win32:sdbot-2325 [trj]

Discussion in 'Trojan Defence Suite' started by beethoven, Sep 6, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    I hope it's not too late to expect some assistance here in this forum.
    I just did a scan with avast and was told that a trojan horse was found: Win32:SdBot-2325 [Trj]. What startles me is that the file in question is: "Program Files\TDS3\xDynamic\TDS.fps\DCSFPS13.bak".
    While I have been using TDS3 on two other pc, this particular pc only ever had the trial version. It is not heavily used on the net and I am wondering if this is not a fp.

    Anyone still out there dealing with TDS3 issues?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi beethoven,
    Looks like a backup file, simply delete it. Not sure what it is but may be some sort of recptacle for TDS3 scans. Anyway not that important now :)

    HTH Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If that is the only alarm it is a bit strange. That folder contains copies or critical system files from which they are replaced in case of missing or damaged files. So the original should (have been)/be alarmed on too.
    If you still have the file check it another time at one of the online file scanners.

    "fps" does not stand for "false positives" !
     
  4. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Avast had moved the file and changed the file ext, so it took me a while to locate it again. Once I did, the alert came back immediately. I then moved the file to quarantine (or the chest) as Avast calls it. Neither Jotti or kapersky online raised any alarm when submitting it.

    Nope, it was just this one file.

    o_O
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That fps folder.

    Submit the file to Gavin on the submit address in my signature for second opinion, with a link to this thread.

    Was it the first time avast alarmed on it?

    Submit a copy to avast and tell them it looks like a false positive, since it is a copy of the original file elsewhere on your system on which is no alarm.
    Maybe avast alarms as it is in another location then the windows or system(32) directory where it probably belongs.
    But you want that file there since it enables TDS to take good care for it.

    Look in the file properties: was it modified recently? If not, it must be a false positive.
     
  6. FanJ

    FanJ Guest

    In TDS-3 fps means File Protection System.

    See the subject File Protection System in the Help-file.

     
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    done :)

    Yes and only for the bak file within the TDS folder.

    As to a submission to Avast - will do so once I have figured out their submission address.

    Thanks Jooske

    and also thanks Fanj for the explanation of fps - it's always good to learn something new, though in this case I was merely talking about a false positive without reference to the file protection system. :D
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Oh.. its UNRAR.DLL ? 31kb and if you send it to my profile email I can verify that

    Most likely a recent trojan has unpack routines built in or even uses a free RAR library which was then badly selected as detection signatures. Signatures are best selected from unique code not things like this :)
     
  9. BigAl_LBL

    BigAl_LBL Guest

    Was there any feedback on this? I have the same report and also wanted to know if it was a false positive. In my case it first appeared in unzip.dll.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes.. that would be a DEFINITE false alarm ! report to vendor so they can fix it
     
  11. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Great - thanks Gavin
     
  12. BigAl_LBL

    BigAl_LBL Guest

    Thank you
     
Thread Status:
Not open for further replies.