Vinzenz Feenstra’s WebLog

August 7, 2006

How to remove Trojan.Downloader.uj

by Vinzenz Feenstra @ 3:23 pm. Filed under News, Downloads, Articles, Security, Tutorials

I have previous posted about the Windows threat ‘Trojan.downloader.uj’ and that I have build a removal help tool for it.

I think it would be best for all if I post here some removal steps for this special threat which is really tricky, since it is a trojan but uses userland rootkit techniques.

Here are the steps:

  1. Download the file "rmdlagentuj.exe" from following location: http://fileserver.ewido.net/public.cgi?id=20845
  2. Execute the file "rmdlagentuj.exe" if it was successful you will get a message dialog where you will be asked to reboot
  3. Reboot your computer (Important!)
  4. Execute a complete system scan with ewido anti-spyware 4.0 ( http://www.ewido.net )

Or you can try Grisoft AVG Anti-Rootkit Beta 1.0.0.13, but be careful it is a beta!
Thats’s all the threat should be removed now.

Aliases for this threat are:

Antivirus Alias
AntiVir TR/Dldr.Agent.uj.1
Authentium W32/Downloader.LTB
Avast Win32:Agent-IU
AVG Downloader.Agent.BAH
BitDefender Trojan.Downloader.FFZ
CAT-QuickHeal TrojanDownloader.Agent.uj
ClamAV Trojan.Downloader.Agent-262
DrWeb Trojan.DownLoader.4316
eTrust-InoculateIT Win32/SillyDL.51200!Trojan
eTrust-Vet Win32/Alureon.Y
Ewido Downloader.Agent.uj
Fortinet RuinDl.G!tr
F-Prot security risk named W32/Downloader.LTB
F-Prot4 W32/Downloader.LTB
Ikarus Trojan-Downloader.Win32.Agent.uj
Kaspersky Trojan-Downloader.Win32.Agent.uj
McAfee Downloader-ASI
Microsoft TrojanDownloader:Win32/Agent.RR
NOD32v2 a variant of Win32/Small.FB
Norman W32/DLoader.NNL
Panda Trj/Ruins.MB
Sophos Troj/RuinDl-G
Symantec Downloader
TheHacker Trojan/Downloader.Agent.uj
UNA TrojanDownloader.Win32.Agent.68D6
VBA32 Trojan.DownLoader.4316

I hope this is helpful.

Regards,

Vinzenz Feenstra



Tags: , , , , , , ,

August 5, 2006

Should we be scared about future rootkits?

by Vinzenz Feenstra @ 11:36 am. Filed under News, Articles, Security

I was reading  blog entry of Joanna Rutkowska, a really smart and good looking (*fg*) expert in security and rootkits from Poland, and I was really asking myself, should we be scared about rootkits in the future? To give you a short answer: Yes we should!

Ok of course such rootkit can maybe be blocked before they’re installed or while it tries to installs itself or any other malware tries to install it. I am reading about the technology and the evolution of the knowledge in this area for a while and I need to say that it is really scary how fast the evolution moves forward.

Last year I was reading something about DKOM (Direct Kernel Object Manipulation), after thinking about the concept I was sure something like this is comparative easy to detect. Also hooking SSDT, IAT, EAT or using Inline Hooks (Detours) is almost harmless if you know how to get rid of it (see my previous post Trojan.Downloader.uj which is about an userland rootkit)

Anyway this year, only about 6 months later I read something which really scared me. joanna Rutkowska held some presentations about rootkits again and there she demonstrated a rootkit she is calling ‘deepdoor’. After taking a look at what she can do with this threat I was really asking myself how should you detect something like this. Ok there will be some smart guy who will be abled to detect (I am sure there will be one!). But now (ok it was already in June, but it doesn’t matter) she is writing about ‘Blue Pill’. Think about this: You are running VMWare on your computer and host another windows in there. This no great deal, that’s right but what would you say if somebody tells you that you’re hosting VMWare already in a virtual environment?

Huh? That’s really scary. And I must admit that using the name ‘Blue Pill’ is a really good choosen name.

I am right in the beginning in understanding how malware works and how it can be detected and removed but if I read something like this I am really asking myself how should we prevent ourselves from such threats?

I hope that we will be abled to have an idea how to get a ‘Red Pill’ for such threats and are abled to remove or at least to warn the users about such a threat.

Further reading about this subject you can find at:

Edit: (8th August 2006) I found another really interesting blog entry about this at http://www.ryanpmanning.com/?p=56

Be aware! Be scared!
Regards,
Vinzenz Feenstra



Tags: , , , , , ,

July 9, 2006

The ewido anti-spyware 4.0 final was released

by Vinzenz Feenstra @ 3:43 am. Filed under News, Articles, Security, ewido

Hey guys,

First of all I must admit that this is not really a brand new news but ewido anti-spyware 4.0 is somehow my baby although I don’t have developed it from the beginning and I don’t have developed everything, but an huge amount of it.

So I’d like to talk about ewido anti-spyware 4.0 a little bit ;)

Back in July 2005 I have started working as freelancer for ewido networks, the company who has started developing the ewido security suite several years ago. My first job was to implement an autostart analysis module for this version 4.0 and at this time ewido 4 has still the old graphical user interface style. About one month after starting working at ewido networks I was asked to become an employee, that was an overwhelming majority offer for me since I am just a self-educated person who has made an apprenticeship as cook, and becoming an employee as software developer was always my dream. One month later, on September 1st 2005, I was the first official employee of ewido networks and I walked on air :) From this time I have implemented a lot of features, and overhauled almost every code line already exist.

Now back to ewido anti-spyware 4.0 ewido anti-spyware 4.0 was released on the 19th June 2006 and has the following new features:

I think these are a lot of new features. ewido anti-spyware 4.0 can be used for free too, but you won’t have automatic updates, the resident shield and no scheduled scans. And you can try ewido anti-spyware 4.0 now 30 days with all features for free in the trial version. You should take a look at ewido anti-spyware 4.0.

Visit http://www.ewido.net and download ewido anti-spyware 4.0ewido anti-spyware protects you against Spyware like Tracking-Cookies, KeyLoggers etc, Ad-Ware, Trojans, Internet-Worms, Browser-Hijacker and Dialers.

You should really take a look and improve your protection. ewido anti-spyware 4.0 was designed to be used beside existing anti-virus software to improve the protection of the users since anti-virus applications are not protecting you against everything.

And using ewido anti-spyware 4.0 improves the detection rate.

Check out ewido anti-spyware 4.0 :)

Here are somescreenshots:

 ewido anti-spyware 4.0 status screen
ewido anti-spyware 4.0 help file

I know that sounds like an ad but I’m so proud of it.

:)

Regards,

Vinzenz



July 4, 2006

GTKmm Tutorial Part 2

by Vinzenz Feenstra @ 3:48 pm. Filed under Code, Articles, GTKmm, C++, Programming

Hi,

Part two of my german GTKmm Tutorial can be found here

Regards,

Vinzenz



Tags: , , , , ,

GTKmm Tutorial Part 1

by Vinzenz Feenstra @ 3:47 pm. Filed under Code, Articles, GTKmm, C++

Hi,

I’ve written a german GTKmm Tutorial. It is the first of a series and can be viewed here

If you’re looking for an english tutorial please take a look here

Regards,

Vinzenz :)



Tags: , , , ,

archives:

December 2008
M T W T F S S
« Mar    
1234567
891011121314
15161718192021
22232425262728
293031  

internal links:

categories:

Search

other:

Advertisement