Security Incidents mailing list archives
Trojan Program Thread
From: Mike Peterson <slidefx () yahoo com>
Date: Fri, 19 Oct 2001 12:03:26 -0700 (PDT)
It looks like the mystery Trojan is Mini Oblivion by the Rat Pack. I have passed the iexplore.exe to Symantec.

General Description was that iexplore.exe was placed in c:\winnt\system32.

Five registry keys were found:

HKEY_LOCAL_MACHINE....Windows\CurrentVersion\Run\Default Web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\RunServices\Default web browser "C:\winnt\system32\iexplore.exe"
HKEY_LOCAL_MACHINE....WindowsNT\CurrentVersion\Winlogon\Shell "explorer.exe iexplore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run "iexpIore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load "iexpIore.exe"

Thanks to everyone who responded.

Web Page for Mini Oblivion http://www.sinred.com/trojans/minioblivion.shtml (Not written by me)
Does anyone have information on an IRC Trojan with the following characteristics. Opens IRC channels on 6667 and connects to some IRC channel on 6668. It sets a registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser = "c:\winnt\system32\iexplore.exe"

And changes the shell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell

changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"

I found a 9 KB file named iexplore.exe in c:\winnt\system32 and also found the iexplore.exe process running.
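An added example, not part of the original post and not from its author: a Python triage pass over exported autorun entries that flags the two patterns the message reports, a Winlogon Shell value carrying anything besides Explorer.exe and an iexplore.exe autorun (including the look-alike spelling in the HKCU values) outside the Internet Explorer directory. The entry list is constructed from the values quoted above; the function names, the look-alike folding and the default install path are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: (key, value name, data) modeled on the values quoted in the post.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Default Web browser", r'"C:\winnt\system32\iexplore.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe iexplore.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "Load", "iexpIore.exe"),
    # Constructed benign entries for contrast.
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Browser", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

# Assumption: default Internet Explorer install directory.
LEGIT_IE_DIR = r"c:\program files\internet explorer"
CONFUSABLE = str.maketrans("iI1|", "llll")

def skeleton(name):
    """Fold characters easily mistaken for 'l' so look-alike file names compare equal."""
    return name.translate(CONFUSABLE).lower()

def exe_path(data):
    """Return the executable part of a command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", data)
    return m.group(1) if m else data

def audit(entries):
    """Return (key, name, reason) for entries matching the patterns in the post."""
    findings = []
    for key, name, data in entries:
        k = key.lower().replace(" ", "")  # tolerate "WindowsNT" / "Windows NT"
        if k.endswith("\\winlogon") and name.lower() == "shell":
            # Baseline per the post: the Shell value is just "Explorer.exe".
            extra = [t for t in data.split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append((key, name, "shell also launches: " + " ".join(extra)))
            continue
        autorun = k.endswith(("\\currentversion\\run", "\\currentversion\\runservices")) or (
            k.endswith("\\currentversion\\windows") and name.lower() in ("run", "load"))
        folder, base = ntpath.split(exe_path(data))
        if autorun and skeleton(base) == skeleton("iexplore.exe") and folder.lower() != LEGIT_IE_DIR:
            findings.append((key, name, "iexplore.exe look-alike outside IE directory: " + data))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```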