Re: The Cleaner reports WinPCap contains WinRAT trojan

From: Gideon Lenkey (glenkey@infotech-nj.com)
Date: Sat Feb 16 2002 - 10:07:17 PST


    I'm going out on a limb on this one. I don't use WinPCap (or Windows much
    for that matter), but if you downloaded multiple versions from the
    vendor's site and they all report having the same 'trojan', it is probably
    a false positive detect. Especially since no other products found it.
    
    If WinPCap offers a hash checksum, use it to confirm you have downloaded
    what the vendor packaged. Also, take a walk up the whole stack of the
    machine running WinPCap, and see if anything you don't know about is open
    for business. If it's not, then the 'WinRAT', if it's there, is certainly
    not talking to anyone... yet.. :)
    
    --Gideon
    
    * PGP Key ID 0x92556BEC * pgp.mit.edu      *
    
    
    On Sat, 16 Feb 2002, dumbwabbit wrote:
    
    /* Forgive the cross-posting, but I think this *may*
    /* merit it.
    /*
    /* WinPCap is a packet capture driver/architecture for
    /* Windows platform, allowing Windows users to do such
    /* things as run NMapNT, the NT port of Nmap.
    /*
    /* Upon scanning a file archive on one of my pen testing
    /* laptops, using the latest updated version of The
    /* Cleaner (a trojan AV product from MooSoft), The
    /* Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
    /* beta, along with the Developer Pack of WinPCap are all
    /* infected with or contain the WinRAT (aka Windows
    /* Remote Administration Toolkit) client/server trojan. I
    /* "tested" this further by re-downloading the WinPCap
    /* files from the original website, located at:
    /* http://netgroup-serv.polito.it/winpcap/install/default.htm
    /* All files downloaded from this location scanned by The
    /* Cleaner are reported as containing WinRAT.
    /*
    /* I have sent copies of these files to MooSoft asking if
    /* they can verify this, and I have emailed the authors
    /* of WinPCap as well. That was 3 days ago.
    /*
    /* McAfee VirusScan 4.51 and 6, both with latest DATs
    /* (4186) do not find anything.
    /* I do not have access currently to Norton or Trend or
    /* another AV product.
    /* I also cannot find any helpful information about the
    /* WinRAT trojan online (MooSoft's description contains
    /* absolutely NO information regarding this trojan other
    /* than listing it - see
    /* http://www.moosoft.com/winrat.php).
    /* I have not yet heard back from WinPCap authors, nor
    /* MooSoft. Therefore, I would like to ask if anyone else
    /* can verify or disprove this "finding".
    /*
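
The two checks suggested in the reply above (confirm the download against the vendor's published checksum, then look for listeners you cannot account for), as an added example that is not part of the original thread. SHA-256, the `netstat -ano` column layout, the baseline set and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, published_hex: str) -> bool:
    """True only if the file's digest equals the value the vendor published."""
    return hmac.compare_digest(sha256_of(data), published_hex.strip().lower())

def listening_sockets(netstat_text: str):
    """Parse `netstat -ano` style text into (proto, addr, port, pid) tuples."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # TCP rows carry a state column; UDP rows do not, so every bound
        # UDP port is treated as open.
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")  # also handles [::]:135
        found.append((parts[0], addr, int(port), int(parts[-1])))
    return found

def unexpected_listeners(netstat_text: str, baseline: set):
    """Listeners whose (proto, port) is not in the known-good baseline."""
    return [s for s in listening_sockets(netstat_text)
            if (s[0], s[2]) not in baseline]

# Constructed sample output (documentation address ranges, made-up PIDs).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:50123          0.0.0.0:0              LISTENING       2216
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     4120
  UDP    0.0.0.0:123            *:*                                    1044
"""
# Hypothetical baseline: services the administrator already knows about.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

if __name__ == "__main__":
    installer = b"constructed stand-in for the downloaded installer"
    published = sha256_of(installer)  # stands in for the vendor's listed value
    print("hash ok:", verify_download(installer, published))
    for proto, addr, port, pid in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unknown listener: {proto} {addr}:{port} (pid {pid})")
```

A matching digest only shows the file is what the vendor packaged; the listener check is what tells you whether anything on the host is actually accepting connections.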
    



    This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 11:22:12 PST