Author Topic: Trojan NOT detected ! Heuristic fails also :(  (Read 10024 times)


Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Trojan NOT detected ! Heuristic fails also :(
« on: August 08, 2003, 09:44:06 PM »
I almost got infected by this trojan that came together with a download...

AVAST PRO with the latest updates didn't react when I tried to install the software, although I have my security settings put up to the max. (I let my resident shield scan really ALL files etc.)

When I sent the trojan in a NOT password-protected zip file to AVAST support via Outlook XP (full) with AVAST heuristics set to high, it didn't react either?

I'm sure AVAST is "working OK", as I do have a little virus collection that I tested it with afterwards.

This is a report from my trojan scanner, which saved my ass this time :) running the resident trojan guard.

If I hadn't had Anti-Trojan, my PC would almost certainly have been infected with some nasty.

My "Zone Alarm Pro with webfiltering" could possibly warn me when the trojan needs internet access, but I really don't like the idea of having a trojan running, blocked by Zone Alarm or not. This should be prevented in the first place.

Anti-Trojan Version 5.5.421

Trojan-Search Start of search: 8/08/2003 21:34:25 - End of search: 8/08/2003 21:34:49

Port-Scan: (found known ports)

Not activated



Registry-Scan:

Not activated



Drive-Scan:

Number of scanned files: 3560
Number of found trojan-files: 5

Trojans found: HatredFriend 1.3
Trojans found: HatredFriend 1.3
Trojans found: HatredFriend 1.3
Trojans found: HatredFriend 1.3
Trojans found: HatredFriend 1.3
The following trojan-files were found:

Trojans found: HatredFriend 1.3
Path: d:\PROGRAMS_download\H-F3.zip->Binder.exe

Trojans found: HatredFriend 1.3
Path: d:\PROGRAMS_download\H-F3.zip->Client.exe

Trojans found: HatredFriend 1.3
Path: d:\PROGRAMS_download\H-F3.zip->Edit Server.exe

Trojans found: HatredFriend 1.3
Path: d:\PROGRAMS_download\H-F3.zip->Server.exe

Trojans found: HatredFriend 1.3
Path: d:\PROGRAMS_download\H-F3.zip->Test Server.exe



« Last Edit: August 09, 2003, 11:24:08 PM by Waldo »
**Guns are for show, knifes for a pro**

Offline hungrylilboy

  • Jr. Member
  • **
  • Posts: 28
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #1 on: August 08, 2003, 11:58:01 PM »
This is the second time now that avast has failed to find a trojan, and a different trojan as well.
Would anyone from avast like to comment on this?
PS: I posted the backdoor topic, that being the first not to be picked up.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #2 on: August 09, 2003, 04:06:01 AM »
Where is the avast team ::)

There are other users (CNET) who reported win32.spy.justin.troj and win32/delf.BZ.troj infections...

Others reported false positives with "WIN32 Trojan-gen{VC}".

All of them report reduced system stability, deleted and corrupted files...

Come on avast team, any comments? :'(


The best things in life are free.

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #3 on: August 10, 2003, 02:46:39 PM »
AVAST PRO with the latest updates didn't react when I tried to install the software.
<->

This is a report of my trojan scanner that saved my ass this time :) running the resident trojan guard.

Not from Alwil, but I'd like to comment anyway:

- From the post it seems to me as if you had Trojan-GUARD and AVAST-Shield, i.e. two on-access scanners, running at the same time?
If so, very bad idea..

If you installed the program without Avast-Shield reacting, how come the trojans are only found in your download folders?

Where did you download the nasty from anyway? FS, P2P, Warez?

 ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #4 on: August 10, 2003, 04:33:58 PM »
From the post it seems to me as if you (Waldo) had Trojan-GUARD and AVAST-Shield, i.e. two on-Access-Scanners, running at the same time ?
If so, very bad idea..

If you installed the Program without Avast-Shield reacting, how come, the Trojans are only found in your download-folders ?

Where did you download the nasty from anyway? FS, P2P, Warez? ;D

Waldo, do you really use two on-access scanners?...
« Last Edit: August 11, 2003, 02:45:26 PM by technical »
The best things in life are free.

Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #5 on: August 10, 2003, 06:16:35 PM »
I do indeed use 2 on-access scanners (Avast & Anti-Trojan) running at the same time.

Many people use 2 resident shields, as anti-trojan programs are designed to be used in cooperation with anti-virus software.

And they will not interfere.

It is indeed BAD to run 2 virus scanners (guards) at the same time. This is asking for problems, something like using AVAST together with AVG etc.

But you can use programs like The Cleaner, TDS3, Trojan Hunter, Anti-Trojan, WormGuard etc. without problems.

Just take a look at the "Wilders forum" for posts regarding compatibility.

If I hadn't had it running (I have used it for almost 2 years) I would have been infected. I used Anti-Trojan v5.5 in cooperation with AVAST, AVG, Antivir PE, Kaspersky etc. (always at the same time).

I downloaded the nasty, which was bundled in a program, from P2P.

I immediately deleted ALL files of the install (manually) so I had only the infected ZIP files (in the original download folder) left > so I could send them to Avast support, and maybe keep them for investigation.

