Event ID - 3410

Port No: 3410
Service Name: OptixPro
RFC Doc: 0
Protocol: TCP
Description: Like Optix Lite, the Pro version has a security-program terminator feature that, when enabled, closes all popular security programs every 60 seconds (Optix Lite cycled every 45 seconds). TDS-3 detects Optix Pro with precision scanning techniques and advanced routines such as the critical Process Memory Space scan. TDS-3 also has specific file-scanning routines that target Optix Pro, so it would be extremely difficult (and probably not worth the attacker's effort) to infect a TDS-3 system with all protection enabled, even with heavily modified Optix Pro servers. TDS-3 Execution Protection uses these signatures to block the execution of Optix Pro servers, preventing the infection from occurring in the first place.
In the unlikely event that a TDS-3 protected system is infected, users can rename TDS-3.EXE and launch the renamed copy: the trojan terminates processes by matching hard-coded file names, so a renamed executable is not recognised. Even a completely unknown trojan with this process-killing ability can be detected with the Process Memory Space scan, because TDS-3 looks for such suspicious process-terminating characteristics.
Attack Name: OptixPro

Firewall and antivirus killing - The trojan contains 209 process names (or, in special cases, registry keys*) hard-coded into the server file, covering all well known (and some not so well known) anti-virus programs, anti-trojan programs, firewalls and process viewers/monitors. If the option to kill these programs is enabled, the user's defences are killed when the trojan executes, and every 60 seconds the trojan checks the process list again for any of those names. In effect, every security program known to the trojan (the 209 names correspond to an estimated 80 distinct programs) can be shut down and cannot be run again, because the trojan will recognise it in the next scan 60 seconds later.

*In some cases a process cannot be terminated. In that case the trojan deletes the registry key that loads the program at startup, and there is an option to then force the PC to reboot.

Removal instructions for an infected system - Rename the files of your main security programs (e.g. TDS-3.EXE) so that the trojan's hard-coded kill list no longer matches them, then use the renamed program to kill the server. Stay offline while you do this. Run a Process File scan and TDS should detect Optix Pro, even if modified; if this fails, the Process Memory scan will detect the server. To disinfect, Kill and Delete the process. Then run a trace scan to find the leftover files and possibly a registry entry. Check whether a file wmmiexe.exe exists in the Windows folder; if it does, the trojan has changed the registry association for EXE files and you will need to restore it. DiamondCS Support can help by sending a registry file that fixes the association for EXE files (cleanrun.reg).
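The two passages above (the 60-second kill loop with its registry fallback, and the rename-the-executable countermeasure) both rest on one detail: the trojan matches processes against a hard-coded list of file names. The following Python model is an added example, not DiamondCS/TDS-3 code and not the trojan's code; the kill-list names, the process list and the termination log are constructed for illustration (the real 209-entry list is not reproduced on the page). It shows why a renamed TDS-3.EXE survives the kill pass, how the "delete the startup key and reboot" fallback behaves for a process that cannot be terminated, and a defender-side heuristic that flags a security tool being killed at a fixed cadence, which catches the loop even when the killer is an unknown, modified binary.

```python
"""Added model of the hard-coded-name process killer described above, with
two defender-side checks built on it. Not DiamondCS/TDS-3 code and not the
trojan's code; the kill-list names and the termination log are constructed."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the 209-entry list (the real list is not reproduced
# on the page). Matching is on the bare file name, case-insensitively.
KILL_LIST: Set[str] = {"tds-3.exe", "zonealarm.exe", "avp.exe", "taskmgr.exe"}
SCAN_PERIOD_S = 60   # Optix Pro; Optix Lite used 45


@dataclass
class Proc:
    pid: int
    image: str                       # full path of the executable
    killable: bool = True            # False models a process that survives termination
    run_key: Optional[str] = None    # startup (Run) value that launches it, if any


@dataclass
class Registry:
    run_keys: Set[str] = field(default_factory=set)


def matches_kill_list(image: str) -> bool:
    """Exact match on the image file name. This is why renaming TDS-3.EXE
    works: 'tds-3x.exe' is simply not in the list."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    return name in KILL_LIST


def kill_cycle(procs: List[Proc], registry: Registry) -> Tuple[List[int], List[str], bool]:
    """One pass of the 60-second loop. Returns (pids killed, Run keys deleted,
    reboot wanted). The registry fallback is the footnoted special case."""
    killed: List[int] = []
    deleted: List[str] = []
    for p in procs:
        if not matches_kill_list(p.image):
            continue
        if p.killable:
            killed.append(p.pid)
        elif p.run_key is not None and p.run_key in registry.run_keys:
            registry.run_keys.discard(p.run_key)
            deleted.append(p.run_key)
    return killed, deleted, bool(deleted)


def rename_evasion_demo() -> Dict[str, object]:
    """Original TDS-3.EXE is killed; the renamed copy survives; an unkillable
    firewall loses its startup key and a reboot is requested."""
    procs = [
        Proc(100, r"C:\TDS3\TDS-3.EXE"),
        Proc(101, r"C:\TDS3\TDS-3X.EXE"),          # the renamed copy
        Proc(102, r"C:\FW\ZoneAlarm.exe", killable=False, run_key="ZoneAlarm"),
    ]
    reg = Registry({"ZoneAlarm", "Shell"})
    killed, deleted, reboot = kill_cycle(procs, reg)
    survivors = sorted(p.pid for p in procs if p.pid not in killed)
    return {"killed": killed, "survivors": survivors, "deleted_keys": deleted,
            "reboot": reboot, "remaining_keys": sorted(reg.run_keys)}


# Constructed process-termination log: (seconds since boot, image name).
# The tell is the same security tool dying at SCAN_PERIOD_S intervals.
TERMINATION_LOG: List[Tuple[int, str]] = [
    (5, "TDS-3.EXE"), (7, "ZoneAlarm.exe"), (65, "tds-3.exe"), (125, "TDS-3.EXE"),
    (130, "notepad.exe"), (185, "tds-3.exe"), (400, "notepad.exe"),
]


def periodic_kills(log: List[Tuple[int, str]], period: int = SCAN_PERIOD_S,
                   tolerance: int = 3, min_gaps: int = 2) -> Dict[str, int]:
    """Flag image names terminated repeatedly with gaps of period +/- tolerance
    seconds; returns name -> number of periodic gaps. Detects the loop even
    when the killer itself is an unknown, renamed binary."""
    times: Dict[str, List[int]] = {}
    for t, name in log:
        times.setdefault(name.lower(), []).append(t)
    flagged: Dict[str, int] = {}
    for name, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        hits = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if hits >= min_gaps:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    print(rename_evasion_demo())
    print(periodic_kills(TERMINATION_LOG))
```

Running the block kills pid 100 (the original TDS-3.EXE) but leaves pid 101 (TDS-3X.EXE) alone, strips the ZoneAlarm startup value and asks for a reboot, and the log heuristic flags tds-3.exe with three 60-second gaps while ignoring notepad.exe. Setting `period=45` (the Optix Lite cadence) flags nothing in this log, which is the point of keeping the period a parameter: the name list is cheap for the attacker to change, the timing loop much less so.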
