November 14th, 2004, 11:20 AM
found a trojan / virus which my AV doesn't detect
i was looking for a crack for a certain program, this was not to use a program illegally, but to learn how it works (since i was not able to crack it myself)..
by this search i came across http://resource.crack-cd.com , when you press any of those links you will receive a program called assassin-254.exe. as curious as i am i ran the program. after 1 minute the program started to connect to www.dalexcars.com at port 80. When it is connected it downloads the following files to your C:\DOCUME~1\<current user>\LOCALS~1\Temp\ directory:
if all works fine, it closes the connection, starts the above programs and terminates itself.
i have found that http://resource.crack-cd.com has the following link in their pages: http://china.dalexcars.com/assassin.html , this is where they get the program from.
unfortunately both of the downloaded programs were not downloaded correctly, they both have a size of 0 kb, otherwise i would have had more info on what these programs do.
i have done a whois on both sites and i have found that they both have the
same registration service, although they both have a different administrative contact.
i will send an email with this information to the address given for abuse, but what i would like to know, how can i make this program be known at AV programs?
if anyone would like to know more about this program, then follow this link, this is the link to the zip-file i have created which contains the program itself, both downloaded programs, a textfile with the explaination of what the program does, and the disassembled file from the original program.
i have made this announcement so that people who read this can take care of themselves and NOT run this program, since it can't be trusted!
November 14th, 2004, 03:59 PM
Kaspersky identifies Assassin as a trojan downloader.Win32.Inservice.i. Nod identifies it as the same trojan. Neither Norton or McAfee have a definition for it yet.
Most AV's don't detect trojans.
November 14th, 2004, 04:45 PM
Maybe. I use AVG which is not known to be the best AV out there but it still detects trojans about 60% of the time. When it comes to getting rid of them tho.....then it's like 30%. What's really funny is that adaware detects trojans more often than AVG, lol. Is there a decent trojan detection and removal tool besides swat-it?
Most AV's don't detect trojans.
November 14th, 2004, 04:49 PM
I am now using A-Squared (sorry can't produce the little squared symbol). It is a free one also from:http://www.emsisoft.com/en/software/free/
Seems to do ok and on a par with Swatit....but much faster.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
November 14th, 2004, 09:02 PM
well, the story continues... i've tried mailing the provider, but the mail address does not exist!
as for my AV, i'm using AVG 6.0 free edition fully updated, and yes, most of the times it DOES recognize trojans, but not this time
i'm glad i am also running kerio which pointed me to the fact that this trojan wanted to create an outgoing connection, otherwise i would have reinstalled my system
November 14th, 2004, 09:32 PM
I recently had a run-in with something like windows.crack-cd.com and yes, it did try to download the assassin trojan (i guess it was firefox that asked if I wanted to install it, to which i said no). Looks like all sub-domains of crack-cd.com probably try to infect the machines that visit the site.
As for trojan detection/removal tools, I have used "The Cleaner" twice at work. It found what I wanted it to find, but I've not used it enough to say if it's a must buy.
Quick note: No, I was not looking for pirated copies of xp or stuff like that. I just installed xp-home using my sp2 slip-streamed unassisted disc onto a friend's computer. I forgot that I had my cd-key hard coded into the install and I needed to find a way to change the key to the correct one (at the time I had forgotten about the call-in activation method, which worked when I changed the key).
You are so bored that you are reading my signature?
November 15th, 2004, 06:42 AM
try http://www.virustotal.com next time. It runs the virus through multiple virus scanners. It is quite useful for "new" malware.