-
Trojan.Seoul
Late in the evening of November 21, the DialogueScience, Inc. virus alert service registered the appearance of a dangerous Trojan detected by the Dr.Web® anti-virus program as Trojan.Seoul. The virus source is likely to be in the Republic of Korea. It might be "dedicated" to the AVAR (Association of Anti Virus Asia Researchers) forum that is taking place in Seoul these days.
A relevant hot add-on to Dr.Web® anti-virus program version 4.29, detecting Trojan.Seoul, was issued at 21:04, November 21. As the virus code is highly complicated, the specialists of the Anti-virus Laboratory of Igor Daniloff and of DialogueScience, Inc. keep analysing the code and the destructive features of the Trojan.
At present it is clear that the virus is a multi-component program, with some components being encrypted. When activated, the virus searches for special system activity monitoring tools and debuggers. If found, the virus kills them in memory and deletes all the files on the hard drive of the computer. If such processes are not found, it creates the corresponding entry in the Windows system registry, securing its automatic launching after the system restart. When run after the next reboot, the virus displays a message box on the screen with the inscription "What foolish thing you've done" and after that starts deleting all the files on the hard drive.
The virus is also capable of mass-mailing its copies; this feature is being tested now.
-
Hmph. I checked NAV's virus list and no Trojan.Seoul. I just updated today too. Well, I'll keep an eye out for it (I might check around the internet, see what I can find). Appreciate the info though.
-
This might be particularly scary, since my most frequent backdoor visitor is from Seoul, Korea. I will check Symantec.com frequently for the update.
Thanks for the warning.
-
Just to clarify, this info came from a security forum. I gather the poster is acquainted with people at Dr. Web. I checked their website but found nothing. Since this trojan only showed itself less than 24 hrs ago, I guess that's reasonable. Checking several other av sites turned up nothing either.
-
The latest backdoor on Norton's site is Backdoor.Assasin.C as of 22/11/02.
There is already a virus named Seoul but it is very old and is a boot sector infector transmitted by floppies... I think I remember those types... Old age is a terrible thing... :(
-
I found that old one, Tiger Shark and am still trying to find out about this new one. This thing, from what I know (which ain't much) is brand new as of 11-21, not seen before in the wild and I hope Dr. Web AV hasn't generated a false alarm. Or, maybe I should hope they have.