
Question about TeaTimer



tomdkat
2010-04-05, 23:18
I currently run Spybot 1.6.2 w/ TeaTimer enabled on a Windows 2000 system I use for testing.

My Windows 2000 installation recently (and INTENTIONALLY) got infected with "AntiVirus Soft" and was able to get it removed with Malwarebytes.

Before running Malwarebytes, I ran a Spybot scan and it detected "Fake.Sysguard". It removed the registry entry and subsequent Spybot scans were clean.

In the TeaTimer log, I see where the malware added its registry entries without problem.

My question: if Spybot was able to detect this malware as "Fake.Sysguard", why didn't TeaTimer block it from updating the registry?

Thanks!

Peace...

Matt
2010-04-05, 23:21
Hi tomdkat,

Was Spybot able to remove this Rogue or only parts of it?

Can you send me a PM where you downloaded the installer for this Rogue? :thanks:

tomdkat
2010-04-06, 00:25
Spybot removed part of it. I'll send you a PM with the requested info. :)

Peace...

Matt
2010-04-06, 10:24
Spybot removed part of it. I'll send you a PM with the requested info. :)
Thank you for your PMs. :thanks: I will analyse this Rogue on my virtual machine. ;)

This seems to be a new variant of "Fraud.Sysguard". Well, I've already sent Team Spybot some detection rules against this Rogue on the weekend. But I'll try to send them some samples as well. ;)

tomdkat
2010-04-06, 18:10
Thanks! :)

So, if this is a new variant of "Fraud.Sysguard" is that why TeaTimer didn't block the installer from updating the registry, in the first place?

When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates so I'm a bit confused.

Peace...

Matt
2010-04-06, 20:08
So, if this is a new variant of "Fraud.Sysguard" is that why TeaTimer didn't block the installer from updating the registry, in the first place?
Yeah, that could be a reason. When Spybot has this new variant in its database (tomorrow or next week), TeaTimer should also block it or give out a message.



When the malware was installing itself, TeaTimer didn't prompt me to allow or deny the registry updates so I'm a bit confused.
Right click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message? ;)

tomdkat
2010-04-18, 19:19
Right click on the TeaTimer icon and choose "paranoid mode". Does TeaTimer now give out a message? ;)

I enabled "Paranoid mode" and attempted to install another rogue security app and TeaTimer did notify me of a blocked process that was trying to update the registry (I believe). It even mentioned the name of the threat in the popup. :)

The rogue app was blocked from being fully installed. :)

Peace...