX as a trojano_O?
    A text file CAN NOT run! For PP detecting also INFO about nasties if you configure it to report and scan text files too i can imagine that part, but it should not react on read text files about legal normal software.
    Sending the files with your comments to them enables them to refine their detection databases.

    Go to http://www.avp.ru/ get to the language version you prefer, at the bottom find "online virus scan" submit the file and in a few seconds you have their reply.

    The detected files, zip a copy and do as Paul asked, submit to TDS lab and you will hear their comments.
    The original TDS UPX TEXT or EXE files are no trojans, viruses, worms, scripts, dialers, keyloggers or other illegal things.

    Info about the Win32:Crypto learns already in the first couple of lines you can't have that infection, as it immediately disables Avast and other scanners, which seem to be working on your system still.
    http://www.avp.ch/avpve/newexe/win32/crypto.stm
    Read the rest of the article and any suspicious finds, submit them to TDS lab, they will love to help you out where they can, even though it's no trojan.
    BTW: for enhancing your security, you probably will love to register your TDS copy, as that enables you to install the exec protection, which scans every executable for possible malicious code before it is allowed to run at all or block it before it's first breathtaking, not a bad idea.
    For worms make sure to have WormGuard running too and you will love Port Explorer to keep a real time eye on all connections and data traffic from and to your system.
    For the XP partitions you will love the ProcessGuard, so vital processes can't be stopped anymore (or any you protect with it) while you might like in the meantime to encrypt important data on all your system with the CryptoSuite, so trojans nor other spying eyes can get to that at all anymore.
    On the DiamondCS products sites you will find a lot of security enhancement to make internet a nice and secure experience again!

    Post your experiences back please.

    PS: in the meantime i wonder about the ddm.exe : is that a legal file or a recent one?
    in case you also find a Sysu.exe you better look here the ddm mentioned in the article "have your taksbar and desktop icons disappeared" even though you night not have those things happening yet, the ddm alarms me. And here and here for removal instructions if you fi...logging for each partition separately anyway!
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jooske,

    ddm as in Dynamic Desktop Media is spyware.
    And becoming a very common nuisance very quickly.

    Regards,

    Pieter
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's right Pieter, thanks, Symantec names it part of Adware.DynamicUpdater, with the name you mentioned for the DDM part of it.
    It fits with the story Gardelvis sees updates each time as indeed the thing is updating itself as adware is used to.
    suppose it has nestled itself into the IE browser.

    I'm surprised even though the symantec sites say linux is not effected, i see it on linux forums mentioned too now.
    Hope postings of the hijackthis files can help Gardelvis to be cleansed out completely from every nasty before it was even invented!


    Gardelvis, first cleaning out, good tools and sure you'll get some very good advices about some extras you can find in the forums here (thinking of the JavaCool protection too).
     
  10. gardelvis

    gardelvis Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    4
    Thanks to Paul,Jooske and other people I don't remember for your answers . Finally I decided to format my disks and in the forum of avast ( in which I'm suscribed with the same user name ) a person told me that this were all false alarms. So thank you very much for all the replies
    AND HAVE A HAPPY NEW YEAR :)
     
Thread Status:
Not open for further replies.