Found a Trojan (Not)

Posted: Sun Jan 07, 2007 10:50 pm
by BGH
I was posting on another forum about an install that I was doing and a buddy showed me http://www.ultimatebootcd.com/ . It sounds like a top-notch set of tools and I can't wait to add it to my collection. I'm posting here today as an FYI, sort of as a thank you for such great work.


I downloaded UBCD4Win from generalcomputersupport.com and got a
Trojan.PWS.Ras.A

Found it with Bitdefender

Posted: Mon Jan 08, 2007 12:39 am
by Constance
Well, 2 things:
- this website and forum are not affiliated in any way with UBCD4Win
- this may be a false positive... but you're not supposed to download UBCD4Win, you're supposed to build it using the tools provided. I'd recommend downloading from the official website or one of its official mirrors, listed here: http://ubcd4win.com/downloads.htm

Do not trust any other website about this, unless you know it's a website you can trust in general.
You may also compare the md5 hash of the file you already downloaded with the one written on the page I linked to, to check whether your download is ok or corrupted by any means...

See also : http://ubcd4win.com/faq.htm#false

Posted: Mon Jan 08, 2007 1:10 am
by BGH
I wasn't sure if it was a false positive since I couldn't find any information
about the Trojan found.

As for building it, I kind of discovered that after I found a disk image.
Thanks for the response.

Posted: Mon Jan 08, 2007 2:01 am
by Constance
Well, did your anti-virus tell you in which precise file it supposedly found this trojan?
Looks like there is something about this particular "trojan" in their FAQ.

Anyway, I downloaded the file from the website you mentioned and checked the MD5 hash using Hashtab: it seems ok, so the file isn't corrupted.

Posted: Mon Jan 08, 2007 6:06 am
by baronvonfoxbat7734
Due to several of the utilities that are included in UBCD4Win, many times a year several AV vendors accidentally detect trojans and such when there are none. Another thing that pops up is that some files are flagged as hacktools, and some people confuse that for trojans as well. Not that you have, just an info statement.

As Constance mentioned, if in doubt double-check the hash before running it, to make sure it has not been tampered with. If it says exactly which file is offensive, you can upload that file to http://virusscan.jotti.org/ and have it checked against all the other AV vendors out there. Sometimes it is just one that flags the file and sometimes several vendors flag it. It is a good benchmark to test the file.

Posted: Mon Jan 08, 2007 12:15 pm
by BGH
I believe it was a keystroke logger of some kind. I'll see if I can't find some reference to it. I've had false positives before and it's no big deal. What made me curious about this one was that Windows would not delete it to the recycle bin. I had to use the virus software to yank it out.


k:\temp folder\plugin\system-info\information\keyfinderpe\keyfinder.exe infected: Trojan.PWS.Ras.A

I am not a programmer, and what I know about computers can fit into a thimble. By that, I'm saying that I know way more than Forrest Gump, but less than a motivated teenager.

Thanks for the help.

Posted: Mon Jan 08, 2007 12:25 pm
by baronvonfoxbat7734
keyfinder... gotcha. What that nice little tool is all about is simply allowing you to see what product keys are installed for your MS products, and maybe a few others as well. It is not malicious by itself. In the wrong hands (1337 h4x0rz) it can be used to steal the product keys of valid products and post them on warez sites.

Summary, no worries big buddy on that little gem of a file. It is not going to harm you more than M$ already has. ;-)

-=EDIT=-

It can also be used by sysadmins to copy out a product key that someone has lost. For example, if the system is dead and needs to be rebuilt but the Office key is missing, this little tool can get the key to reinstall the Office product back onto the machine. Very handy in those types of situations, which is why it is included.

Posted: Mon Jan 08, 2007 4:23 pm
by BGH
Thank you for the follow-up.
Could someone please put "false alarm" in the thread subject or something, so this wonderful piece of work doesn't get an undeserved bad rep.

:oops:

Posted: Mon Jan 08, 2007 4:59 pm
by BGH
Constance wrote: Well, 2 things:
- this website and forum are not affiliated in any way with UBCD4Win
- this may be a false positive... but you're not supposed to download UBCD4Win, you're supposed to build it using the tools provided. I'd recommend downloading from the official website or one of its official mirrors, listed here: http://ubcd4win.com/downloads.htm

Do not trust any other website about this, unless you know it's a website you can trust in general.
You may also compare the md5 hash of the file you already downloaded with the one written on the page I linked to, to check whether your download is ok or corrupted by any means...

See also : http://ubcd4win.com/faq.htm#false

After doing some reading on one of the links you posted, I realized that the solution was there for me to find. I just didn't look closely enough. Thumbs up, Cola.

Posted: Tue Jan 09, 2007 11:09 am
by Constance
:)
BTW I think you can edit the thread title yourself by editing the first message.