Avast alerted for Trident TPE var 1.4

Hi malware fighters,

While connecting to a similar forum like this Avast one (same type and version) I got an alert for Trident TPE var 1.4 - this is a trojan dropper. I closed the connection when advised by Avast. Later I checked for history.doc, tpe.obj, tpe-gen.com, tpe-gen.obj or tpe-v11.asm; traces of these could not be found.
The forum I visited was scanned as clean by the DrWeb link checker and McAfee SiteAdvisor.
At the same time I was listening to a WinAmp radio stream through my VLC media player.
What vector did Trident TPE var 1.4 use here? Can someone explain? Going to do an extensive A-squared and Ewido-micro scan. Hear from you experts…

polonus

I can think of one guy that says we have none of those here, so your wait may be long :wink:

Anyway, I think TPE is an engine that turns the underlying malware into a polymorphic version. Maybe if you can identify the underlying trojan it will make more sense.

EDIT:

Here’s a link that may interest you

http://www.awprofessional.com/articles/article.asp?p=366890&seqNum=5&rl=1

MtE was quickly followed by many similar engines, such as TPE (Trident Polymorphic Engine), written by Masouf Khafir in Holland in 1993.

Today, hundreds of polymorphic engines are known. Most of these engines were only used to create a couple of viruses. After a polymorphic decryptor can be detected, using it becomes a disadvantage to virus writers because any new viruses are covered by the same detection. Such detections, however, usually come with the price of several false positives and false negatives. More reliable techniques detect and recognize the virus body itself.

This opens up the possibility for virus writers to use the same polymorphic engine in many different viruses successfully unless such viruses are handled with heuristic or generic detection methods.

Hi mauserme.

Did the scanning with a-squared. Ran a complete online scan with the latest Bitdefender. Nothing there.
Performed chkdsk and everything seemed normal. Because this Trident TPE var 1.4 is “an oldie” from 1993, I also checked mem in DOS: conventional 65536 bytes total & 65536 bytes available for DOS. As I disconnected, could it be that the dropper did not materialize, because no traces of history.doc and tpe.obj (part of Trident TPE var 1.4) could be found either? The encrypted object file is connected to an executable file and that is the dropper. That is basically how it works. Most varieties of TPE are rather harmless, only one is dangerous. Can you comment? PS: the chkdsk cluster info said 4096 bytes. Is that standard? Funny that these old polymorphic viruses seem to make a comeback somehow. Or was this a FP?

polonus

Hi Polonus,

A false positive on a forum? No!

http://forum.avast.com/index.php?topic=18914.0

Hi FwF,

That is what I thought, because the alert came when I connected to madamemmastent.smfforfree !
I was going there with PocketFlock on a 1 GB USB stick (that has not been removed from the USB hub for over three months). NoScript on. At that moment Avast alerted on the connection as Trident TPE var 1.4, and I did what it said in the window: disconnect. Went to the forum site again today, nothing there.
These are the results of DrWeb’s av link checker: File size: 53946 bytes

index.php%3ftopic=41.msg359 - archive HTML

index.php%3ftopic=41.msg359/JavaScript.0 - OK
index.php%3ftopic=41.msg359/Script.1 - OK
index.php%3ftopic=41.msg359/JavaScript.2 - OK
index.php%3ftopic=41.msg359/JavaScript.3 - OK
index.php%3ftopic=41.msg359/Script.4 - OK
index.php%3ftopic=41.msg359 - OK

So what happened here? I tend to think of a FP! Because something must have physically put the TPE object onto my system. Right? Makes me wonder.

polonus

Me too.

Unless some script kiddie is trying to flex his pubescent muscles a bit it seems like TPE is virtually useless these days.