Trojan Simulator

Author: Mischel Internet Security

Description from the distribution site:

For years you have been able to test your virus scanner with the harmless "Eicar" test file. Using the just released "Trojan Simulator" you can now test your trojan scanner in the same manner, using a harmless demonstration trojan. This is a risk-free way to see how your security software behaves in a real-world situation.

Installation is simple: unzip all of the contained files into any directory. To start, simply double-click TrojanSimulator.exe.

How it works

When you run Trojan Simulator, you will be presented with a screen showing some informational text about Trojan Simulator. Clicking the Install button will install the demo trojan on your system. The demo trojan simulates a real trojan server by hiding its main window and writing an autostart entry to the registry. Clicking the Uninstall button removes the autostart entry from the registry and then unloads the demo trojan server from memory. While the demo trojan is running, you get a chance to observe the behavior of any installed security software.

Technical details

When run with the /install parameter, TSServ.exe loads into memory and adds an autostart entry to the registry. An information dialog will pop up notifying that the demo server was successfully installed along with the path to the server and its process ID. Most trojans don't really present a dialog saying they've successfully installed themselves in your system! (Although many will present a fake error message to make it look like the executable file was corrupt or that some other problem occurred that prevented the file from being run. In reality the trojan server is already running in memory when this dialog is shown.)

When run with the /uninstall parameter, TSServ.exe removes its autostart entry and then unloads all copies of itself from memory. If you run TSServ.exe without any parameters, nothing will happen - the program simply starts and exits.

Ways Trojan Simulator can be detected

When the Trojan Simulator server is installed, it will exist as an active process in memory. It will also have an autostart entry in the system registry. Most virus scanners are not that good at dealing with trojans, so it's likely that your virus scanner, if it detects the Trojan Simulator server, will neither be able to remove the process from memory nor be able to remove the registry entry. Any decent trojan scanner should take care of this if the server is detected.
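The two indicators named above, a live process and an autostart entry, can be checked together by correlating the output of `reg query` on an autostart key with the output of `tasklist /fo csv /nh`. This is an added example, not code from the original page or from Trojan Simulator. The page does not say which autostart key or value name the demo server uses, so the Run key, value names, paths and PIDs in the samples are constructed assumptions.

```python
import csv
import ntpath
import re

# Constructed samples of `reg query <Run key>` and `tasklist /fo csv /nh` output.
# Assumption: the Run key, value names, paths and PIDs are not taken from the page.
REG_SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Demo Server    REG_SZ    C:\Test Tools\TrojanSimulator\TSServ.exe
    Updater    REG_EXPAND_SZ    %ProgramFiles%\Vendor\update.exe /silent
'''
TASKLIST_SAMPLE = '''"OneDrive.exe","5120","Console","1","41,300 K"
"TSServ.exe","4312","Console","1","3,204 K"
'''

VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr)))(?=\s|$)', re.I)

def autostart_entries(reg_text):
    """Yield (key, value_name, command) for every value in `reg query` output."""
    key = None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := VALUE_RE.match(line)) and key:
            yield key, m.group(1), m.group(3).strip()

def running_images(tasklist_text):
    """Map lower-cased image name -> list of PIDs from tasklist CSV output."""
    pids = {}
    for row in csv.reader(tasklist_text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            pids.setdefault(row[0].lower(), []).append(int(row[1]))
    return pids

def correlate(reg_text, tasklist_text, known_good=()):
    """Return autostart entries whose target image is also a live process."""
    live = running_images(tasklist_text)
    hits = []
    for key, name, command in autostart_entries(reg_text):
        m = IMAGE_RE.match(command)
        image = ntpath.basename(m.group(1) or m.group(2)).lower() if m else ""
        if image in live and image not in known_good:
            hits.append({"key": key, "value": name, "image": image, "pids": live[image]})
    return hits

if __name__ == "__main__":
    print(correlate(REG_SAMPLE, TASKLIST_SAMPLE, known_good={"onedrive.exe"}))
```

An entry that is both persistent and running is only a lead for review, which is why the legitimate OneDrive entry matches too unless it is listed in `known_good`.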

The demo trojan server can be detected on the system in the following ways:


TrojanSimulator.zip    321608    TS    Jan 2003    MD5 sum 6a1ac6675073bab8ec61839e1d1434d6

