D+ Gives A Great Alert About DNS Trojan Dropper Test

I did this test to prove and make a point to Aigle. I had to shut off my trusty NOD32 to run this test, but D+ kicked in and did its job by alerting me twice: once for the explorer.exe alert, and once for the attempt to modify a file. Screen shots don’t lie.

[attachment deleted by admin]

Ok, I see.

1. explorer.exe trying to execute C:\Documents and Settings\Chet\desktop\My Briefcase\DNS_RK_trojan dropper.exe

2. DNS_RK_trojan dropper.exe trying to modify C:\Documents and Settings\Chet\desktop\My Briefcase\DNS_RK_trojan dropper.exe (its own file)

To be clear - I don’t know if CFP passes or not. Your screenshots don’t show anything substantial.
I’ll wait for someone who actually knows what he’s doing.

There’s the first screenshot, which actually shows heuristics working - only I’ve seen many FPs with D+'s heuristics. Heuristics are a good feature, but for this test, …
The 2nd screenshot shows it’s changing its own file…

Do you actually read the alerts?

Thanks for running this test. :-TU

You missed a point. I want to know if you get an alert similar to this or not. This is the main point to test. Please let us know. I will be thankful.

Also, if you don’t mind, I would suggest you post screenshots of only the pop-up alerts, rather than the whole desktop.

Thanks again

[attachment deleted by admin]

A warning alert is a warning alert. What more do you want? D+ shows an alert and warns you if you want it to run or not. I merely showed a screen shot of the warning. After that I selected block. So what if I am posting a complete screen shot? I was also showing you that I shut off my NOD32. In order for me to get an alert such as EQSecure’s, I need to let the dropper run. If I had allowed it I am sure I would have, but I blocked it and was done with the test. If you want me to go further then send me the file again. If I saw an alert like that when I wasn’t testing and got that alert for no reason, you better believe I would block it.

Sorry if I seem like I am being a ■■■■, but honestly, Aigle. You have made some threads here and over at Wilders stating that D+ fails, which is clearly not true. You even put a big red mark through Comodo in your thread at Wilders with a fail next to Comodo. What’s that about? You’re D+ bashing with nothing to back it up. Sure, I may not be as knowledgeable as you when it comes to testing, but my screen shots prove that D+ is working like it should. Maybe not up to your par, but plenty for the average user. I will continue to work with you and run as many tests as you would like me to. BTW, once again I am on XP Home SP3. I change my wallpaper and icons around every week; if you go to the desktop thread under General\Off topics, there you will find how many times I change the way my pc looks. Pretty funny how everyone is fooled and thinks I am on Vista just because I have Vista icons. Stardock gets the credit there. So be sure to tell your buddies over at Wilders that I am on XP, NOT Vista. As a matter of fact, I am going to change my desktop around again, I think.

I believe you dear. No need to stress all this.

I did post you the link again. My threads are not against CFP, but you fail to understand this fact.

Pls let me know the results, all the pop-ups until you get a driver/service install/loading alert. I want to see it indeed.

Thanks a lot!

Not sure if I did this right, but I let the dropper run. It’s labeled as a test. You can see from my Procexp screen shot that the dropper is allowed to run; then after it runs I get an MSI installer showing up, but no D+ alert after that. Is this what you mean? That is as far as it got.

[attachment deleted by admin]

When I run Root Repeal I do not see the driver named "msliksurserv.sys" running.

Hmmmm… the person who gave me this malware told me that it installs a rootkit driver that is detected ONLY by the Root Repeal ARK. EQS shows a driver install but CFP does not.

I need to investigate it more. Thanks for your testing.
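The two posts above disagree about whether the dropper’s driver ever landed on the box, and the thread relies on Root Repeal or GMER to settle it. As an added example (not code from the thread, from Comodo, or from either ARK tool), here is a manual cross-view check a tester can run before reaching for an anti-rootkit: it lists the same driver name from three independent sources (the service registry, WMI, and the driver directory) and reports where the views disagree. The driver name msliksurserv.sys comes from the thread; every path, cmdlet choice and the idea that a mismatch between views is the signal are my assumptions about a reasonable manual check, and a kernel-mode rootkit that hooks the APIs behind all three views can still hide from it.

```powershell
# Added example, not from the original thread. Cross-view check for a driver
# by name. Only the driver name is taken from the thread; the registry path,
# WMI class and comparison logic are this example's assumptions. Written
# against PowerShell 2.0 cmdlets so it also runs on the XP box discussed.
param([string]$DriverName = 'msliksurserv.sys')

$base = [IO.Path]::GetFileNameWithoutExtension($DriverName)
$escaped = [regex]::Escape($DriverName)

# View 1: what the service control manager has on record in the registry.
# Type 1 = kernel driver, Type 2 = file system driver.
$svcView = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.Type -eq 1 -or $_.Type -eq 2 }

# View 2: what WMI reports as system drivers, loaded or not.
$wmiView = Get-WmiObject Win32_SystemDriver

# View 3: driver images actually present in the drivers directory.
$diskView = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter '*.sys' -ErrorAction SilentlyContinue

$inRegistry = $svcView | Where-Object {
    $_.PSChildName -ieq $base -or ($_.ImagePath -and $_.ImagePath -imatch $escaped)
}
$inWmi = $wmiView | Where-Object {
    $_.Name -ieq $base -or ($_.PathName -and $_.PathName -imatch $escaped)
}
$onDisk = $diskView | Where-Object { $_.Name -ieq $DriverName }

$wmiState = $null
if ($inWmi) { $wmiState = ($inWmi | Select-Object -First 1).State }

# Summary for the single driver the tester is hunting.
New-Object PSObject -Property @{
    Driver        = $DriverName
    RegistryEntry = [bool]$inRegistry
    WmiEntry      = [bool]$inWmi
    WmiState      = $wmiState
    FileOnDisk    = [bool]$onDisk
}

# The discrepancies are the interesting part: a service entry with no WMI
# object, or a file on disk with no service entry, is the kind of gap an
# anti-rootkit tool flags. Names present in one view but not the other:
$regNames = @($svcView | ForEach-Object { $_.PSChildName.ToLowerInvariant() })
$wmiNames = @($wmiView | ForEach-Object { $_.Name.ToLowerInvariant() })
Compare-Object -ReferenceObject $regNames -DifferenceObject $wmiNames |
    Select-Object InputObject, SideIndicator
```

Run it from an elevated prompt after letting the dropper execute, and again after the MSI installer finishes, so a driver that is registered late still shows up. A clean result here is weaker evidence than a clean Root Repeal or GMER scan, because those tools read kernel structures directly instead of asking the same APIs a rootkit may have hooked.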

Well, Root Repeal is beta. It’s hard for me to test even when I disable NOD32. As soon as I re-enable NOD32 it cleans and deletes the dropper. Makes me think that this dropper test is an anti-virus test and not a HIPS test. If you have a good AV it will stop the driver from installing, from what I gather.

The only reason D+ never gave me an alert is because the MSI installer never installed anything. It just sat there.

Hi Guys

If you PM me the code, I will get our guys to analyse it and give you a response back.

thanks
Melih

Sent you a PM Melih with a link.

Hi Vettetech! I PMed you a newer sample of it. It’s a complete sample now. Do you get anything like this? Pls do check with Root Repeal or GMER also.

Thanks

[attachment deleted by admin]

Hi, I PMed you two samples; one is new and works perfectly, I think. Pls let us know the results.

Thanks

Thanks, I will.

Melih

Hi Vettetech, did you run the test with the second sample, installer.exe?

Thanks

To be honest, I’m not sure what point this proves, except that Defense+ stopped the execution of the file. Aigle’s screenshots show EQSecure detecting the installation or loading of drivers from the trojan. This behavior-based blocking is completely different from not letting a file run at all. After all, the point is not to stop anything from running, but to know that something exhibits dangerous behavior when it is inadvertently allowed to run. The screenshots don’t lie, but they also don’t say much :)

Your second set of screenshots shows an attempt to “modify a protected file or directory”, just like the second screenshot in your first set of screenshots. But doesn’t modifying a directory just mean writing a file to it, deleting a file in it, or changing a file already in it? All these actions are completely different from allowing a driver to be loaded.

I can sense a lot of tension in this debate, but there need not be any. The real argument is not whether Comodo D+ can stop this trojan (it can easily, by stopping it from running), but whether it can prevent the loading of the trojan’s driver(s) IF it is allowed to run. All we have to do now is await Melih’s response (or a response from someone who has done this test) :)

Please do not post in topics which are outdated. August 2008

Topic Locked

Dennis