Mischel Internet Security Forum
Topic: TSPY_small
rachael
Newbie, Posts: 11
« on: Oct 6th, 2007, 2:09pm »

My antivirus, Trend Micro Officescan, detected and removed something called TSPY_small, which was not detected by TrojanHunter. Trend Micro classified this thing as a trojan, but I'm thinking maybe it was just adware. Does anyone know what TSPY_small is, and why TH wouldn't detect it?
 

Hawkeyelom
Full Member, Posts: 190
« Reply #1 on: Oct 6th, 2007, 8:42pm »

Do a search on Google for TSPY_small and you will find lots of info that could help answer your questions.

siliconman01
Global Moderator, Posts: 5671
« Reply #2 on: Oct 7th, 2007, 12:41am »

Quote: "and why TH wouldn't detect it?"

Was the detection during a disk scan using Trend Micro, or did it get detected in memory?
 
If it was detected in memory, the probable answer to your question is that Trend Micro saw the infection first and then locked it so that THGuard would not be able to detect it.

TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

rachael
Newbie, Posts: 11
« Reply #3 on: Oct 8th, 2007, 9:15am »

The Trend Micro scan was a regularly scheduled one, so I'm assuming that would be a disk scan. I have never had any spyware at all on this machine, so it was kind of unsettling, but the thing is, I was wondering if it might have had something to do with my recent upgrade to spybot 1.5. When I was immunizing, there was a clash between spybot and spysweeper, in which spysweeper tried to block the changes that spybot was making to my host files with its new definitions. The traces that TM picked up on the malware all seemed to be in my hostfiles area, so I'm wondering if somehow that clash between the spybot and the spysweeper left some items unprotected. Does that sound like something that could have happened? I had absolutely no indication prior to the scheduled scan that the computer might be infested with anything -- no popups, no hijacks, no slowdowns, and no weird browser helper objects. Maybe TH was just wisely staying out of the clash of the antispywares. lol  
 
On a related note, I was wondering how people were liking the Teatimer resident on the new spybot. It seems a bit over-aggressive to me.
 
To Hawkeye, thanks for the "advice" to do an internet search; I had already done some googling for an hour and a half or so before I posted, as anyone naturally would. The information about TSmall, even on the TM site, was cryptic, and the only other sites I would trust besides this forum are castlecops and cnet. So many of the antispyware sites are actually spyware themselves that I hesitate even to enter. At any rate, I'd prefer information from someone who knows what they're talking about, and you can never be sure of that when you just browse to some internet site you don't know a whole lot about. At any rate, all googling aside, I think the question I'm asking is a valid one.

siliconman01
Global Moderator, Posts: 5671
« Reply #4 on: Oct 8th, 2007, 10:00am »

Does Trend Micro have this file/critter in Quarantine?  If you can, unquarantine it and then send it in to Mischel Internet Security for analysis.  The link below explains how to submit a suspected malicious file.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
I suspect this is what Gavin/Magnus refer to as TrojanSpy.Small.xxx.  There are over 224 different variants of this in TH's rulesets.
 
After you get it sent in, let Trend Micro quarantine it again.  Before doing that, however, locate the file and do a right click scan on it with TrojanHunter scanner.  That will show whether TH can/will detect it.
 
I'll email Gavin and ask him to jump in on your post here.  He probably will need to see the file first before he can answer your question directly.

rachael
Newbie, Posts: 11
« Reply #5 on: Oct 8th, 2007, 10:39am »

TM Officescan is a centrally managed system, and it simply removes malware from the machines; I don't see any quarantine area. My log simply says that TSPY_small was "successfully removed" and no further action was necessary. When you click view, it gives more information. It says that the systems area affected was "hosts," and in the components column it says 127.0.0.1 and lists a bunch of malicious web addresses.

siliconman01
Global Moderator, Posts: 5671
« Reply #6 on: Oct 8th, 2007, 3:51pm »

I would like to see what is in your Hosts file.
 
Would you please do this:
 
1.  Using Windows Explorer, navigate to folder  etc which is located at C:\Windows\System32\Drivers\etc.
 
2.  Open folder etc
 
3.  In folder etc you will find a file named Hosts.  It will not have an extension....just the name Hosts.  
 
4.  Right click on Hosts and open it with NOTEPAD.  
 
5.  From NotePad, do a Select All and Copy everything in Hosts  
 
6.  Paste this back here into a new post.  
 
7.  Close NotePad and Windows Explorer.
 

rachael
Newbie, Posts: 11
« Reply #7 on: Oct 8th, 2007, 5:31pm »

Siliconman: I tried to do as you said, but it's telling me my message is too long to post in the forum. Here is the start of it, but it's basically all the things put in there by spybot.
 
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97     rhino.acme.com     # source server
#  38.25.63.10     x.acme.com    # x client host
 
127.0.0.1  localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1  hityou.com
127.0.0.1  www.hityou.com
127.0.0.1  180searchassistant.com
127.0.0.1  www.180searchassistant.com
127.0.0.1  180solutions.com
127.0.0.1  www.180solutions.com

siliconman01
Global Moderator, Posts: 5671
« Reply #8 on: Oct 8th, 2007, 11:06pm »

That's okay.  What you have supplied is enough.  Here's what has happened on your system.  You recently installed SpyBot which adds entries into the Hosts file.  There are probably several thousand entries that have been added to the Hosts file by SpyBot as part of its web protection/ad blocking method.  
 
Trend Micro has an option to scan and check the Hosts file to see if a malicious entry has been made into the Hosts file by a criminal program.  HOWEVER, Trend Micro does not have the intelligence to program this specific check correctly.  They just look for URLs.  They do not make the proper checking to see if the specific URLs are opted to 127.0.0.1 (which effectively sends that URL out into a black hole).
 
You did not have an infection in the first place.  In TM you will find an option concerning scanning the Hosts file.  You need to turn this option off in Trend Micro if you are using SpyBot or any other security program that intentionally loads up the Hosts file with malicious URLs to guard against.
 
The very first active entry in your Hosts file is  
 
127.0.0.1    localhost
 
 
This MUST always be the first entry.  Entries that follow are then  
 
127.0.0.1   A malicious URL
 
Windows (IE) sees this malicious URL and assigns it to localhost which is the black hole....vapor.  IE will not go to that URL.  
 
(A # sign is a comment line in the Hosts file.)
 
BTW, I suspect that Trend Micro may have several hundred of the valid Hosts file entries that SpyBot installed.  You may wish to re-update these within SpyBot so that you are protected.
 
The link below provides more information concerning the HOSTS file and its use.
 
http://www.mvps.org/winhelp2002/hosts.htm
« Last Edit: Oct 9th, 2007, 3:59am by siliconman01 »
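Reply #8 describes the check a hosts-file scanner ought to make: an entry that maps a name to 127.0.0.1 only black-holes that name, so a list of ad and spyware domains pointed at 127.0.0.1 is protection, not an infection; the pattern a real hijack uses is a name mapped to some other address. As an added example (not code from the thread, from TrojanHunter or from Trend Micro), here is a small Python audit that parses a hosts file with the '#' comment rule and the first-entry expectation described above and reports only the entries worth a closer look. The sample hosts text, the addition of 0.0.0.0 and ::1 to the sink-hole set, the 198.51.100.7 / www.example-bank.test line and all function names are constructed for this example.

```python
"""Audit a Windows hosts file: separate benign sink-hole entries from hijacks.

Added example for this thread; not code from TrojanHunter or the forum.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Addresses that send a name nowhere.  The thread only mentions 127.0.0.1;
# 0.0.0.0 and ::1 are added here as an assumption (both are common in
# ad-blocking hosts lists).
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list
    verdict: str   # localhost | sinkhole | redirect | malformed


def parse_hosts(text: str) -> list:
    """Parse hosts-file text into entries, applying the '#' comment rule."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue                          # blank or comment-only line
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)     # rejects e.g. '127.0.01'
        except ValueError:
            entries.append(HostsEntry(line_no, address, names, "malformed"))
            continue
        if not names:
            entries.append(HostsEntry(line_no, address, names, "malformed"))
            continue
        if names == ["localhost"] and address in SINKHOLE_ADDRESSES:
            verdict = "localhost"
        elif address in SINKHOLE_ADDRESSES:
            verdict = "sinkhole"              # the benign Spybot pattern
        else:
            verdict = "redirect"              # name sent to a real host
        entries.append(HostsEntry(line_no, address, names, verdict))
    return entries


def audit_hosts(text: str):
    """Return (verdict counts, findings).  Only redirects, malformed lines
    and a missing leading localhost entry are reported; sink-holes are not."""
    entries = parse_hosts(text)
    counts = dict(Counter(e.verdict for e in entries))
    findings = []
    active = [e for e in entries if e.verdict != "malformed"]
    if not active or active[0].verdict != "localhost":
        findings.append("first active entry is not '127.0.0.1 localhost'")
    for e in entries:
        if e.verdict == "redirect":
            findings.append(f"line {e.line_no}: {' '.join(e.names)} -> "
                            f"{e.address} (not a sink-hole; hijack candidate)")
        elif e.verdict == "malformed":
            findings.append(f"line {e.line_no}: malformed entry {e.address!r}")
    return counts, findings


# Constructed sample input; the bank name and 198.51.100.7 are
# documentation placeholders, not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1  localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 hityou.com
127.0.0.1 www.hityou.com     # sink-holed ad host
0.0.0.0   180solutions.com
198.51.100.7 www.example-bank.test
127.0.01 www.180searchassistant.com
"""

if __name__ == "__main__":
    counts, findings = audit_hosts(SAMPLE_HOSTS)
    print("entry counts:", counts)
    for finding in findings:
        print("FINDING:", finding)
```

Run against the sample, the three sink-holed ad hosts produce no finding at all, while the line that sends a bank name to a real address and the malformed "127.0.01" line are the only two reports. One caveat on the first-entry rule: Windows Vista and later resolve localhost inside the DNS client and ship a hosts file with the localhost lines commented out, so that check reflects the thread's advice for the Windows versions of 2007 rather than a universal rule.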

rachael
Newbie, Posts: 11
« Reply #9 on: Oct 9th, 2007, 6:46am »

Thanks so much for the explanation, Siliconman. That's what I was sort of suspecting might have happened, but I've always used Spybot and never had this problem with Trend Micro. Here's an alternative scenario that I was thinking might have caused this: a conflict between spy sweeper and spybot. Usually I turn spy sweeper off when I update definitions on spybot, because spy sweeper will always try to block the update. On the day I upgraded to sb 1.5, I forgot to turn off spy sweeper and it tried to block the update. I told it to allow spybot to do its thing, but I'm thinking that perhaps it still vaporized some of the spybot hosts, and then trend micro, when it came up for its scheduled scan a couple days later, thought that some malicious program had been messing with the hosts files.  
 
At any rate, thanks again - I can't believe how fast you guys respond to queries.