Re: [Full-disclosure] Re: New PowerPoint Trojan installs itself as LSP

From: Juha-Matti Laurio (juha-matti.laurionetti.fi)
Date: Fri Jul 21 2006 - 00:12:09 CDT


Many thanks for this useful information.
These new types of Trojans are known as Trojan.Riler.F, Win32.Fantador.E etc.

Names available have been updated to the PowerPoint FAQ,
http://blogs.securiteam.com/?p=508

The following description, including information about the proxy-like feature, is worth checking too:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FRILER%2EB&VSect=T

- Juha-Matti

Mike Healan <mikespywareinfo.com> wrote:
>
> > Is this 'mechanism' very common and is it difficult to detect by AV?
>
> No, but you have to be damned careful removing something installed as an
> LSP. I've seen literally hundreds of PCs with their network stack
> buggered because the owner tried to remove NewDotNet. NewDotNet inserts
> itself as an LSP.
>
> Regards,
> Mike Healan
> www.spywareinfo.com
>
> Juha-Matti Laurio wrote:
> > It appears that there is a new type of PowerPoint 0-day Trojan spreading,
> > more details at this write-up:
> > http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99
> >
> > What the technical details section says is:
> > "Installs the file SNootern.dll as a layered service provider (LSP)"
> >
> > Wikipedia has only a stub-type article
> > http://en.wikipedia.org/wiki/Layered_Service_Provider
> >
> > Is this 'mechanism' very common and is it difficult to detect by AV?
> >
> > This new Trojan, entitled Riler.F, opens a back door and tries to
> > connect to 8800.org;
> > the earlier Bifrose Trojan uses (or used) this domain too.
> >
> > There is a new C variant of Trojan.PPDropper as well, but no information
> > about the file name of the PowerPoint attachment etc.
> > Symantec reports Infection Length as 220,160 bytes, same as used by
> > Trojan.PPDropper.B.
> > This size information is from Trojan description of another vendor,
> > however.
> >
> > This summary has been updated to the related PowerPoint 0-day FAQ document.
> >
> > Regards,
> > Juha-Matti
> > http://blogs.securiteam.com/index.php/archives/author/juha-matti/
>
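The LSP mechanism discussed in this thread, as an added defender-side example that is not part of the original posts: a PowerShell script that parses the Winsock catalog (format assumed to match the output of `netsh winsock show catalog`, on Windows) and lists layered entries whose provider DLL does not live under System32, which is where the Microsoft base providers reside. The catalog entries embedded below are constructed sample data; the Provider ID and file path of the suspicious entry are placeholders.

```powershell
# Added example: triage the Winsock catalog for layered service providers (LSPs)
# whose DLL is outside %SystemRoot%\system32. Assumes `netsh winsock show catalog`
# output format. Runs against the constructed sample below unless -Live is given.
param([switch]$Live)

# Constructed sample: one legitimate base provider and one suspicious layered entry.
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Constructed suspicious LSP
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Windows\Temp\SNootern.dll
Catalog Entry ID:                   1010
'@

# Split the catalog text into one object per "Winsock Catalog Provider Entry" block.
function Get-WinsockEntries {
    param([string]$Text)
    $entries = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            $current = @{}
        } elseif ($null -ne $current -and
                  $line -match '^(Entry Type|Description|Provider Path|Catalog Entry ID):\s*(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    return $entries
}

# Flag layered entries (LSPs and layered chains) whose DLL is not under System32.
function Find-SuspiciousLsp {
    param($Entries)
    $system32 = Join-Path $env:SystemRoot 'system32\*'
    foreach ($e in $Entries) {
        if ($e.'Entry Type' -notmatch 'Layered') { continue }
        $path = [Environment]::ExpandEnvironmentVariables($e.'Provider Path')
        if ($path -notlike $system32) { $e }
    }
}

$text = if ($Live) { (netsh winsock show catalog) -join "`n" } else { $sample }
Find-SuspiciousLsp (Get-WinsockEntries $text) |
    Format-Table 'Catalog Entry ID', 'Entry Type', 'Description', 'Provider Path' -AutoSize
```

A flagged entry is a lead for investigation, not proof of infection; as the thread notes, removing an LSP by deleting its DLL alone can break the Winsock chain, so use the proper catalog repair path instead.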

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/