05.Jun.2000
Jan Andersen via email
|
VirusHelp Denmark: TCP trojan on the run
The coder of "SAFE" Zbigniew `Zeeball` Trzcionkowski has informed VirusHelp
Denmark that some new TCP-trojans are on the run:
Organization: Virus Help Denmark
From: "Jan Andersen" vht-dk@post4.tele.dk
Date: Mon, 5 Jun 2000 08:29:40 +0200
Subject: [vht-dk] TCP Trojan's on the wild
Hi All....
Today we recived information from Zbigniew `Zeeball` Trzcionkowski the
programmer of "SAFE", that there is some new TCP trojan on the loose.
Please read the text that Zbigniew wrote:
;---------------------------------------------------------------------
TCP:4097 remote shell
and
LIBS:rexxfifo.library size: 1136
If You have such then please:
- delete this fake library
- repalce fake LoadWB with the original one
- reboot
The fake LoadWB don`t have $VER string, but to confuse user it have
size and parts of file from the original LoadWB v38.9.
The trojan is fake LoadWB that decrypts and executes rexxfifo.library
which hides original LoadWB also remote shell is opened - TCP:4097.
Installer: (faked YAM?)
Please wait to xvs.library will be updated to remove this in easy way.
;---------------------------------------------------------------------
;---------------------------------------------------------------------
TCP:2421 remote shell
...and maybe several infected files.
Yes. There is another link-virus. The memory patch is detected as
STD Vaginitis #1 and removed correctly by xvs.library.
The infected files aren`t.
The virus is changed only little bit and is almost same as Fungus
or Vaginitis. Even static crypt key ($DEAD) is same.
Installer: jizzer size: 15368
attacks C:mount as first (adds 700 bytes with virus)
Wait for xvs.library to be updated. To see infected files
look into Safe/VaginitisClone dir of this Safe release!
I wasn`t able to spread this virus to testfiles,
so maybe this is only used to infect c:mount,
so after analyzes of disassembly i`ll be able to say why.
;---------------------------------------------------------------------
;---------------------------------------------------------------------
TCP: 2001 remote shell
and
fake process called `SetPatch`
and
LIBSi:rexxfunc.library size: 1136
and
L:wb.handler size: 4716
If You have such then please:
- delete those fake library and fake handler,
- replace LoadWB with the original one
- reboot
The fake LoadWB looks like original one, but it is fake.
Installer: `miamispoof` size: 8468
(The file is StoneCracked and then modified to
prevent decrunching)
;---------------------------------------------------------------------
So to be sure please check Your system for:
LIBS:rexxfunc.library size: 1136
LIBS:rexxfifo.library size: 1136
L:wb.handler size: 4716
C:mount (is bigger)
...and wait for new xvs.library from Alex van Niel.
This text is public domain :-)
;---------------------------------------------------------------------
Thanx to Paul for sending the files and to Zbigniew for the text.
The warning from VHT-DK is atthaced to this email, please spread
the warning as much as you can...... ( Thanx).....
Kind Regards.....
Jan Andersen
Virus Help Denmark
vht-dk@post4.tele.dk
http://www.vht-dk.dk
[News message: 05. Jun. 2000, 08:00] [Comments: 0]
[Send via e-mail] [Print version] [ASCII version]
|