Troj_istbar.c


  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    3

    Troj_istbar.c

    Hello People,
    I just joined AntiOnline today. I was reading some interesting posts about viruses. I went to a site that was listed in the forum. It was Trend Micro's Housecall site, http://housecall.trendmicro.com/hous...tart_corp.asp.
    I used the free scan option on the page. I run Symantec Corporate Edition 8.0 on my computer. Housecall found a trojan, named,
    "TROJ_ISTBAR.C", in "C:\Documents And Settings\"Username"\Local Settings\Temp. The file was named, "istsv.exe". I then scanned "C:\Documents And Settings\"Username"\Local Settings\Temp\istsv.exe" with Symantec. Symantec did not detect the virus. I then manually deleted it. Has anyone heard of this Trojan before? If so, what does this virus do, exactly, if known? How long has this virus been around? Is it new?
    Also, I am thinking about notifying Symantec of this, but I am wondering if the company is aware of it, if not, would Symantec use this info to charge more for its product? I would like to notify Symantec for the sake of us consumers, but the thought of a large corporation making money off of this info appalls me. But then again, if Symantec's products are not up to date, people should be made aware of this. Any advice would be greatly appreciated, Emails, IM's, however you would like to contact me would be fine.
    Thanks for taking the time to read this post,
    Midnight
    midnight45cal@yahoo.com

    P.S. My name in the file path is replaced by "username" for privacy purposes

  2. #2
    Member
    Join Date
    Sep 2003
    Posts
    69
    Similar to the earlier variant TROJ_ISTBAR.B, this memory-resident Trojan is downloaded as an Internet Explorer (IE) toolbar from the following Web site:

    http://xxxto<BLOCKED>bar.com/ist/scripts/istsvc_config.php
    Once installed, it creates a folder named ISTsvc, where it drops an exact copy of itself as ISTSVC.EXE, in the program directory.


    This Trojan drops several links, most of which point to pornographic Web sites, in the Internet Explorer Favorite folders.



    Source; a list of all links is on this page

    http://www.trendmicro.com/vinfo/viru...=TROJ_ISTBAR.C

    I found the URL for istbar.a, but I don't think it's a good idea to post it; message me if you want it.

    That's all I could turn up.

  3. #3
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi, and welcome to AO.

    "Trojans" are quite strange beasts by definition as they are technically apparently benign items that do "something else" as well. They are typically not well detected by traditional AV products as they do not (usually) behave like viruses. Their usual purpose is to permit unauthorised access and steal information. You must have "heuristic scanning", "scan all files", and "scan compressed files" turned on, and even then they will probably only spot the packager, rather than the actual malware.

    It is the same for adware and spyware? You need rather more specialist software for the job.

    http://www.diamondcs.com.au

    Take a look at TDS3 and Worm Guard and get a free copy of RegistryProt whilst you are there (most stuff tries to make registry entries).

    As for detection... that depends on how your AV works... I was recently sent a trojan for analysis, it was renamed to a .txt file to make it harmless...

    EZArmour spotted it, and would not let me download it. AVG on another machine allowed me to download it, but immediately spotted it when I tried to rename it to a .exe file so that I could unpack the code. Both did their jobs, but in different ways?

    Housecall is a very thorough scan, your resident scan may not have the defaults set as stated, or may only catch trojans in its interactive scanner when the file is opened.

    I must warn you though that Norton did not score very highly in a recent UK trojan detection test.

    Hope this helps

  4. #4
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    716

    Greetings.

    Hello Midnight, welcome to AO!

    Regarding your post/question. I suspect the Virii known to you and I are more than well known to the companies that thrive on protecting the general public from them.

    At least I would hope so. If you are looking for simple removal of the ISTBAR troj.


    http://www.trendmicro.com/vinfo/viru...=TROJ_ISTBAR.B


    Just a suggestion, use some spaces when posting, I almost lost my eyesight reading your post. hehe.

    Good ppl. here!

    Welcome!

    Galdron



    Edit- Well for &*% sakes I type so slow Nihil made me look a foo! lol

    Oh well Nihil makes a hell of a lot more sense than I do anyway!

  5. #5
    Junior Member
    Join Date
    Apr 2004
    Posts
    3
    Hello,
    I would like to thank you guys for the welcome to AO. Galdron, I will use more spaces for my future posts. lol
    I wanted to get the URL from you ScriptersX, but as I am new, I haven't figured out how to message people yet, I'll learn.
    Thanks for the info Nihil.
    Ok, Housecall finally got done with my scan, and there were a total of 12 viruses found, 2 Trojans:

    1. TROJ_ISTBAR.C istsv.exe --------------Created 8-27-03/1:27 am
    File Path C:\Documents And Settings\"Username"\Local Settings\Temp\istsv.exe

    2. TROJ_ACHUM.A MSMGT.exe----------Created 8-27-03/1:27 am
    File Path C:\Windows\ MSMGT.exeS

    BKDR_SANDBOX.A was found to be on my computer 10 times, each with a different file name:


    Fff85.exe------- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ Fff85.exe
    Ikr2.exe---------Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ Ikr2.exe
    NhayDF.exe---Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ NhayDF.exe
    PikqWgD1.exe- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ PikqWgD1.exe
    Ssa9.exe--------- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ Ssa9.exe
    Tbx3gPf.exe---- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ Tbx3gPf.exe
    UsgioZ.exe------ Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ UsgioZ.exe
    XkwA.exe------- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ XkwA.exe
    Xszw.exe---------Created 2-20-04/10:15 am
    File path C:\Windows\system32\ Xszw.exe
    Zfl8.exe---------- Created 11-28-03/10:49 pm
    File path C:\Windows\system32\ Zfl8.exe


    As you can see by the dates created, the Trojans were created at the same time as each other, as were the 10 BKDR_SANDBOX.A files. Is it possible that one of each virus replicated?
    Housecall would've deleted them but to be safe, I manually deleted them and then ran Housecall again, no viruses this time. Does anyone know what any of these viruses do, exactly, and where they come from? I am running Windows XP Professional 2002. My settings have been loading up slower than usual for some time, I cannot figure out why, yet. The OS loads fine, but applying my settings after log on takes up more time than usual. Is it known if any of the above viruses would be the cause of that?
    I adjusted my AV settings to your suggestions Nihil, hopefully that will improve Symantec's performance.
    Once again, thanks for the welcome, I am sure I will be visiting AO quite often. ScriptersX, could you give me a hint on how to message people here? lol
    Midnight
    (midnight45cal@yahoo.com)
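
The creation-time pattern pointed out in post #5 can be checked mechanically. The following is an added example, not part of the original thread: it parses the scan listing from that post (retyped here one finding per line) and groups files created in the same minute. The function names and the `scan_dir` helper for a live directory are assumptions made for this illustration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Findings retyped from post #5: detection name, file name, creation time.
FINDINGS = """\
TROJ_ISTBAR.C istsv.exe 8-27-03/1:27 am
TROJ_ACHUM.A MSMGT.exe 8-27-03/1:27 am
BKDR_SANDBOX.A Fff85.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A Ikr2.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A NhayDF.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A PikqWgD1.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A Ssa9.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A Tbx3gPf.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A UsgioZ.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A XkwA.exe 11-28-03/10:49 pm
BKDR_SANDBOX.A Xszw.exe 2-20-04/10:15 am
BKDR_SANDBOX.A Zfl8.exe 11-28-03/10:49 pm
"""
LINE = re.compile(r"(\S+) (\S+) (\d+-\d+-\d+)/(\d+:\d+ [ap]m)$")

def parse(text):
    """Return (detection, filename, created) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            det, name, date, clock = m.groups()
            created = datetime.strptime(f"{date} {clock}", "%m-%d-%y %I:%M %p")
            records.append((det, name, created))
    return records

def drop_batches(records, min_size=2):
    """Group records by creation minute and keep groups of min_size or more.
    Heuristic: files created in the same minute were probably written together."""
    by_minute = defaultdict(list)
    for det, name, created in records:
        by_minute[created].append((det, name))
    return {ts: files for ts, files in sorted(by_minute.items()) if len(files) >= min_size}

def scan_dir(path, suffix=".exe"):
    """Live variant: on Windows, os.path.getctime() returns the creation time."""
    out = []
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(suffix):
            ts = datetime.fromtimestamp(os.path.getctime(entry.path))
            out.append(("", entry.name, ts.replace(second=0, microsecond=0)))
    return out
```

Calling `drop_batches(parse(FINDINGS))` returns two batches and leaves `Xszw.exe`, created on a different date, outside both.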

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    this thread is definitely informative

    Symantec classifies this as adware thereby making it detectable only by its products that support "expanded threats".

    from their site:

    "Expanded threats exist outside of commonly known definitions of viruses, worms, and Trojan horses that may provide unauthorized access, threats to system or data security, and other types of threats or nuisances. Expanded threats may be unknowingly downloaded from Web sites, email messages, or instant messengers. They can also be installed as a by-product of accepting the End User License Agreement from another software program related to or linked in some way to the expanded threat."

    and in regard to ISTBAR:

    "September 22, 2003

    This threat can be detected only by Symantec products that support expanded threats.

    Adware.Istbar is an adware component, which does one or more of the following:

    Installs an Internet Explorer toolbar
    Acts as a Home page and search hijacker
    Pops up advertisements, often pornographic in nature

    Symptoms

    The existence of the file: C:\Program Files\ISTsvc\ISTsvc.exe.

    The files are detected as Adware.Istbar.

    Transmission
    Various distribution channels exist. For example, Adware.Istbar can be downloaded and installed from affiliate sites, typically pornographic in nature."

    =+=+=+=+=+=+=+

    Now I understand that labeling adware/spyware as a trojan can open them up to legal action. I can't seem to find any info on exactly which products support expanded threats and how to be sure this feature is activated.