   Mischel Internet Security Forum
   Not detecting "Troj/ServU-CT"
mrbister
« on: Jan 8th, 2007, 4:05pm »

Hi!
 
Can someone please tell me why TH doesn't detect the above trojan? More info:
http://www.sophos.com/virusinfo/analyses/trojservuct.html
 
I bought TH so I would be safe from such trojans, but apparently I was fooled...
siliconman01
« Reply #1 on: Jan 8th, 2007, 4:18pm »

There are 4 variants of the ServU trojan in TH's rulesets.  I'm not sure how many variants of this critter are in the wild, however.
 
Did your Sophos AV catch this for you?  Keep in mind that it is common to encounter the "whoever sees it first sounds the alarm and locks the file" situation.  In other words, your AV may have trapped it and blocked TH from detecting it.  
 
If you have the file quarantined, could you please send it in to Mischel Internet Security?  If Gavin hasn't added it, he most certainly will.  
 
The link below describes how to submit.
 
http://www.misec.net/forum/board/FAQ/1139308293

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
mrbister
« Reply #2 on: Jan 8th, 2007, 4:24pm »

Hi - and thanks for quick reply.
I don't use Sophos, just sent a Google link to you guys :)
I removed it manually so it's not quarantined. Maybe it's a new variant, dunno myself - I just noticed it running and cleaned it. Symantec does not report that trojan (go figure...). Maybe it's time to replace AV software...
siliconman01
« Reply #3 on: Jan 8th, 2007, 4:35pm »

Well, it's hard to determine exactly what this may be.  Naming conventions are very erratic.  Just out of curiosity, what files did you delete manually?
Gavin_Coe
« Reply #4 on: Jan 8th, 2007, 7:19pm »

This is one of the hardest things to detect without causing a false alarm - the ServU program is a completely legitimate FTP server; thousands of organisations use it. As the writeup referred to says, ONE file is detected and the rest are clean.
 
Attackers use exploits which are unpatched to install such a service, so you should be sure you are patched. Often there is little else to indicate an infection. Your AV may include riskware detection (as an option) which then detects these programs; IRC clients which can be used as backdoors are also then detected, for your knowledge and to help with manual cleaning.
 
In some cases they are patched or heavily packed/modified ServU variants so they can just be detected by signature. We currently have many of these, not just 4. ServU-Based is the naming I generally use.
 
In this case TH will now be able to detect this particular variant so thanks for the link :)