Trojan Program Thread

[Mike Peterson <slidefx () yahoo com>]

It looks like the mystery Trojan is Mini Oblivion by
the Rat Pack.  I have passed the iexplore.exe to
Symantec.

General Description was that
iexplore.exe was placed in c:\winnt\system32
Five registry keys were found
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\Run\Default
Web browser "C:\winnt\system32\iexplore.exe" 
HKEY_LOCAL_MACHINE....Windows\CurrentVersion\RunServices\Default
web browser "C:\winnt\system32\iexplore.exe" 
HKEY_LOCAL_MACHINE....WindowsNT\CurrentVersion\Winlogon\Shell
"explorer.exe iexplore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\Run "iexpIore.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\Load "iexpIore.exe"

Thanks for everyone who responded.

Web Page for Mini Oblivion
http://www.sinred.com/trojans/minioblivion.shtml
(Not written by me)

> Does anyone have information on a IRC Trojan with
> the
> following characteristics.
>
> Opens IRC channels on 6667 and connects to some IRC
> channel on 6668.
>
> It sets a registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default
> web browser  =  "c:\winnt\system32\iexplore.exe"
>
> And changes the shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shel
> l
> changes it from "Explorer.exe" to "Explorer.exe
> iexplore.exe"
>
> I found a 9 KB file named iexplore.exe in
> c:\winnt\system32 and also found the iexplore.exe
> process running.


__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com