RE: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

From: aleph1at_private
Date: Thu Oct 04 2001 - 11:26:09 PDT

  • Next message: Nick FitzGerald: "Re: SHELLCODE x86 NOOP"

    Folks,
    
      A final follow up on this issue. It appears the zip file extracted
    by the FIX_NIMDA.exe trojan, FIX_NIMDA.zip, that when extracted creates
    the folder FIX_NIMDA with four files (FIX_NIMDA.exe, readme.txt, SLIDE.DAT,
    and slide.exe) is an older version of TrendMicro's tool and thus not
    malicious. Interestingly, the extracted tool is version 1.22 but the
    readme.txt file was from version 1.23.
    
      A few folks wrote to let us know they have found this zip file, as
    opposed to the FIX_NIMDA.com executable distributed now by TrendMicro,
    in a number of different web sites. These all appear to be earlier
    version of TrendMicro's tool and not infected.
    
      All this being said do keep in mind that while the zip file that
    gets extracted is not malicious the trojan does installed the BioNet
    trojan, installed the KeyEye keystroke logger, and open up all your
    drives via shares while its extracting the zip file.
    
    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 12:53:02 PDT