WD - not detecting Trojan-Clicker.Win32.Agent.jh

  • Thread starter Thread starter emagon4523
  • Start date Start date
E

emagon4523

greetings - new to this group and windows defender.
i'm not sure if this is the correct newsgroup but reading posts in here it
seems like similar posts can be found.

i'm looking at deploying Windows Defender to desktops in a small company as
a free virus/malware detector. i only want something that detects an
infection, i don't need a cleaner. when i discover a system is infected i
wipe it and re-image with a clean os.

i've used spybot, adaware, avg, trend, norton, etc. for years and they all
seem to have their good/bad. windows defender seems to be fairly unobtrusive
and has yet to cause any conflicts with applications. so that and
considering it is free and made by the same folks that created the OS it
seems like it could be a potential solution. the software explorer feature
is a great tool to analyze the system.

so i have installed it and have been beta testing it. i have a system that
is exhibiting spyware infected behavior so i ran defender with the latest
definition it has (4/4/07 1.17.2437.5) and it failed to detect the following
infection:

C:\WINDOWS\Temp\svcipa.exe Infected: Trojan-Clicker.Win32.Agent.jh


But this was detected by the KAPERSKY on-line scan and the Windows Live
OneCare.

i don't expect any scanner to be 100% but that file is in a pretty obvious
location (c:\windows\temp) and according to this site
http://www.sophos.com/virusinfo/analyses/trojdagonitb.html and some other
research i did this this Trojan has been around since 2005/2006 so it's not
something new.

is that something you would have expected WD to detect?
 
Hello emagon4523,

Usually Trojans are detected by Anti-virus, WD detected primary Spyware
and others malware.

Еиçеl
 
I don't know exactly how Microsoft draws the line between viruses and
spyware, but there is one. Windows Defender both defends against and cleans
up spyware infections. It isn't an antivirus. Microsoft has several
antivirus products--Windows Live OneCare is one--and it incorporates Windows
Defender's spyware defenses into one console. The other is Microsoft
Forefront client security, now nearing the end of its public beta stage, I
believe.
 
I was incorrect - Windows LiveOne care did not detect this trojan either.

so more or less this 2+ year old trojan is not detected by Windows Defender
or the LiveOne Care.
that's dissapointing and the reason i don't look to microsoft products to
detect or clean virus or spyware.
all i'm asking is for it to detect it, i'm not going to clean it - i will
wipe the os.

that's all i want - just something that says 'you have a problem'

you'd think microsoft could make a product that at least does that.

LiveOne claims it can but i just proved to myself that it didn't.
 
Where did you find information indicating that OneCare detects a particular
virus?

Have you run the Malicious Software Removal Tool on this system?

I want to submit a malware sample to Microsoft.
Please send your virus, worm, or trojan horse submission to
(e-mail address removed). Send your spyware or other malware submission
to (e-mail address removed).



( I know you didn't ask for that but I like to post it periodically, and
this seems like a back-handed opportunity!)

Some references suggest that you should zip samples, and password protect
them with the password "infected" but I think that this is probably
unnecessary unless there are corporate a/v gateways the message needs to
pass through.

OneCare has passed VirusBulletin's 100% certification in the past, but did
not pass in the most recent such testing. It isn't clear to me whether this
is because of a specific strategy about targetting a specific population of
viruses, or some other reason.

--
 
Sorry for the accidental attachment--it isn't viral--just a left-ove when I
pasted html into a plain text message. Outlook could do this better.

--
 
thanks for replying-

the only verification i have is that i ran LiveOne Care on the system with
this infection in this location:

C:\WINDOWS\Temp\svcipa.exe Infected: Trojan-Clicker.Win32.Agent.jh

and it did not detect it.
the liveone care site is where the claim is made:

"Windows Live OneCare safety scanner is a free service designed to help
ensure the health of your PC."

a.. Check for and remove viruses
b.. Get rid of junk on your hard disk
c.. Improve your PC's performance
so i thought Live OneCare was an on-line all in one 'spyware, virus'
solution vs running Windows defender and the MSRT seperately on the
workstation.

honestly, your average user is not dilligent enough to keep 2 programs
updated and running to protect their pc. people see a product called Windows
Defender that is made by microsoft and they are most likely thinking it's
going to defend thier version of windows completely. i gave it a try and it
didn't detect somethign another piece of software did.

and we haven't even talked 'root kits' here yet.

so IMO 'windows defender' is useless to me now and IMO misleading to folks.
it has a couple of nice features and it's better than nothing. but there
really is no complete software package that can protect your OS. my
protection is to build a clean OS and benchmark it's performance BEFORE i
put it on the internet and then put it on the internet and compare the
benchmarks.

i was hping to use Windows Defender as a type of benchmark tool but it
failed my beta testing.


unfortunately i wiped that system and can't submit the svcipa.exe file to
you now. if i do caome across it again i will submit to that address.

but we should keep on the folks at MS to keep developing this thing, we need
something - it's a jungle out there!.
 
I'm sure you'll hear from Bill on this, but I have a few thoughts as well
and some points that need to be clarified. You should know that the free
Windows Live OneCare Safety Scanner which is what you ran, is a different
product than Windows Live OneCare which is not browser based but a
subscription fee based product that is resident on a subscriber's system.
If you just call it OneCare without mentioning Safety Scanner the common
assumption is your referring to the fee based product.

