Name: wawadave
Virus Alert: Linux/Kis Trojan May Disable Security Software
June 17, 2003
By eSecurityPlanet Staff
Antivirus software vendor McAfee on Tuesday issued an alert for a Trojan that includes a driver for Linux/Kis to cover for a malicious remote access/hacking package. The Trojan includes a GUI client and server part. The Linux/Kis (Kernel Intrusion System) Trojan source code is available at certain Web sites. A local recompilation of the .c source code is needed.
During testing, the recompilation was not error-free and the binaries didn't get built. As the binaries are to be locally rebuilt, the file size (and internal file content) might vary. The Linux/Kis server, an ELF binary file called kis, might replace a file with itself (/sbin/init) to ensure automatic loading at system boot. It puts itself in "/.secret_directory."
The Linux/Kis client, an ELF binary file called kis_client, can use spoofing. An IP number can be entered of the host to be spoofed as. When using 0 for the IP it will spoof a random IP every time it sends a packet. When using 0 for the port KIS will spoof a different port every time. Note that this requires root access so will most likely not work on the majority of the systems.
Linux/Kis may disable security modules that might be loaded. Read more at this McAfee page.
Virus Alert: Worm Emails Itself Out With Attachment
VBS/Suhd-A is an Internet worm that emails itself to every contact in the Microsoft Windows address book. The emails have the following characteristics:
Subject line: FW: Daily Report!!!
Message text: All:
Daily Report.FYI
DGPIT
Attached file: Daily Report.Xls
If opened, Daily Report.Xls creates a file called suhdlog.vbs in the Windows folder. Suhdlog.vbs is the mailing component of the worm. Both Daily Report.Xls and Suhdlog.vbs are detected as VBS/Suhd-A.
Instructions for removing worms are at this Sophos page.
http://www.sophos.com/support/disinfection/worms.html
