Trojan Program Thread

From: Mike Peterson (slidefxat_private)
Date: Fri Oct 19 2001 - 12:03:26 PDT

    It looks like the mystery Trojan is Mini Oblivion by
    the Rat Pack.  I have passed the iexplore.exe to
    Symantec.
    
    General description was that iexplore.exe was placed in
    c:\winnt\system32. Five registry keys were found:

    HKEY_LOCAL_MACHINE....Windows\CurrentVersion\Run\Default Web browser
        = "C:\winnt\system32\iexplore.exe"
    HKEY_LOCAL_MACHINE....Windows\CurrentVersion\RunServices\Default web browser
        = "C:\winnt\system32\iexplore.exe"
    HKEY_LOCAL_MACHINE....WindowsNT\CurrentVersion\Winlogon\Shell
        = "explorer.exe iexplore.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
        = "iexpIore.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
        = "iexpIore.exe"
    
    Thanks to everyone who responded.
    
    Web Page for Mini Oblivion
    http://www.sinred.com/trojans/minioblivion.shtml
    (Not written by me)
    
    > Does anyone have information on an IRC Trojan with
    > the following characteristics.
    > 
    > Opens IRC channels on 6667 and connects to some IRC
    > channel on 6668.
    > 
    > It sets a registry key
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default
    > web browser  =  "c:\winnt\system32\iexplore.exe"
    > 
    > And changes the shell
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
    > changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"
    > 
    > I found a 9 KB file named iexplore.exe in
    > c:\winnt\system32 and also found the iexplore.exe
    > process running.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
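    The five autostart locations listed in the message above, as an added
    detection check that is not part of the original post or of the thread: a
    Python script that parses the text of a `reg export` (.reg) file covering
    those keys and flags the pattern the post describes, namely an iexplore.exe
    referenced from anywhere other than Program Files\Internet Explorer, a
    Winlogon Shell value that launches more than explorer.exe, non-empty
    per-user Windows\Run or Windows\Load values, and the look-alike spelling
    with a capital I in place of the l. The two registry exports embedded in the
    block are constructed for this example (one mirroring the reported keys,
    one clean), and the key paths are the full paths the post abbreviates with
    "....".

```python
import re

# Full key paths behind the abbreviations in the post (registry paths are
# case-insensitive; they are compared lower-cased below).
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
HKLM_WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKCU_WINDOWS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
AUTOSTART_KEYS = (HKLM_RUN, HKLM_RUNSERVICES, HKLM_WINLOGON, HKCU_WINDOWS)

# Directory the genuine Internet Explorer binary lives in (lower-case, trailing backslash).
LEGIT_IE_DIR = "\\program files\\internet explorer\\"


def _unescape(s):
    # .reg syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"="data" lines (@ is the default value).  Returns {key: {name: data}}."""
    entries, current = {}, None
    line_re = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = line_re.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            entries[current][name] = _unescape(m.group(4))
    return entries


def _exe_names(data):
    """Executable paths in a value: quoted paths may contain spaces, unquoted
    tokens are split on whitespace, and a trailing comma (Userinit style) is dropped."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', data)]
    return [t.rstrip(",") for t in tokens if t.rstrip(",").lower().endswith(".exe")]


def _check_exe_name(path):
    """Reason string if `path` matches the dropped file's naming, else None."""
    base = path.rsplit("\\", 1)[-1]
    directory = path[: len(path) - len(base)].lower()
    # A capital I standing in for l: "iexpIore.exe" reads as iexplore.exe in many fonts.
    if base.replace("I", "l").lower() == "iexplore.exe" and base.lower() != "iexplore.exe":
        return "file name mimics iexplore.exe with a look-alike character"
    # A bare name resolves through the search path (system32 first), so it is flagged too.
    if base.lower() == "iexplore.exe" and not directory.endswith(LEGIT_IE_DIR):
        return "iexplore.exe outside Program Files\\Internet Explorer"
    return None


def audit_autostarts(entries):
    """Return one finding per suspicious value: {key, value, data, reasons}."""
    findings = []
    by_lower = {k.lower(): k for k in entries}
    for key in AUTOSTART_KEYS:
        actual = by_lower.get(key.lower())
        if actual is None:
            continue
        for name, data in entries[actual].items():
            reasons = []
            if key == HKLM_WINLOGON and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
                reasons.append("Winlogon Shell runs more than explorer.exe")
            if key == HKCU_WINDOWS and name.lower() in ("run", "load") and data.strip():
                reasons.append("legacy Windows\\Run or Windows\\Load value is normally empty")
            for path in _exe_names(data):
                reason = _check_exe_name(path)
                if reason and reason not in reasons:
                    reasons.append(reason)
            if reasons:
                findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


def run_audit(reg_text):
    return audit_autostarts(parse_reg_export(reg_text))


# Constructed export mirroring the five keys from the post, plus benign entries.
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Default web browser"="\"C:\\winnt\\system32\\iexplore.exe\""
"Browser"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
"Example Agent"="\"C:\\Program Files\\Example\\agent.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Default web browser"="\"C:\\winnt\\system32\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe iexplore.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="iexpIore.exe"
"Load"="iexpIore.exe"
'''

# Constructed clean export: genuine IE path, default shell, empty legacy Run.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Browser"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"=""
'''

if __name__ == "__main__":
    for f in run_audit(INFECTED_EXPORT):
        print(f"{f['key']}\\{f['value']} = {f['data']!r}: {'; '.join(f['reasons'])}")
```

    Run against the constructed infected export the script reports five
    findings (the two HKLM Run entries, the Shell value, and the two HKCU
    values) and none for the clean one; the genuine Program Files\Internet
    Explorer entry is deliberately present to show it passes. To use it on a
    suspect host, export the four keys with `reg export` and feed the file's
    text to `run_audit`.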



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 13:05:20 PDT