My guess is that the trojan may use code from WinPCap, rather than the other way around.

- xfesty

--=--
:: Ryan Verner :: xfesty/irc.whackpack.com ::
:: ICQ :: 76626240 ::
:: <festyat_private> ::
:: <xfestyat_private> ::
:: "I'm stuck in this dream; it's changing me. I am becoming." ::

----- Original Message -----
From: "dumbwabbit" <dumbwabbitat_private>
To: <vuln-devat_private>; <focus-virusat_private>; <security-basicsat_private>
Sent: Sunday, February 17, 2002 12:35 AM
Subject: The Cleaner reports WinPCap contains WinRAT trojan

| Forgive the cross-posting, but I think this *may*
| merit it.
|
| WinPCap is a packet capture driver/architecture for
| Windows platform, allowing Windows users to do such
| things as run NMapNT, the NT port of Nmap.
|
| Upon scanning a file archive on one of my pen testing
| laptops, using the latest updated version of The
| Cleaner (a trojan AV product from MooSoft), The
| Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
| beta, along with the Developer Pack of WinPCap are all
| infected with or contain the WinRAT (aka Windows
| Remote Administration Toolkit) client/server trojan. I
| "tested" this further by re-downloading the WinPCap
| files from the original website, located at:
| http://netgroup-serv.polito.it/winpcap/install/default.htm
| All files downloaded from this location scanned by The
| Cleaner are reported as containing WinRAT.
|
| I have sent copies of these files to MooSoft asking if
| they can verify this, and I have emailed the authors
| of WinPCap as well. That was 3 days ago.
|
| McAfee VirusScan 4.51 and 6, both with latest DATs
| (4186) do not find anything.
| I do not have access currently to Norton or Trend or
| another AV product.
| I also cannot find any helpful information about the
| WinRAT trojan online (MooSoft's description contains
| absolutely NO information regarding this trojan other
| than listing it - see
| http://www.moosoft.com/winrat.php).
| I have not yet heard back from WinPCap authors, nor
| MooSoft. Therefore, I would like to ask if anyone else
| can verify or disprove this "finding".

This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 11:29:34 PST