It looks like the mystery Trojan is Mini Oblivion by the Rat Pack. I have passed the iexplore.exe to Symantec.

The general description was that iexplore.exe was placed in c:\winnt\system32.

Five registry keys were found:

HKEY_LOCAL_MACHINE....Windows\CurrentVersion\Run\Default Web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\RunServices\Default web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....WindowsNT\CurrentVersion\Winlogon\Shell "explorer.exe iexplore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run "iexpIore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load "iexpIore.exe"

Thanks to everyone who responded.

Web page for Mini Oblivion: http://www.sinred.com/trojans/minioblivion.shtml (Not written by me)

> Does anyone have information on an IRC Trojan with the
> following characteristics.
>
> Opens IRC channels on 6667 and connects to some IRC
> channel on 6668.
>
> It sets a registry key
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser = "c:\winnt\system32\iexplore.exe"
>
> And changes the shell
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
> changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"
>
> I found a 9 KB file named iexplore.exe in
> c:\winnt\system32 and also found the iexplore.exe
> process running.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
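An added example, not part of the original post: a small audit over exported registry rows that flags the three persistence patterns reported above (a Winlogon Shell that is not plain explorer.exe, an autorun pointing at iexplore.exe outside the Internet Explorer install folder, and the capital-I lookalike name). The sample rows are constructed, and the key paths are written out as the standard Windows locations, which is an assumption where the post abbreviates them.

```python
import ntpath
import re

# Constructed sample rows (key, value name, data), shaped like the entries in the post.
# Full key paths are assumed standard locations; the post abbreviates some of them.
SAMPLE = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Default Web browser", r'"C:\winnt\system32\iexplore.exe"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "explorer.exe iexplore.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
     "Load", "iexpIore.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SystemTray", "SysTray.Exe"),  # benign control row
]

AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")

def commands(data):
    """Split a registry data string into the quoted or bare tokens it names."""
    return [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', data)]

def is_lookalike(name):
    """True for names that only read as iexplore.exe (capital I or digit 1 for l)."""
    folded = name.replace("I", "l").replace("1", "l").lower()
    return name.lower() != "iexplore.exe" and folded == "iexplore.exe"

def audit(rows):
    """Return (key, value, reason) for every row matching a reported pattern."""
    findings = []
    for key, value, data in rows:
        k, v = key.lower(), value.lower()
        if k.endswith(r"\winlogon") and v == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append((key, value, "shell is not plain explorer.exe"))
            continue
        legacy = k.endswith(r"\currentversion\windows") and v in ("run", "load")
        if not (k.endswith(AUTORUN_SUFFIXES) or legacy):
            continue
        for cmd in commands(data):
            name = ntpath.basename(cmd)
            if is_lookalike(name):
                findings.append((key, value, "lookalike of iexplore.exe"))
            elif name.lower() == "iexplore.exe" and "internet explorer" not in data.lower():
                findings.append((key, value, "iexplore.exe outside its install folder"))
    return findings
```

Calling `audit(SAMPLE)` returns three findings and leaves the benign control row alone; rows from a real export can be fed in the same tuple shape.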
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 13:05:20 PDT