Re: The Cleaner reports WinPCap contains WinRAT trojan

From: Ryan Verner (xfestyat_private)
Date: Sat Feb 16 2002 - 09:19:52 PST


    My guess is that the trojan may use code from WinPCap, rather than the other
    way around.
    
    - xfesty
    
    --=--
    
    :: Ryan Verner :: xfesty/irc.whackpack.com ::
    :: ICQ :: 76626240 ::
    :: <festyat_private> ::
    :: <xfestyat_private> ::
    
    :: "I'm stuck in this dream; its changing me. I am becoming." ::
    
    ----- Original Message -----
    From: "dumbwabbit" <dumbwabbitat_private>
    To: <vuln-devat_private>; <focus-virusat_private>;
    <security-basicsat_private>
    Sent: Sunday, February 17, 2002 12:35 AM
    Subject: The Cleaner reports WinPCap contains WinRAT trojan
    
    
    | Forgive the cross-posting, but I think this *may*
    | merit it.
    |
    | WinPCap is a packet capture driver/architecture for
    | Windows platform, allowing Windows users to do such
    | things as run NMapNT, the NT port of Nmap.
    |
    | Upon scanning a file archive on one of my pen testing
    | laptops, using the latest updated version of The
    | Cleaner (a trojan AV product from MooSoft), The
    | Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
    | beta, along with the Developer Pack of WinPCap are all
    | infected with or contain the WinRAT (aka Windows
    | Remote Administration Toolkit) client/server trojan. I
    | "tested" this further by re-downloading the WinPCap
    | files from the original website, located at:
    | http://netgroup-serv.polito.it/winpcap/install/default.htm
    | All files downloaded from this location scanned by The
    | Cleaner are reported as containing WinRAT.
    |
    | I have sent copies of these files to MooSoft asking if
    | they can verify this, and I have emailed the authors
    | of WinPCap as well. That was 3 days ago.
    |
    | McAfee VirusScan 4.51 and 6, both with latest DATs
    | (4186) do not find anything.
    | I do not have access currently to Norton or Trend or
    | another AV product.
    | I also cannot find any helpful information about the
    | WinRAT trojan online (MooSoft's description contains
    | absolutely NO information regarding this trojan other
    | than listing it - see
    | http://www.moosoft.com/winrat.php).
    | I have not yet heard back from WinPCap authors, nor
    | MooSoft. Therefore, I would like to ask if anyone else
    | can verify or disprove this "finding".
    |
    



    This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 11:29:34 PST