Re: New Trojan????

[David Knaack <dknaack () RDTECH COM>]

The exe is a utility to hide or show windows on the desktop.
It has been compressed with the UPX EXE compressor.

It attempts to read and write to the registry, to store
prefrence values,
HKCU\Software\Adrian Lopez\HideWindow\Preferences.

Filesystem and registry monitoring shows nothing
out of the ordinary attempted when run.

Nothing sinister there.

The other files are all straight text, some of which
are mIRC scripts, some are text data files of some sort.

DK
--
99 little bugs in the code, 99 bugs in the code,
fix one bug, compile it again, 101 little bugs in the code.

----- Original Message -----
From: "Dave Woods" <dave () TECHWEAVERS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, October 31, 2000 1:28 PM
Subject: New Trojan????


> One of our computers here recently became infected with something I have
> never seen before.
>
> When the computer starts up (winME) it opens up 2 copies of the
> FreeExtractor prog that exctracts the following files:
> mirc.ini
> mirc2.ini
> mirc3.ini
> pri.ini
> 20139.txt
> gates.txt
> temp.exe
> temp2.exe
> whvlxd.dat
> temp.scr
>
> gates.txt contains a lot of ip's / domains in it that look to be possibly
> infected hosts that this "program" is creating as some of them are isp
> accounts ie port200.hs.ip.com
> temp.scr does not run (says not a valid win32 app)
>
> I have attached the files in a zip with a password of pass101
>
> If anyone has seen or knows what this is or how to remove it let me know.
>
> Sincerely,
> David Woods
> Techweavers Inc.
> dave () techweavers net
> www.techweavers.net
> Phone: (780)-423-3952
> Fax: (780)-432-3220