   Mischel Internet Security Forum
Topic: Am I wrong or is there a mistake? (trojan scan)

devnull
« on: Apr 16th, 2002, 11:30pm »

Hi there!
 
Hm, maybe I am not quite good at testing.. or there's a mistake.. anyway, here is the test resolution:
 
Found trojan file: C:\directory\otherdir\trojans\netbustrojai.rar/PATCH.EXE (Netbus.160)
Found trojan file: C:\directory\otherdir\trojans\mastpara98v9.7b.zip/Game.exe (Netbus.153)
Found trojan file: C:\directory\otherdir\trojans\Net Bus 1.60.rar/PATCH.EXE (Netbus.160)
Found trojan file: C:\directory\otherdir\trojans\cybersensor-trojan.zip/spyagent.exe (Cybersensor.100)
4 trojan files found
 
Now, there were other trojans as well, but I haven't a clue why the software didn't find them.. :\. Most of the trojan files were renamed to "trojanname_exe.vir" & were packed by WinRAR (so the trojan files - all, not only the exe - were in a pack, with .rar extension). Um, the software - as you see above - found _some_ trojans, but not all.. I tried to unpack some of the trojans and used the right-click menu's built-in scan: still not all (but after unpacking, the software found a lot ;) ).. Any ideas?
 
Software version: 2.54.
Live update: today.
 
Missed trojans (without unpacking/renaming):
 
Amanda 2.0
Assault
BackDoor v2.02
BackDoor v2.03
BO 1.2 (same as below, earlier version)
BO2k (the Back Orifice one..)
Chupacabra
Cybersensor
Deep Throat 1.x
Deep Throat 1
Deep Throat 2
Delta 0.5 Beta
Divine Intervention
Fatal (Network) Error
Insane
Le Guardien
Master Paradise 98 v9.7b
Maverick Matrix
Net Bus 1.60
Net Bus 1.7
Net Bus 2.0 Pro
Net Bus 2.01
Net Sphere 1.30
Net Spy 2.0
Saran Wrap
Satan Backdoor
School (not find in my own executable!)
Schwindler 1.82
Setup Trojan
Spy v2.59 (it's a Hungarian trojan)
Striker
Sub 7 2.1 Gold Edition
Sub 7 2.2
The Thing 1.5
UDP Backdoor 2.0 (UNIX kind)
Vampire 1.2
Weima-meia 0.1
Whack-A-job (as i know, it's only a plug-in)
Wincrash
Wincrash 2 (it is only the setup)

 
Remember: the question is 'why the software didn't find all of them in the packages'. I think: because I renamed the files in the packages.. maybe.. hm?
 
Ideas to the GUI:
* An option with a checkbox: "Do you want to open all the scans in the same window?"
* Other languages: maybe it's not only for the money (probably it is good for others), but for the name (famous everywhere :) .. hm, well, it's up 2 u).
+ maybe it's a good idea, to create plug-ins for known download-managers: think about it ;]. Q: Where the trojans could come from? A: From downloads (mainly).

::[TWN]::

Randy_Bell
« Reply #1 on: Apr 17th, 2002, 12:01am »

I think I recall Magnus saying, in a thread on DSLReports, that TH won't detect a trojan in a self-extracting compressed RAR-file.  Where did all these trojans come from?  Are there really that many trojan samples available for download from the web?  What is your point here?

devnull
« Reply #2 on: Apr 17th, 2002, 12:49am »

Well:  
 
* they are packed into .rar, not to .exe (not self-extracting).
* these trojans are on my computer (others as well on my pc & on cd-s & on web, etc..): they are for tests, only (I'm not the bad guy :]). You asked: there're lots of trojans on the web :o)))))).
* I'm here to find answers, that's all.
 
If the software is good or ok (there's no excellent software, as we can't stop the time/this is the reason ;]/), I'll recommend it: I could create a little name, that's all.

Randy_Bell
« Reply #3 on: Apr 17th, 2002, 7:41am »

OK thanks, TWN -- I wasn't attacking you, please don't misunderstand -- just wondered where you were coming from.  It's unusual for a layperson (i.e. someone other than a professional like Magnus) to have so many samples of trojans lying around.  I would like to test TH on more samples myself.  I'd also like to test my copy of NAV, at the same time.  NAV didn't do very well in PC Flank's comparative test of antitrojans, in fact it came in last -- see http://www.pcflank.com/art17d.htm -- but I think NAV is a lot better than that!!  
 
Magnus
« Reply #4 on: Apr 17th, 2002, 8:08am »

TrojanHunter scans executable files. Files with the extension .vir aren't executable. Try renaming the files to .exe and see what happens.

devnull
« Reply #5 on: Apr 17th, 2002, 4:14pm »

OK, I will give it a try. Thank you for the answer & for your time Magnus.
 
Randy_Bell: it's okay. Most of the virus-scanners have tests, a home-made.. A little problem is that I could do the same test with _my own_ trojans & viruses (I meant collection): so no one can cheat ;]. It's 2 easy to say: our software is better, bigger,.. gösser :). And well, it could be.. .., if you're using specific programs for testing ;].
Sorry for the next words, but one thing is true: the NAV is the worst in trojan scanning/cleaning (and not only my tests show that: please try to search the web for other tests, maybe I could paste here a part of my test: it's an InoculateIT 5.2.9.0/McAfee 4.0.3/NAV 2001 for Windows 95 & Tauscan 1.5 test/maybe the test is too old now../). Hey: I didn't say viruses, remember the word >_trojan_< (the virus scanning is still good).
 
Hope there will be good news for everyone :], seeya'!

devnull
Here is a test.
« Reply #6 on: Apr 17th, 2002, 5:44pm »

Wow, :)... it looks much better ;]! I've added some more trojans to the scan ;).
 
Report:
Scanning directory C:\unpacked
Found trojan file: C:\unpacked\vampire 1.2\server.exe (Vampire.120)
Found trojan file: C:\unpacked\ultor\t5port.exe (Utlors.100)
Found trojan file: C:\unpacked\the Thing 1.5\netxvld.exe (Thething.150)
Found trojan file: C:\unpacked\The 1-900 trojan\EN-CID12.EXE (1-900Dialer.100)
Found trojan file: C:\unpacked\Sub7 2.2\server.exe (SubSeven.220)
Found trojan file: C:\unpacked\Striker 1.0\ServerS.exe (Striker.100)
Found trojan file: C:\unpacked\SnIpErNeT 2.1\server.exe (SniperNet.210)
Found trojan file: C:\unpacked\Setup\SetupTrojan.exe (SetupTrojan.100)
Found trojan file: C:\unpacked\Schwindler 1.82\Server.exe (Schwindler.182)
Found trojan file: C:\unpacked\Satan's backdoor\WinVMM32.exe (SatansBackdoor.102)
Found trojan file: C:\unpacked\Satan's backdoor (other)\Server.exe (SatansBackdoor.100)
Found trojan file: C:\unpacked\Sub7 2.1 Gold Edition\SERVER.EXE (Subseven.210)
Found trojan file: C:\unpacked\Prosiak 0.47\Prosiak.exe (Prosiak.047)
Found trojan file: C:\unpacked\Priority (Beta)\PSERVER.exe (Priority.100)
Found trojan file: C:\unpacked\PC Invader 0.7 alfa 9\PCInvServ.exe (PCInvader.070)
Found trojan file: C:\unpacked\NetSpy 2.0 (or known as Netmonitor)\Netmonitor.exe (NetSpy.200)
Found trojan file: C:\unpacked\NetSpy 2.0 (or known as Netmonitor)\netspy.exe (NetSpy.200)
Found trojan file: C:\unpacked\NetBus 1.7\Patch.exe (Netbus.170)
Found trojan file: C:\unpacked\Maverick Matrix\MainServer.exe (Matrix.130)
Found trojan file: C:\unpacked\Master's Paradise 98 v9.7b\Agent.exe (MastersParadise.970)
Found trojan file: C:\unpacked\Master's Paradise 98 v9.7b\Game.exe (Netbus.153)
Found trojan file: C:\unpacked\Le Guardien\Clavier.exe (LeGuardien.100)
Found trojan file: C:\unpacked\Khaled\khaled.exe (Khaled.100)
Found trojan file: C:\unpacked\Insane (Network)\Insane Network.exe (InsaneNetwork.500)
Found trojan file: C:\unpacked\Hack'a'Tack\Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked\Ghost 2.3\server.exe (Ghost.230)
Found trojan file: C:\unpacked\Gatecrasher 1\Port.exe (GateCrasher.100)
Found trojan file: C:\unpacked\Gatecrasher (other)\BUG.exe (GateCrasher.110)
Found trojan file: C:\unpacked\Frenzy 1.01\Server.exe (Frenzy.101)
Found trojan file: C:\unpacked\Fatal Error\fatalerr.exe (FatalError.100)
Found trojan file: C:\unpacked\Devil 1.3\server.exe (OpScript.100)
Found trojan file: C:\unpacked\Delta 0.5 Beta\Client.exe (Delta.050)
Found trojan file: C:\unpacked\Delta 0.5 Beta\Server.exe (Delta.050)
Found trojan file: C:\unpacked\Deep Throat 1.0\systempatch.exe (DeepThroat.100)
Found trojan file: C:\unpacked\Deep Throat 2\RemoteControl.exe (DeepThroat.200)
Found trojan file: C:\unpacked\Cybersensor\spyagent.exe (Cybersensor.100)
Found trojan file: C:\unpacked\Coma\comserv.exe (Coma.109)
Found trojan file: C:\unpacked\Chupacabra\server.exe (Chupacabra.100)
Found trojan file: C:\unpacked\Bugs\Bug's.exe (Bugs.100)
Found trojan file: C:\unpacked\Bo 1.2\BOSERVE.EXE (BackOrifice.120)
Found trojan file: C:\unpacked\Bladerun\SERVER.EXE (BladeRunner.080)
Found trojan file: C:\unpacked\Back Door 2.03\icqnuke.exe (Backdoor.200)
Found trojan file: C:\unpacked\Back Door 2.03\readme.exe (Backdoor.200)
Found trojan file: C:\unpacked\Back Door 2.02\icqnuke.exe (Backdoor.200)
Found trojan file: C:\unpacked\Back Door 2.02\readme.exe (Backdoor.202)
Found trojan file: C:\unpacked\Barok 2.0\server.exe (Barok.200)
Found trojan file: C:\unpacked\Back Construction 2.1\Server.exe (BackConstruction.120)
Found trojan file: C:\unpacked\Amanda 2.0\Server.exe (Amanda.200)
Found trojan file: C:\unpacked\NetBus 1.60\PATCH.EXE (Netbus.160)
Found trojan file: C:\unpacked\Web EX 1.4\Task_Bar.exe (WebEx.140)
[50 trojan files found from 84]
 
Missed:
Y3k Rat 1.7, Wincrash, wincrash (only the setup program), web EX 1.3 (Huh=the program found the Web EX 1.40, but what's with this version?), Weima-meia (a netbus plug-in), Uns 1.2, UDP Backdoor 2.0 (a UNIX kind), The Thing (the program didn't find the infected file, but found the main file), Tapiras, Sub7 Bonus (just the setup), Spy 2.59 (a Hungarian trojan), Saran wrap (a BO plug-in), Remote Hack, Reboot (probably, it's not a real trojan: not much functions, I mean), Rat 1.1 (it's a back door infected file, not an other trojan), Psychwadr, Phasma 1.3 Beta, NetBus 2.01 (only the setup program), Invasor, DonaldDick 1.5x, Divine Intervention, Cria (trojan family), Bo2k (only the Back Orifice setup).

devnull
« Reply #7 on: Apr 17th, 2002, 5:46pm »

The "only setup" kinds are not a real threat (they are _like_ - most cases when you run the setup program, you don't know whether it will set up a server on your pc ;] - normal app's setups). But I didn't write anything about plug-ins (there were more sub7 plugs as well..).
 
I wonder why the program does not use alphabetic scan :\. If you - authors, only - need any of the above files, please e-mail me (I'll upload them for free onto a server/as soon as I have time ;)/).
 
Now, I'm waiting for reactions - _time_ - for the above tests.

norw
« Reply #8 on: Apr 17th, 2002, 7:34pm »

A note: TH only scans for servers.

devnull
« Reply #9 on: Apr 18th, 2002, 11:52pm »

on Apr 17th, 2002, 7:34pm, norw wrote:

A note: TH only scans for servers.

 
Notes: usually I have both the server & client. But there are trojans which are not capable of using a real server (f.e. it uses a system backdoor - if the victim's computer is not patched or there is no patch for that) or have no client side at all: let's think about an exe file, which opens a port and you - the attacker - are wise enough to use this ability (f.e. an open telnet for everyone).
 
About your note: it's not enough to search only for servers - I think the program should search for trojan plug-ins (because there are plug-ins which are ready to change the original trojan's codes: so the software couldn't recognise it) as well.

Magnus
« Reply #10 on: Apr 19th, 2002, 10:56am »

If you think you have any trojans that TrojanHunter doesn't detect then either attach them to an e-mail and send them to submit@trojanhunter.com or upload them somewhere and send the URL to the same address.
 
Just to clarify, here are a few points to keep in mind about what TrojanHunter doesn't detect, and why:
 
1. If a trojan has a setup application that displays a license agreement, installs the client and server into a folder etc. then that file will not be detected because it doesn't actually install/run the server.
 
2. Trojan plug-ins are harmless. (I don't see how your scenario would work even in theory as the executable is memory-mapped by the operating system when the plug-in DLL executes, and so there's no way to modify the host executable.)  TrojanHunter will probably detect plug-ins soon though, as this seems to be necessary given that some trojan scanner tests include plug-ins.
 
devnull
« Reply #11 on: Apr 19th, 2002, 2:02pm »

You've got an e-mail ;)!

devnull
« Reply #12 on: Apr 20th, 2002, 10:13pm »

Um... a little problem.. seems to be:
 
...
Found trojan file: C:\unpacked.rar/RemoteControl.exe (DeepThroat.200)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/SERVER.EXE (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/SERVER.EXE (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/Server.exe (Hack'a'Tack.112)
Found trojan file: C:\unpacked.rar/ServerS.exe (Striker.100)
...
 
Any ideas for this? I tested your update: now the software can find your mentioned trojans - the new BioNet as well ;), other scanners are not able to find that ;] -, but there is this problem (I've done it twice: got the same resolution).

Magnus
« Reply #13 on: Apr 21st, 2002, 1:07pm »

How many server.exe files are in the unpacked.rar archive? Are they in "folders" in the archive?

devnull
« Reply #14 on: Apr 21st, 2002, 9:51pm »

on Apr 21st, 2002, 1:07pm, Magnus wrote:

How many server.exe files are in the unpacked.rar archive? Are they in "folders" in the archive?

 
Hi Magnus: I have only one main directory, then directories by trojan names (so my answer: yes, I have directories). The name of the main directory is "unpacked", in this directory, I've the others, f.e.:
 
...
C:\unpacked.rar:unpacked\sample trojan\files.*
C:\unpacked.rar:unpacked\other name\otherfiles.*
etc.
..
 
(there were no files next to the main "unpacked" directory, the TH. shows that it's like "C:\unpacked.rar:filenames.*", in the Hack'a'Tack directory, there is only one server file: there's no other hack'a'tack infected file /as i know/.)
 
So: i packed the unpacked directory into one file, that's all.
 
Number of sub-directories: 71.
Number of server-sides: ~60 (mentioned trojans).
Number of server.exe-s: 17 (in the sub-directories, with this names).
 
Do you need any other information?
::[TWN]::
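
Added example, not part of the thread and not TrojanHunter's code: it illustrates the two points raised above, Magnus's reply #4 (files are selected for scanning by extension, so a renamed .vir member is skipped) and the ambiguous "unpacked.rar/server.exe" report lines in replies #12 to #14. Assumptions: a constructed ZIP stands in for the RAR archive (Python's standard library has no RAR reader), the extension list and member names are made up, and the "executables" are inert buffers containing only MZ/PE header magic.

```python
import io
import os
import zipfile

EXEC_EXTS = {".exe", ".dll", ".com", ".scr"}  # assumed extension allow-list

def fake_pe() -> bytes:
    """Constructed, inert 128-byte buffer carrying only MZ/PE header magic."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: offset of PE signature
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

def is_pe(head: bytes) -> bool:
    """Identify a Windows executable by content, ignoring its file name."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    off = int.from_bytes(head[0x3C:0x40], "little")
    return head[off:off + 4] == b"PE\x00\x00"

def scan_candidates(archive: bytes, label: str):
    """Return (picked_by_extension, picked_by_content) as full member paths."""
    by_ext, by_content = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Keep the in-archive folder so same-named members stay distinct.
            path = f"{label}/{info.filename}"
            if os.path.splitext(info.filename)[1].lower() in EXEC_EXTS:
                by_ext.append(path)
            with zf.open(info) as fh:
                if is_pe(fh.read(4096)):
                    by_content.append(path)
    return by_ext, by_content

def build_sample() -> bytes:
    """Constructed archive mirroring the folder layout described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("unpacked/Hack'a'Tack/Server.exe", fake_pe())
        zf.writestr("unpacked/Sub7 2.2/server.exe", fake_pe())
        zf.writestr("unpacked/NetBus 1.7/patch_exe.vir", fake_pe())
        zf.writestr("unpacked/NetBus 1.7/readme.txt", b"plain text, not a PE")
    return buf.getvalue()

if __name__ == "__main__":
    ext, content = scan_candidates(build_sample(), "unpacked.zip")
    print("by extension:", ext)
    print("by content:  ", content)
```

The extension filter passes two members to the scanner and skips the renamed one; the header check passes all three, and reporting the full member path keeps the two server.exe files distinguishable.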