Bugtraq mailing list archives
E-mailed Trojan
From: duck () AQUASCAPE COM (Mark E. Duck)
Date: Thu, 28 Jan 1999 20:12:39 -0500
There is a trojan horse circulating the Internet as an attachment in email with a spoofed email address of Microsoft Corporation. It contains an announcement and an attachment that is supposedly targeted at registered users of MS Internet Explorer. A copy of the email was not available for examination, but the attachment was.

The attachment is called ie0199.exe and is represented as a HOTFIX for IE. When executed it deletes sndvol32.exe from the %SystemRoot%\System32 directory, installs %SystemRoot%\System\sndvol.exe, and creates a registry key value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Default with a value of %SystemRoot%\System\sndvol.exe. This key causes execution of sndvol.exe after logging into the system. This is malicious code that continually half-opens TCP connections on various ports to www1.infotel.bg.

To remove the trojan you must delete %SystemRoot%\System\sndvol.exe, terminate the running sndvol.exe process, remove the key (see above), and restore %SYSTEMROOT%\System32\sndvol32.exe with a known good copy (if required).

Thanks go out to ET, Ranger Rick, Homer, and Raz for their assistance on tracking this down and helping me kill it. Public attribution of the authors of this report is acceptable and expected.

Mark E. Duck, Owner
AquaScape, Internet Services
http://www.aquascape.com

"Those who desire to give up Freedom, to gain Security, will not, and do not deserve, either." -- Thomas Jefferson
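The following read-only check is an added example, not part of the original Bugtraq post, and only reports the indicators the report describes (the Run key value, the dropped file, the deleted mixer binary, the running process and SYN_SENT connections to the named host); it does not remove anything. It assumes a modern PowerShell with the NetTCPIP and DnsClient modules, and note that on Windows Vista and later SndVol.exe in System32 is the legitimate volume mixer and sndvol32.exe no longer exists, so the process check matches on the %SystemRoot%\System path and the sndvol32.exe check is only meaningful on the Windows versions current in 1999.

```powershell
# Added example (not from the original post): report-only check for the ie0199.exe indicators.
# Paths, the Run key and the beacon host come from the report; variable names and output are assumptions.
# Run from an elevated PowerShell so the HKLM key and all processes are readable.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropped  = Join-Path $env:SystemRoot 'System\sndvol.exe'      # file the trojan installs
$original = Join-Path $env:SystemRoot 'System32\sndvol32.exe'  # file the trojan deletes (1999-era Windows)
$beacon   = 'www1.infotel.bg'
$findings = @()

# 1. The trojan stores its launcher in the (Default) value of the Run key.
$runDefault = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'(default)'
if ($runDefault -and $runDefault -match 'sndvol\.exe') {
    $findings += "Run key (Default) points at: $runDefault"
}

# 2. Dropped binary present under %SystemRoot%\System?
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped file present: $dropped"
}

# 3. Legitimate mixer removed from System32? Only meaningful where sndvol32.exe is expected to exist.
if (-not (Test-Path -LiteralPath $original)) {
    $findings += "Not found (deleted by trojan, or not shipped on this Windows version): $original"
}

# 4. Running sndvol.exe loaded from the trojan's path, not the legitimate System32 mixer.
Get-Process -Name 'sndvol' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like '*\System\sndvol.exe' } |
    ForEach-Object { $findings += "Running process from trojan path: $($_.Path) (PID $($_.Id))" }

# 5. Half-open connections: local sockets stuck in SYN_SENT toward the beacon host.
$beaconIps = @(Resolve-DnsName -Name $beacon -Type A -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty IPAddress)
if ($beaconIps) {
    Get-NetTCPConnection -State SynSent -ErrorAction SilentlyContinue |
        Where-Object { $beaconIps -contains $_.RemoteAddress } |
        ForEach-Object { $findings += "SYN_SENT to $beacon ($($_.RemoteAddress):$($_.RemotePort)) from PID $($_.OwningProcess)" }
}

if ($findings.Count -eq 0) {
    'No ie0199.exe indicators found.'
} else {
    'Indicators found (see the removal steps in the report):'
    $findings | ForEach-Object { "  - $_" }
}
```

If the host name no longer resolves, step 5 is skipped; inspect SYN_SENT connections by hand with Get-NetTCPConnection -State SynSent in that case.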