In regard to the MSRT which only detects and cleans a small subset of
common viral infections...
from http://support.microsoft.com/?kbid=890830
Q7: Is this tool a replacement for an antivirus product?
A7: No. We strongly recommend that you install and use an up-to-date
antivirus product. For more information, visit the following Microsoft
Protect Your PC Web site:
http://www.microsoft.com/athome/security/default.mspx
(http://www.microsoft.com/athome/security/default.mspx)

You actually may have encountered a false positive on your detection, since
Microsoft's AV engine does appear to detect this Trojan as
Trojan:Win32/Zonebac.A. Unfortunately, your detected file is now
unavailable for you to do this comparison yourself, but googling yields
this VirusTotal file analysis for various AV engines done on 3/15/2007.

from:
http://64.233.179.104/translate_c?h...v=/search?q=Win32.Agent.jh+OneCare&hl=en&sa=G

Antivirus Version Update Result
AhnLab-V3 2007.3.21.1 03.21.2007 Win-Trojan/Agent.37234
AntiVir 7.3.1.44 03.21.2007 TR/Agent.37320
Authentium 4.93.8 03.20.2007 W32/Downloader.BFIJ
Avast 4.7.936.0 03.20.2007 Win32:Trojan-gen. {UPX!}
AVG 7.5.0.447 03.21.2007 Downloader.Generic3.VVP
BitDefender 7.2 03.21.2007 Trojan.Clicker.Agent.ND
CAT-QuickHeal 9.00 03.20.2007 TrojanClicker.Agent.jh
ClamAV devel-20070312 03.21.2007 Trojan.Clicker-73
DrWeb 4.33 03.21.2007 Win32.HLLM.Limar
eSafe 7.0.14.0 03.20.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3497 03.21.2007 no virus found
Ewido 4.0 03.21.2007 Hijacker.Agent.jh
FileAdvisor 1 03.21.2007 no virus found
Fortinet 2.85.0.0 03.21.2007 W32/Tibs.gen
F-Prot 4.3.1.45 03.20.2007 W32/Downloader.BFIJ
F-Secure 6.70.13030.0 03.21.2007 Trojan-Clicker.Win32.Agent.jh
Ikarus T3.1.1.3 03.21.2007 Trojan-Proxy.Win32.Horst.ls
Kaspersky 4.0.2.24 03.21.2007 Trojan-Clicker.Win32.Agent.jh
McAfee 4988 03.20.2007 QLowZones-42
Microsoft 1.2306 03.21.2007 Trojan:Win32/Zonebac.A
NOD32v2 2131 03.21.2007 Win32/TrojanDownloader.Agent.AWF
Norman 5.80.02 03.20.2007 W32/DLoader.CFDX
Panda 9.0.0.4 03.20.2007 Trj/Clicker.ZJ
Prevx1 V2 03.21.2007 no virus found
Sophos 4.15.0 03.13.2007 no virus found
Sunbelt 2.2.907.0 03.16.2007 no virus found
Symantec 10 03.21.2007 Trojan.Zonebac
TheHacker 6.1.6.078 03.20.2007 Trojan/Clicker.Agent.jh
UNA 1.83 03.16.2007 TrojanClicker.Win32.Agent.A034
VBA32 3.11.2 03.21.2007 Trojan-Clicker.Win32.Agent.jh
VirusBuster 4.3.7:9 03.20.2007 Trojan.DL.Agent.SPJ
Webwasher-Gateway 6.0.1 03.21.2007 Trojan.Agent.37320
 
It is a jungle out there, and the last Virus bulletin tests of OneCare were
dissappointing.

I know that there is some confusion about whether Windows Defender is an
antivirus. Microsoft has never made such as statement--it has been
developed from the beginning as an antispyware application.

Can you imagine the furor if Microsoft distributed a free antivirus
application?
It would certainly keep the legal system busy, anyway.

In general, the whole point of OneCare and Windows Defender (or even
Microsoft Forefront Client Security)--is that the user need do nothing at
all except keep automatic updates turned on to keep the apps running and
updated.

So--I like the ease of use, and ease of updating, but from an antivirus
perspective, I'm less certain about the level of protection. It seems to me
that Microsoft has everything to lose in this area, so I'd like to think
that they are carefully focussing on stuff which is known to be in the
wild--but I can't tell, and tests such as yours are worriesome.

OneCare does essentially incorporate Windows Defender. It doesn't do
anything in relation to MSRT, but if you have Automatic Updates on, you
should get MSRT every month anyway. And MSRT has the least footprint of any
antivirus product ever (albeit it isn't really an antivirus in the normal
sense of that term.)


--
 
Hmm - better thoughts than mine, I think. I did wonder whether this was the
online scan versus the installed product, but the detection capabilities
should be identical--in fact, for the most current definitions, use of the
online scan is urged--i.e. if you think you have something which is new and
undetected, try the online scanner for the most current definitions.


--
 
too many tools, too confusing.

i should probably state here that i don't really trust any windows based
virus/malware scanner. i'm still a believer in booting to a clean OS and
having that scan the suspect os. i **miss** the days of mcafee boot
floppies. i'm a big fan of BartPE and the UBCD but keeping those up to date
is always an issue. i've really been more or less lost for the last few
years without my clean boot floppies - just looking for something that i can
use.

ideally i'd like to see developers concentrate on USB/CD based bootable
scanners/detectors. that is the only technology that has yet to disappoint
me in this battle against malicious stuff.

i'd actually say the 'software explorer' part of defender should become a
part of the windows OS.
i know there are lots of tools and toys that help you analyze your OS
performance and that should really be the true measure of if your system is
infected or not - because as you can see no software is going to ever detect
anything/everything.

and i was able to come across another system infected with the svcipa.exe -
i sent it to that address you posted.
go ahead and copy it to your system and run these ms scanners and tell me if
it is detected.
 
Back
Top