May 2nd, 2002, 04:05 PM
May 2 Alerts
Discovered on: April 30, 2002
Last Updated on: April 30, 2002 at 12:09:22 PM PDT
When Trojan.Fatkill is run, it corrupts the hard disk.
Type: Trojan Horse
Payload Trigger: Running Trojan.Fatkill
Payload: Overwrites the File Allocation Table of the hard disk.
Causes system instability: The computer may not restart properly.
Trojan.Fatkill is a DOS program that overwrites the File Allocation Table of the hard disk so that it becomes corrupted. This may result in the computer being unable to restart.
Discovered on: May 1, 2002
Last Updated on: May 1, 2002 at 06:19:07 PM PDT
W32.Tendoolf is a variant of Backdoor.Subseven, which appears to be able to spread through email. The email message has the following characteristics:
Message: I just found this program, and, i dont know why... but it reminded me of you. check it out.
The mailing routine has not been successfully reproduced in a laboratory environment.
Discovered on: April 26, 2002
Last Updated on: April 26, 2002 at 04:48:47 PM PDT
Backdoor.Evilbot is a backdoor Trojan. It is used as a remote attack tool by hackers using IRC.
Type: Trojan Horse
When Backdoor.Evilbot is executed, it copies itself as \%SYSTEM%\Sysedit.exe.
Backdoor.Evilbot allows access to the infected computer by a hacker. It also attacks other computers using IRC.
Discovered on: April 24, 2002
Last Updated on: April 25, 2002 at 12:39:11 PM PDT
Backdoor.RemoteNC is a backdoor Trojan that can allow a hacker to gain access to your system. The hacker then can delete, copy or execute files on your computer.
Type: Trojan Horse
Infection Length: 143,360 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
When Backdoor.RemoteNC is executed, it opens a random port (usually 1025, 1035, 1041, 1047, 1054, or similar) and listens for a connection.
The hacker then can connect and have access to your system to delete, rename, copy, execute and any other commands that can be used by Cmd.exe.
NOTE: This backdoor Trojan does not function properly on Windows 95/98/Me systems. On these systems it allows a hacker to connect to the infected system, but the hacker cannot send any damaging commands to the infected system. This is because Windows 95/98/Me systems do not use the Cmd.exe file, but instead use the Command.com file. The Trojan is coded to use only Cmd.exe and its commands, which will function only on Windows NT/2000/XP systems.
Troj/Diablo is a backdoor Trojan horse. If the Trojan server is installed on a computer, it will monitor and log all keyboard keystrokes made by the user.
The keystrokes are logged into a file which can be sent via email or FTP to the potential attacker. The attacker can be notified by ICQ, when log files are uploaded onto an FTP server.
The filename and extension used by the Troj/Diablo server are configurable. Possible Troj/Diablo file extensions can be:
EXE, SCR, PIF, COM, CMD and BAT.
When the Trojan server is run, it copies itself into the Windows Startup folder so that it automatically runs every time Windows is started.
Alias: Backdoor.Autoupder, Downloader-W, Win32/Downloader-W.A.Trojan, TROJ_SUA.A, TrojanDownloader.Win32.Minstaller
Win32.MinStaller trojan has the ability to install, run and delete files on a user's computer via scripting directives which are stored on an external site.
The initial component (mnsvc.exe) downloads a program (ausvc.exe) which auto-updates various components as directed.
Currently the trojan can install the following files on a user's hard disk:
ausvc.exe (Auto-Updating component)
absr.exe (Browser Helper Object)
bvt.exe (Browser Helper Object)
mbtcd.bak (data file)
ea.bin (data file)
pl.dat (data file)
undo.exe (Uninstalls the trojan and all components)
Users Note: The trojan follows directives for the installation, retrieval and removal of files that are stored externally on a website (where the content is liable to change). Hence it is possible that the functionality of the trojan may also change according to what content is downloaded and installed on the affected machine.
Alias: I-Worm.Kagra, VBS/Kagra.A.Worm, VBS.Karga@mm
Category: VB Script
Please note: This description contains text that could be found offensive by some users. However, for clarity, and in order for users to accurately recognize this worm, the text of this description remains uncensored.
VBS.Horty.A is a worm spreading via the e-mail system, using Microsoft Outlook.
The worm arrives attached to a message with the Subject line:
"Jenna Jameson pornostar free super****+photo addresses"
and the following message body:
"Do you wanna see super pornostar,Jenna Jameson,in a special
super****?Double click on the attachment of this mail,and get
also some interesting sex-sex-sex addreses... "
The attached file is called:
sigh...and that's not all...but you get the idea...UPDATE TIME!
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
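A triage sketch for the file-based indicators in the alerts above, added here as an example and not part of the original post or of any vendor's tooling. It flags Win32.MinStaller component names, executable-type files in a Startup folder (Troj/Diablo's file name is configurable, so only location and extension can be checked), and .exe files whose size equals Backdoor.RemoteNC's infection length. The inventory, paths, and all sizes other than 143,360 are constructed.

```python
import ntpath

# Indicators taken from the alerts above; everything else here is constructed.
MINSTALLER_FILES = {"mnsvc.exe", "ausvc.exe", "absr.exe", "bvt.exe",
                    "mbtcd.bak", "ea.bin", "pl.dat", "undo.exe"}
DIABLO_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat"}
REMOTENC_LENGTH = 143360  # "Infection Length" from the Backdoor.RemoteNC alert

# Constructed sample: (Windows path, size in bytes), e.g. parsed from a dir listing.
SAMPLE_INVENTORY = [
    (r"C:\WINNT\system32\notepad.exe", 50960),
    (r"C:\WINNT\system32\ausvc.exe", 40960),
    (r"C:\Documents and Settings\user\Start Menu\Programs\Startup\Readme.PIF", 28672),
    (r"C:\Documents and Settings\user\Start Menu\Programs\Startup\notes.txt", 120),
    (r"C:\WINNT\Temp\svc32.exe", 143360),
]


def triage(inventory):
    """Return sorted (path, reason) pairs for entries matching an indicator.

    A match is a lead for manual review, not a verdict: names and sizes
    can collide with legitimate files.
    """
    findings = []
    for path, size in inventory:
        lowered = path.lower()
        name = ntpath.basename(lowered)
        ext = ntpath.splitext(name)[1]
        if name in MINSTALLER_FILES:
            findings.append((path, "Win32.MinStaller component name"))
        # Troj/Diablo copies itself into the Startup folder under any name.
        if "\\startup\\" in lowered and ext in DIABLO_EXTENSIONS:
            findings.append((path, "executable type in Startup folder"))
        if ext == ".exe" and size == REMOTENC_LENGTH:
            findings.append((path, "size equals Backdoor.RemoteNC infection length"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

Backdoor.Evilbot is left out on purpose: Sysedit.exe is also the name of a legitimate Windows system file, so a name match alone says nothing.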
May 2nd, 2002, 04:07 PM
Thanks Zigar! Like you said, time to update!
May 2nd, 2002, 05:34 PM
that Subseven worm is bad news...greenies for you
May 2nd, 2002, 05:39 PM
For some1 bad news....for some1 good
Not all ppl good as you think
May 2nd, 2002, 07:13 PM
Ahh, more updates from the harbinger of doom......j/k. Thanks Zig, I ran my update this morning, so hopefully I'm covered.
/me crossing my fingers!
Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.
May 2nd, 2002, 09:43 PM
Thanks man..... That one worm is weird.... The little keylogger.....