Waldo






« Last Edit: August 10, 2003, 06:35:58 PM by Waldo »
**Guns are for show, knifes for a pro**

Offline jdong

  • Jr. Member
  • **
  • Posts: 73
  • I'm NOT a llama!
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #6 on: August 11, 2003, 05:26:13 PM »
Unless you use KAV or a KAV/AVP-based AV (F-Secure, AVK), you should really consider getting an anti-trojan to complement your AV. AntiVirus programs are designed to combat viruses (gee, captain obvious reporting in!). You can't really trust it for AT.

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #7 on: August 11, 2003, 05:28:34 PM »
Hi,
as I deduce from http://www.anti-trojan.net/de/features.aspx
AT doesn't check file access, only lists startup-modifications
(on-access? or on-demand? Your log looks like an on-demand AT scan)
& functions like a normal on-demand trojan scanner.

So it really shouldn't interfere with Avast Shield.

Did you send the infected files to avast? pwd-zipped?
 ;)

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #8 on: August 11, 2003, 05:33:53 PM »
Hi jdong,

well I think that really depends on your behaviour..
-If someone downloads dubious exe-files from P2P (which you shouldn't do in the first place anyway) and doesn't scan them with several good scanners, even KAV won't always help.

- if you use your common sense together with a safely configured system, you can detect Trojans&Worms easily without an extra Trojanscanner



 ;)

Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #9 on: August 11, 2003, 06:09:49 PM »
as I deduce from http://www.anti-trojan.net/de/features.aspx
AT doesn't check file access, only lists startup-modifications
(on-access? or on-demand? Your log looks like an on-demand AT scan)
& functions like a normal on-demand trojan-scanner.

did you send the infected files to avast ? pwd-zipped ?

This link brings you to the on-access scanner feature included in Anti-Trojan v5.5

(your link doesn't show all the features ;))

This "Guard" is the feature that detected my trojan in the first place. NOT the on-demand scanner!

I did a scan with on-demand afterwards because this is the only way to have a report file to post in the forums. (On-access doesn't create reports, it just blocks installations.)

http://www.anti-trojan.net/en/hlp55710.aspx

I did not password-protect the file sent to Avast (but I included a warning) because I wanted to see if the "Heuristics" of the Outlook XP provider would detect it... which it didn't.


Waldo
« Last Edit: August 11, 2003, 06:41:17 PM by Waldo »
**Guns are for show, knifes for a pro**

Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #10 on: August 11, 2003, 06:28:35 PM »


well I think that really depends on your behaviour..

- if you use your common sense together with a safely configured system, you can detect Trojans&Worms easily without an extra Trojanscanner




It depends indeed on your behavior (but behavior has nothing to do with being protected or not).

Of course you can be careful and smart, but this doesn't change anything about the behavior (detecting) of a scanner.

Also, not many people know how to set up "a safe machine" like you stated, so most people are looking for 100% protection "out-of-the-box". Of course this can't be done. But this is what people expect of anti-virus software & firewalls.

Not many people can set up a good rule-set for their firewalls either, so there's a big chance they don't recognise a trojan working.

If your antivirus and firewall don't give you enough protection, there are only 2 solutions: using layered defence > some Anti-Trojan program, or just disconnecting from the internet.

This doesn't concern anybody, I know. But most PC users are real "noobs" when it comes to security in general.

So having an "extra" program running can indeed save your ass. I'm sure you agree with this.

This is a copy & paste from the AVAST website:

avast! 4 Professional Edition
 Professional Edition is a collection of high-end technologies having the same purpose: to give you the top grade protection against computer viruses.  
 
Antivirus kernel

New version of avast! antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (the ones what are really spreading amongst people) and very good detection of Trojan horses, all that with only a minimum number of false alarms.


This proves (and is normal) that they offer almost "100% virus detection" but can't provide the user with the same amount of detection with trojans or worms.

That's why anti-trojan programs are made, and are used very commonly in cooperation with AVs.

Waldo
« Last Edit: August 11, 2003, 06:41:33 PM by Waldo »
**Guns are for show, knifes for a pro**

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #11 on: August 11, 2003, 06:51:27 PM »
Hi Waldo,

a) behaviour&Noobs: mostly agree
b) Still think At-Watch shouldn't interfere with avast, so avast RS should have detected it ..
Does your Avast RS scan Archives ?
have you set it to scan on read and write ?

If you send in a malware sample, you should ALWAYS encrypt/pwd-protect it.
Otherwise it might get cleaned/blocked on the way to avast, and you would never know..
 ;)

Offline Waldo

  • Sr. Member
  • ****
  • Posts: 397
  • Avast does the ownage
Re:Trojan NOT detected ! Heuristic fails also :(
« Reply #12 on: August 11, 2003, 06:59:53 PM »
Hi Waldo,

a) behaviour&Noobs: mostly agree
b) Still think At-Watch shouldn't interfere with avast, so avast RS should have detected it ..
Does your Avast RS scan Archives ?
have you set it to scan on read and write ?

if you send in a malware sample, you should ALWAYS encrypt/pwd-protect  it .
Otherwise it might get cleaned/blocked on the way to avast, and you would never know..


A : :)

B : Indeed AVAST should have detected it, but it didn't :( Good I had Anti-Trojan.

C : Avast RS scans archives: yes, I have it set on read & write (create & modify) ALL files.

D : About the password for sending > never thought it could get blocked... I don't think it will, but it's possible. Something to remember next time. But I did it this time on purpose to check the heuristics out.

Waldo
« Last Edit: August 11, 2003, 07:01:23 PM by Waldo »
**Guns are for show, knifes for a pro**