November 22nd, 2002, 11:41 PM
November 21 late in the evening DialogueScience, Inc. virus alert service registered the appearance of a dangerous Trojan detected by Dr.WebŪ anti-virus program as Trojan.Seoul. The virus source is likely to be in the Republic of Korea. It might be "dedicated" to the AVAR (Association of anti Virus Asia Researchers) forum that is taking place in Seoul these days.
A relevant hot add-on to Dr.WebŪ anti-virus program version 4.29, detecting Trojan.Seoul was issued at 21:04, November 21. As the virus code is highly complicated, the specialists of Anti-virus Laboratory of Igor Daniloff and of DialogueScience, Inc. keep analysing the code and the destructive features of the Trojan.
At present it is clear that the virus is a multi-component program, with some components being encrypted. When activated the virus searches for special system activity monitoring tools and debuggers. If found the virus kills them in memory and deletes all the files on the hard drive of the computer. If such processes are not found it creates the correspondent entry in the Windows system registry securing its automatic launching after the system restart. When run after the next reboot the virus displays a message box on the screen with the inscription "What foolish thing you've done" and after that starts deleting all the files on the hard drive.
The virus is also capable of mass-mailing its copies, this feature is being tested now.
November 23rd, 2002, 12:48 AM
hmph. I checked NAV's virus list and no Trojan.Seoul. I just updated today too. Well, I'll keep an eye out for it (I might check around the internet, see what I can find). Appreciate the info though.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
November 23rd, 2002, 01:35 AM
This might be particuliarly scary, since my most frequent backdoor visitor is from Seoul, Korea. I will check Symantec.com frequently for the update.
Thanks for the warning.
November 23rd, 2002, 09:07 AM
Just to clarify, this info came from a security forum. I gather the poster is acquainted with people at Dr. Web. I checked their website but found nothing. Since this trojan only showed itself less than 24 hrs ago, I guess that's reasonable. Checking several other av sites turned up nothing either.
November 23rd, 2002, 07:34 PM
The latest backdoor on Norton's site is Backdoor.Assasin.C as of 22/11/02.
There is already a virus names seoul but it is very old and is a bootsector infector tranmitted by floppies...... I think I remember those types...... Old age is a terrible thing....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
November 23rd, 2002, 07:44 PM
I found that old one, Tiger Shark and am still trying to find out about this new one. This thing, from what I know (which ain't much) is brand new as of 11-21, not seen before in the wild and I hope Dr. Web AV hasn't generated a false alarm. Or, maybe I should hope they have.