www.elitec0ders.Net up to no good?

**halv** · April 18th, 2005, 05:25 PM

Did you actually look at the code or are you just 'confident' that nothing has changed ? With a site like yours, I would not be so sure that nobody has tried to break into it and mess with stuff.

enjoy

~Halv

**br0nd** · April 19th, 2005, 05:43 AM

yes i looked in to it , it seems oke , just have a look ,

http://www.virustotal.com/ says this

AntiVir 6.30.0.7 04.18.2005 TR/PSW.Prostor.A
AVG 718 04.19.2005 no virus found
BitDefender 7.0 04.19.2005 Trojan.PWS.Prostor.A
ClamAV devel-20050307 04.19.2005 no virus found
DrWeb 4.32b 04.18.2005 Trojan.PWS.Prostor
eTrust-Iris 7.1.194.0 04.19.2005 no virus found
eTrust-Vet 11.7.0.0 04.18.2005 no virus found
Fortinet 2.51 04.19.2005 W32/Prostor.A-tr
F-Prot 3.16b 04.19.2005 security risk named W32/Prostor.A@pws
Ikarus 2.32 04.19.2005 Trojan.PSW.Prostor.A
Kaspersky 4.0.2.24 04.19.2005 Trojan-PSW.Win32.Prostor.a
McAfee 4471 04.18.2005 BackDoor-CMZ
NOD32v2 1.1069 04.19.2005 Win32/PSW.Prostor.A
Norman 5.70.10 04.18.2005 no virus found
Panda 8.02.00 04.19.2005 Trojan Horse
Sybari 7.5.1314 04.19.2005 Trojan-PSW.Win32.Prostor.a
Symantec 8.0 04.18.2005 PWSteal.Refest
VBA32 3.10.3 04.18.2005 no virus found

Troj/Prostor-A is a password-stealing Trojan.

When run, Troj/Prostor-A attempts to steal passwords saved in Outlook Express, Internet Explorer and MSN Explorer.

Stolen information is displayed onscreen or saved to a file on the local machine.

http://www.sophos.com/virusinfo/anal...jprostora.html

PSGUI.EXE - infected by Trojan-PSW.Win32.Prostor.a
http://www.kaspersky.com/scanforvirus

only symantic saying bullshit lol , well dont know ,may be the author of that backdoor using my source?? may be ..

**nihil** · April 19th, 2005, 09:13 AM

Hmmm,

Perhaps this is the answer:

http://www3.ca.com/securityadvisor/p...x?id=453089162

The two executables have exactly the same name in the prostor-a trojan. Given that the purpose is to display protected storage passwords, it would be reasonable to expect something like this in password stealing trojans?

Looks like a bit of code theft to me

Incidentally RAV detects both files as Trojan Spy:Win32/Small.AF

A-squared only detects the 4Kb file, and thinks that it is Prostor-A

I suspect it is a partial detection situation, a bit like droppers and packagers being recognised, even if the actual malware is not?

The actual files do look too small for a fully blown password stealing trojan?

Cheers

**br0nd** · April 19th, 2005, 09:40 AM

>The actual files do look too small for a fully blown password stealing trojan?

http://securityresponse.symantec.com...al.refest.html

PWSteal.Refest is a Trojan Horse that installs itself as a BHO (Browser Helper Object) for Internet Explorer and steals online banking information when it is submitted in web forms.

Type: Trojan Horse
Infection Length: 81,920 (.exe), 45,056 (.dll)

and ps.exe psgui.exe is just 4 kb 15kb somthing ...

**nihil** · April 19th, 2005, 11:06 AM

Yes, Symantec certainly seem to be giving a false positive there. What they are describing does not even work in the same way and is much larger.

RAV are doing the same, their one (small.AF) is a java script downloader. It should be detected by Kaspersky, Antivir and BitDefender, and was not.

I can understand the Prostor-A detection (which was the majority opinion) as it looks like this code has been used in it? certainly the executables have the same names.

**ikalo** · April 20th, 2005, 12:25 PM

br0nd:

did you try to contact AV companies that detect your program as virus? Maybie they could fix their virus defs so your program is not false detected.

**br0nd** · April 20th, 2005, 02:06 PM

lol no need, let them show anything , it is ther problam , not my hehe

**halv** · April 20th, 2005, 02:28 PM

br0nd,

most people who use computers beyond email and the internet will be concerned about this if they wanted to use your software. There is an implicit 'trust' that must be built. By starting out with even a hint of malicious software then you lose that trust and it takes a LOT of time to regain that from communities such as these.

This may not mean much to you now, but in the future it may.

If nihil's research is correct then you should change the name of your .exe when it get compiled and then see if it gets flagged as viri or not.

By contacting the AV companies, you are taking a proactive step. They can post a note to their virus definitions part of their web site explaining that there is a chance of a false positive (as your are claiming with your software).

~Halv

***Maestr0*** · April 21st, 2005, 05:17 AM

So, let me get this straight..... You downloaded a file that.... well, basically it
STEALS PASSWORDS. And now you're freaked out because Symantec thinks that this file
STEALS PASSWORDS. Hmmmm.

Seriously, think about it. Symantec will quarantine Foundstone tools and countless others (You've never seen this before?) because if you DONT know what the program is doing on your machine, its probably not good. If you downloaded it and you know that its used to STEAL PASSWORDS, what the hell is the problem?

PS. I ran them both, they did not attempt to add any registry keys.
PPS. I also doubt its based on the filename, but on the methods and behavior of the file. I think Symantec is correct in detecting this behavior as potentially malicious, because potentially IT IS.

-Maestr0

**ZT3000** · April 21st, 2005, 06:10 AM

Downloaded the same file, same place as IronGeek.

Panda Antivirus told me, both Trojan and Virus was contained within the zip file (both .exe files), not disinfectable.

That's all I need to know. Why mess with it?

Thread: www.elitec0ders.Net up to no good?

Thread Tools

Display

Posting Permissions