amiga-news DEUTSCHE VERSION
.
Links| Forums| Comments| Report news
.
Chat| Polls| Newsticker| Archive
.

[Login] [Register] [Forgot your password?]

< Next messagePrior message >
05.Jun.2000
Jan Andersen via email


VirusHelp Denmark: TCP trojan on the run
The coder of "SAFE" Zbigniew `Zeeball` Trzcionkowski has informed VirusHelp Denmark that some new TCP-trojans are on the run:

Organization: Virus Help Denmark
From: "Jan Andersen" vht-dk@post4.tele.dk
Date: Mon, 5 Jun 2000 08:29:40 +0200
Subject: [vht-dk] TCP Trojan's on the wild

 Hi All....

 Today we recived information from Zbigniew `Zeeball` Trzcionkowski the
 programmer of "SAFE", that there is some new TCP trojan on the loose.
 Please read the text that Zbigniew wrote:

 ;---------------------------------------------------------------------
 TCP:4097 remote shell

 and

 LIBS:rexxfifo.library size: 1136

 If You have such then please:

 - delete this fake library
 - repalce fake LoadWB with the original one
 - reboot

 The fake LoadWB don`t have $VER string, but to confuse user it have
 size and parts of file from the original LoadWB v38.9.

 The trojan is fake LoadWB that decrypts and executes rexxfifo.library
 which hides original LoadWB also remote shell is opened - TCP:4097.

 Installer: (faked YAM?)

 Please wait to xvs.library will be updated to remove this in easy way.
 ;---------------------------------------------------------------------


 ;---------------------------------------------------------------------
 TCP:2421 remote shell

 ...and maybe several infected files.

 Yes. There is another link-virus. The memory patch is detected as
 STD Vaginitis #1 and removed correctly by xvs.library.
 The infected files aren`t.
 The virus is changed only little bit and is almost same as Fungus
 or Vaginitis. Even static crypt key ($DEAD) is same.

 Installer: jizzer size: 15368

           attacks C:mount as first (adds 700 bytes with virus)


 Wait for xvs.library to be updated. To see infected files
 look into Safe/VaginitisClone dir of this Safe release!
 I wasn`t able to spread this virus to testfiles,
 so maybe this is only used to infect c:mount,
 so after analyzes of disassembly i`ll be able to say why.
 ;---------------------------------------------------------------------


 ;---------------------------------------------------------------------
 TCP: 2001 remote shell

 and

 fake process called `SetPatch`

 and

 LIBSi:rexxfunc.library size: 1136

 and

 L:wb.handler  size: 4716


 If You have such then please:

 - delete those fake library and fake handler,
 - replace LoadWB with the original one
 - reboot

 The fake LoadWB looks like original one, but it is fake.

 Installer: `miamispoof` size: 8468
            (The file is StoneCracked and then modified to
            prevent decrunching)
 ;---------------------------------------------------------------------


 So to be sure please check Your system for:

 LIBS:rexxfunc.library size: 1136
 LIBS:rexxfifo.library size: 1136
 L:wb.handler  size: 4716
 C:mount                (is bigger)

 ...and wait for new xvs.library from Alex van Niel.


 This text is public domain :-)

 ;---------------------------------------------------------------------

 Thanx to Paul for sending the files and to Zbigniew for the text.

 The warning from VHT-DK is atthaced to this email, please spread
the warning as much as you can...... ( Thanx).....

 Kind Regards.....

Jan Andersen
Virus Help Denmark
vht-dk@post4.tele.dk
http://www.vht-dk.dk


[News message: 05. Jun. 2000, 08:00] [Comments: 0]
[Send via e-mail]  [Print version]  [ASCII version]
< Next messagePrior message >

.
Masthead | Privacy policy | Netiquette | Advertising | Contact
Copyright © 1998-2024 by amiga-news.de - all rights reserved.
.