Name: wawadave
Trojan Gives Creator Complete Computer Access
September 24, 2003
Backdoor.Smother is a Trojan that gives its creator complete access to a computer, according to Symantec, which issued a low-level alert Wednesday. By default, the Trojan connects on port 3264 to a server whose address is hard-coded in the Trojan. Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.smother.html#technicaldetails
Worm Targets Network Shares With Weak Passwords
W32.HLLW.Gaobot.AF is a minor variant of W32.HLLW.Gaobot.AE. It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.
The worm uses multiple vulnerabilities, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. Using this exploit, the worm specifically targets Windows XP computers.
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
W32.HLLW.Gaobot.AF is compressed with UPX. Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ag.html#technicaldetails
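The two exploit paths listed above both show up on the wire as one host opening connections to TCP 135 and 445 on many neighbours in a short time. The following is an added example, not code from the original post or from Symantec: a small detector that reads a constructed connection log (the "time src dst dport" format, the 60-second window and the five-target threshold are all assumptions for the example) and reports sources that reach many distinct hosts on those ports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the alert above ties to the worm's two exploits.
WORM_PORTS = {135: "DCOM RPC (MS03-026)", 445: "RPC Locator (MS03-001)"}

# Constructed connection log (not a real capture).
# Fields: ISO time, source, destination, destination port.
SAMPLE_LOG = """\
2003-09-24T10:00:01 10.0.0.5 10.0.0.11 135
2003-09-24T10:00:01 10.0.0.5 10.0.0.12 135
2003-09-24T10:00:02 10.0.0.5 10.0.0.13 135
2003-09-24T10:00:02 10.0.0.5 10.0.0.13 445
2003-09-24T10:00:04 10.0.0.5 10.0.0.14 135
2003-09-24T10:00:05 10.0.0.5 10.0.0.15 135
2003-09-24T10:03:00 10.0.0.7 10.0.0.20 445
2003-09-24T10:03:10 10.0.0.7 10.0.0.20 445
2003-09-24T10:04:00 10.0.0.9 10.0.0.30 80
"""


def parse_log(text):
    """Yield (time, src, dst, dport) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: {"targets": n, "ports": [...]}} for every source that
    contacts at least min_targets distinct hosts on a worm port within any
    span of length `window`. Ordinary file-server traffic (one client, one
    server, repeated) stays below the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport in WORM_PORTS:
            by_src[src].append((ts, dst, dport))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # by time, so each window starts at events[i]
        best = 0
        for i, (start, _, _) in enumerate(events):
            targets = {dst for ts, dst, _ in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = {"targets": best,
                         "ports": sorted({p for _, _, p in events})}
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        names = ", ".join(WORM_PORTS[p] for p in info["ports"])
        print(f"{src}: {info['targets']} hosts on {info['ports']} ({names})")
```

The threshold is deliberately a count of distinct destinations rather than of connections, because a worm sweeping a subnet touches many hosts once each, whereas a legitimate SMB client hits one server many times.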
Mass-Mailing Worm Sends Email About Phony Game
W32.Israz.B@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all the contacts in the Windows Address Book and Outlook Address Book. The email has the following characteristics:
Subject: Your file is attached to message.
Message: Hi!, it's me !!!
I sent you a new game for our great friendship, open it, and enjoy.
Attachment: game.exe
or:
From: windows@microsoft.com
Subject: Something new for you
Message: Did you know...
This is one tip of many tips that can help you use your computer easily and simply. Open the file attached, and enjoy.
Attachment: tips.exe
The worm also attempts to spread itself through some file-sharing networks, such as KaZaA, Morpheus, eMule, eDonkey2000, BearShare, and iMesh.
This threat is written in the Microsoft Visual Basic programming language. Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.israz.b@mm.html#technicaldetails
Trojan Contains Bug and Malfunctions
This threat is detected as JS/Nezew. This short, encrypted JavaScript Trojan does not function due to a bug in its code. It may arrive via e-mail spam messages. More information is at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100682

Thanks for the information, but you just need to use a very good trojan remover to get rid of it easily !!!
I am sure you already know Trojan Remover, the program dedicated especially to trojan's betrayals..... :))))
http://www.simplysup.com/tremover/details.html

Today's roundup of virus alerts:
W32/Dumaru-B - Another worm that spreads via an e-mail that claims to be a Microsoft patch. The infected message comes from "security@microsoft.com" with a subject line of "Use this patch immediately !" and an attachment called "patch.exe". The virus drops a keystroke logger and attempts to disable security-related software running on the infected machine. (Sophos)
W32/Lovgate-R - A worm that drops backdoor functionality on the infected machine, allowing an attacker to gain access to and control the system. The virus spreads via network shares and e-mail. (Sophos)
**********
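The Israz.B and Dumaru-B alerts above describe the same lure: a message with an executable attachment, in two of the three variants sent from a forged microsoft.com address. The following is an added example, not code from the original posts or from Symantec or Sophos: a mail classifier that parses messages with Python's standard `email` package and flags the indicators those alerts list. The sample messages are constructed in the block itself (not captured worm mail) and the set of "executable" extensions is an assumption for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# (subject, attachment) pairs quoted in the alerts above.
KNOWN_LURES = {
    ("Your file is attached to message.", "game.exe"),
    ("Something new for you", "tips.exe"),
    ("Use this patch immediately !", "patch.exe"),
}
# Assumed list of attachment types treated as executable.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachment_names(msg):
    """Return the filenames of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw):
    """Return the reasons a raw RFC 822 message looks like a worm lure
    (an empty list means nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    reasons = []
    exe_names = [n for n in attachment_names(msg)
                 if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    for name in exe_names:
        reasons.append(f"executable attachment: {name}")
        if (subject, name) in KNOWN_LURES:
            reasons.append(f"known lure: subject {subject!r} with {name}")
    if exe_names and "@microsoft.com" in sender:
        # Microsoft does not distribute patches as e-mail attachments, so a
        # microsoft.com sender plus an executable is itself a strong signal.
        reasons.append("executable attachment from a microsoft.com sender")
    return reasons


def build_sample(sender, subject, body, attachment_name=None):
    """Construct a test message (not a real worm e-mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SAMPLES = {
    "israz_game": build_sample("friend@example.net",
                               "Your file is attached to message.",
                               "Hi!, it's me !!!", "game.exe"),
    "israz_tips": build_sample("windows@microsoft.com", "Something new for you",
                               "Did you know...", "tips.exe"),
    "dumaru": build_sample("security@microsoft.com",
                           "Use this patch immediately !",
                           "Install this patch.", "patch.exe"),
    "clean": build_sample("colleague@example.org", "Meeting notes",
                          "See attached.", "notes.txt"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw) or ["clean"])
```

The exact subject/attachment pairs catch these two families only; the generic rules (any executable attachment, any executable from a microsoft.com sender) are what keep the check useful against the next variant with a changed subject line.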

Worm Spreads Through KaZaA File-Sharing Network
September 25, 2003
VBS.Taber is a worm that attempts to spread through the KaZaA file-sharing network as "Britney_and_Madonna_f---ing.mov.vbs," according to Symantec, which issued a low-level alert Thursday. The worm attempts to delete C:\Windows\Explorer.exe and make some configuration changes to Internet Explorer by editing registry keys. The worm will only execute on Windows 95/98/Me systems.
Technical details are at this Symantec page.
Trojan Gives Its Author Complete System Control
Backdoor.Translat is a Backdoor Trojan Horse that gives a remote attacker complete control over a compromised system. Find out more at this Symantec page.
Trojan Changes Several IE Settings
StartPage-Q is a detection for a Trojan that changes several Internet Explorer settings, such as the start page and search page.
After execution, it drops one file to %windir% called:
default.css (1260 bytes)
The same file also gets dropped into %windir%\web\ called:
oslogo.bmp (1260 bytes)
Both files are detected as 'application Adware-CWS'. Several keys are created/modified within the Windows registry. View them and other information at this McAfee page.
Linux/Califax Targets MS-DOS Drives
Califax is a source-code infector that creates a stdio.h file in the /usr/local/include directory.
Because in some circumstances gcc searches /usr/local/include/ for the stdio.h file before its default location in /usr/include/, every binary compiled on a compromised system will include code from the infected stdio.h.
The malicious stdio.h includes the original stdio.h and overwrites the close() function with a custom function which propagates the virus.
Califax searches for MS-DOS drives mounted on the local filesystem and, if a DOS version of gcc is present on them, infects the DOS partition as well using the same technique. Its code is designed to successfully compile and run on both operating systems.
Califax was originally written as a proof of concept for platform-independent viruses. In most Linux distributions, only root has write access to the /usr/local/include/ folder, so the infected binary must be executed as root to successfully infect the system.
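The Califax technique works only because a header dropped in an early include directory shadows the real one, and the dropped copy then re-includes the original so that programs keep compiling. The following is an added example, not code from the original post or from the virus author: a check that lists headers in one include directory that shadow a same-named header in another and reports whether the shadowing copy re-includes a header of its own name (the wrapper pattern), plus a helper that asks the installed gcc for its actual `<...>` search order. The fixture it runs on is constructed inside the block, not an infected system.

```python
import os
import re
import subprocess
import tempfile

# Matches #include <x>, #include "x" and #include_next <x>; group 2 is the path.
INCLUDE_RE = re.compile(r'#\s*include(_next)?\s*[<"]([^<>"]+)[>"]')


def find_shadowed_headers(early_dir, system_dir):
    """Map each .h file in early_dir that also exists in system_dir to True
    if the early copy re-includes a header of the same name (the wrapper
    pattern described above), else False. Non-shadowing headers are omitted."""
    shadowed = {}
    for name in sorted(os.listdir(early_dir)):
        early_path = os.path.join(early_dir, name)
        if not name.endswith(".h") or not os.path.isfile(early_path):
            continue
        if not os.path.isfile(os.path.join(system_dir, name)):
            continue
        with open(early_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        reincludes = any(os.path.basename(m.group(2)) == name
                         for m in INCLUDE_RE.finditer(text))
        shadowed[name] = reincludes
    return shadowed


def gcc_include_order():
    """Return gcc's <...> search directories in order, or None if gcc is not
    installed. Parses the block that `gcc -v -E -x c /dev/null` prints on
    stderr between '#include <...> search starts here:' and
    'End of search list.'"""
    try:
        proc = subprocess.run(["gcc", "-v", "-E", "-x", "c", os.devnull],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    dirs, inside = [], False
    for line in proc.stderr.splitlines():
        if line.startswith("#include <...> search starts here:"):
            inside = True
        elif line.startswith("End of search list."):
            break
        elif inside:
            dirs.append(line.strip())
    return dirs


def demo():
    """Run the check on a constructed fixture laid out like an infected host:
    a wrapper stdio.h under the 'local' tree shadowing the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "local", "include")
        system = os.path.join(tmp, "usr", "include")
        os.makedirs(local)
        os.makedirs(system)
        for name in ("stdio.h", "stdlib.h"):
            open(os.path.join(system, name), "w").close()
        # Constructed wrapper: pulls in the real header by absolute path and
        # would append its own code after it.
        with open(os.path.join(local, "stdio.h"), "w") as fh:
            fh.write('#include "/usr/include/stdio.h"\n/* extra code here */\n')
        # A legitimate local-only header does not shadow anything.
        open(os.path.join(local, "mylib.h"), "w").close()
        return find_shadowed_headers(local, system)


if __name__ == "__main__":
    print("constructed fixture:", demo())
    order = gcc_include_order()
    print("gcc search order:", order if order is not None else "gcc not found")
    if order is not None:
        print("real host:", find_shadowed_headers("/usr/local/include", "/usr/include"))
```

On a real host the directories to compare are the ones `gcc_include_order()` returns, in that order: any header present in a directory listed earlier than /usr/include shadows the system copy for every build on that machine, which is the whole of the mechanism the post describes.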
