amiga-news.de


Zbigniew `Zeeball` Trzcionkowski


Organization: Virus Help Denmark
From: "Jan Andersen" vht-dk@post4.tele.dk
Date: Mon, 5 Jun 2000 08:29:40 +0200
Subject: [vht-dk] TCP Trojans in the wild

 Hi All....

 Today we received information from Zbigniew `Zeeball` Trzcionkowski, the
 programmer of "SAFE", that there are some new TCP trojans on the loose.
 Please read the text that Zbigniew wrote:

 ;---------------------------------------------------------------------
 TCP:4097 remote shell

 and

 LIBS:rexxfifo.library size: 1136

 If you have such, then please:

 - delete this fake library
 - replace the fake LoadWB with the original one
 - reboot

 The fake LoadWB doesn't have a $VER string, but to confuse the user it has
 the size and parts of the file from the original LoadWB v38.9.

 The trojan is a fake LoadWB that decrypts and executes rexxfifo.library,
 which hides the original LoadWB; also a remote shell is opened on TCP:4097.

 Installer: (faked YAM?)

 Please wait until xvs.library is updated to remove this in an easy way.
 ;---------------------------------------------------------------------


 ;---------------------------------------------------------------------
 TCP:2421 remote shell

 ...and maybe several infected files.

 Yes. There is another link virus. The memory patch is detected as
 STD Vaginitis #1 and removed correctly by xvs.library.
 The infected files aren't.
 The virus is changed only a little bit and is almost the same as Fungus
 or Vaginitis. Even the static crypt key ($DEAD) is the same.

 Installer: jizzer size: 15368

           attacks C:mount first (adds 700 bytes with the virus)


 Wait for xvs.library to be updated. To see infected files,
 look into the Safe/VaginitisClone dir of this Safe release!
 I wasn't able to spread this virus to test files,
 so maybe this is only used to infect C:mount;
 after analysis of the disassembly I'll be able to say why.
 ;---------------------------------------------------------------------


 ;---------------------------------------------------------------------
 TCP: 2001 remote shell

 and

 fake process called `SetPatch`

 and

 LIBS:rexxfunc.library size: 1136

 and

 L:wb.handler  size: 4716


 If you have such, then please:

 - delete the fake library and the fake handler,
 - replace LoadWB with the original one
 - reboot

 The fake LoadWB looks like original one, but it is fake.

 Installer: `miamispoof` size: 8468
            (The file is StoneCracked and then modified to
            prevent decrunching)
 ;---------------------------------------------------------------------


 So to be sure, please check your system for:

 LIBS:rexxfunc.library size: 1136
 LIBS:rexxfifo.library size: 1136
 L:wb.handler  size: 4716
 C:mount                (is bigger)

 ...and wait for new xvs.library from Alex van Niel.


 This text is public domain :-)

 ;---------------------------------------------------------------------

 Thanx to Paul for sending the files and to Zbigniew for the text.

 The warning from VHT-DK is attached to this email, please spread
 the warning as much as you can...... ( Thanx).....

 Kind Regards.....

Jan Andersen
Virus Help Denmark
vht-dk@post4.tele.dk
http://www.vht-dk.dk
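Below is an added example, not part of the original mail and not code from SAFE or xvs.library: a small Python sweep that checks a copy of an Amiga system partition for the indicators listed in the warning. It assumes the assigns LIBS:, L: and C: are reachable as plain directories LIBS/, L/ and C/ under one root (for example a mounted hardfile image). It checks the exact file sizes the warning names, flags C:mount if it has grown relative to a known-good reference size the operator supplies (the warning only says it "is bigger" by 700 bytes), and flags a LoadWB that lacks the $VER string. The sample tree it builds is constructed; the reference size 5000 and the version tags in it are made up for the demonstration.

```python
import os
import tempfile
from dataclasses import dataclass

# Indicators quoted in the warning: path relative to the system root
# (Amiga assigns LIBS:, L:, C: are assumed to be plain directories here)
# and the exact file size in bytes the warning names.
EXACT_SIZE_IOCS = {
    "LIBS/rexxfunc.library": 1136,
    "LIBS/rexxfifo.library": 1136,
    "L/wb.handler": 4716,
}

# The link virus "adds 700 bytes" to C:mount according to the warning.
VIRUS_APPEND_BYTES = 700


@dataclass
class Finding:
    path: str
    reason: str


def has_ver_string(path):
    """True if the file carries an AmigaDOS $VER: version tag."""
    with open(path, "rb") as fh:
        return b"$VER:" in fh.read()


def sweep(root, mount_reference_size=None):
    """Return the list of indicators present under root.

    mount_reference_size: size in bytes of a known-good C:mount from the
    same OS release. Assumption: the operator supplies it, because the
    warning only states that the infected file "is bigger".
    """
    findings = []

    # 1. Files whose exact size is given in the warning.
    for rel, size in EXACT_SIZE_IOCS.items():
        full = os.path.join(root, rel)
        if os.path.isfile(full) and os.path.getsize(full) == size:
            findings.append(Finding(rel, f"size {size} matches warning"))

    # 2. C:mount grown relative to a known-good copy.
    mount = os.path.join(root, "C", "mount")
    if mount_reference_size is not None and os.path.isfile(mount):
        actual = os.path.getsize(mount)
        if actual == mount_reference_size + VIRUS_APPEND_BYTES:
            findings.append(Finding("C/mount", "exactly 700 bytes larger than reference"))
        elif actual > mount_reference_size:
            findings.append(Finding("C/mount", f"{actual - mount_reference_size} bytes larger than reference"))

    # 3. LoadWB without a $VER string (the warning says the fake one lacks it).
    loadwb = os.path.join(root, "C", "LoadWB")
    if os.path.isfile(loadwb) and not has_ver_string(loadwb):
        findings.append(Finding("C/LoadWB", "no $VER string"))

    return findings


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_sample_tree(infected):
    """Constructed sample system partition; none of these are real Amiga files."""
    root = tempfile.mkdtemp(prefix="amiga-ioc-")
    # A legitimately sized library with a version tag; must never be flagged.
    _write(root, "LIBS/rexxsyslib.library",
           b"\x00\x00\x03\xf3" + b"$VER: rexxsyslib.library 37.1" + b"\x00" * 100)
    if infected:
        _write(root, "LIBS/rexxfifo.library", b"\x00" * 1136)
        _write(root, "L/wb.handler", b"\x00" * 4716)
        # Reference size 5000 is constructed; the virus appends 700 bytes.
        _write(root, "C/mount", b"\x00" * (5000 + VIRUS_APPEND_BYTES))
        _write(root, "C/LoadWB", b"\x00\x00\x03\xf3" + b"\x00" * 200)  # no $VER tag
    else:
        _write(root, "C/mount", b"\x00" * 5000)
        _write(root, "C/LoadWB", b"\x00\x00\x03\xf3" + b"$VER: LoadWB 38.9" + b"\x00" * 200)
    return root


if __name__ == "__main__":
    for f in sweep(build_sample_tree(infected=True), mount_reference_size=5000):
        print(f"{f.path}: {f.reason}")
```

Run it against a directory copy of the system partition rather than the live Amiga: the point is to compare sizes and strings offline, and the reference size for C:mount should come from an original Workbench disk of the same release, not from the machine under examination.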


amiga-news.de, 15.11.2000 - 23.36 h
Copyright © 1997/2000 by amiga-news.de. All rights reserved (Legal Info) - AMIGA and associated logos are registered trademarks of Amiga, Inc.