Security Incidents mailing list archives
Re: New Trojan
From: sean () a2 com au
Date: Sun, 26 Oct 2003 11:52:19 +1100
On 25/10/2003 06:18:01 PM Jay Castaldo wrote:>I don't know if this is a new trojan or anything, but I have tried doing some
>research on the Internet and couldn't find anything on it. Well it has two>registry entries in my Run, and RunOnce. Here is the name of both keys acbdhpd
>and the values are pointing to a file1129 I can not seem to find rundll32>C:\WINNT\system32:acbdhpd.dll,Init 1. I tried killing my explorer.exe to see >if that is reason I can't find it because I am most likely using a trojanized >explorer.exe, but I could only find a copy in my temp, I delete through DOS and >delete the registry entries to no success, the registry keys appear within 30 >seconds and the file pops right back up. Anybody seen this or can give me some
>help to get this out without reloading? It has also opened up two TCP, 3799, >and 41225 and two UDP ports, 1129, 1241. ThanksSounds like this <http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html> might be your problem. If you're using NTFS it adds itself as an ADS to \system32 and explorer.exe which is why you can't find the files.
You may be able to get rid of it by using a command like
rundll32 c:\winnt\system32:acbdhpd.dll,Uninstall
Cheers
Sean
"On two occasions, I have been asked [by members of Parliament], 'Pray, Mr.
Babbage, if you put into
the machine wrong figures, will the right answers come out?'I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871) --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- RE: New Trojan, (continued)
- RE: New Trojan Rob Shein (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Brian Eckman (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Russell Fulton (Oct 28)
- RE: New Trojan Rob Shein (Oct 28)
- RE: New Trojan Jerry Heidtke (Oct 25)
- RE: New Trojan John Ives (Oct 26)
- Re: New Trojan Grzegorz (Oct 25)
- Re: New Trojan Harlan Carvey (Oct 27)
- Re: New Trojan sean (Oct 25)
- Re: New Trojan Jay Castaldo (Oct 27)
- Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Chris Fussell (Oct 27)
- RE: New Trojan Tran, John (Oct 27)
- Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Matt Vaughan (Oct 28)
- Re: New Trojan Jay Castaldo (Oct 28)
- RE: New Trojan Thompson, Jason (Oct 28)
- RE: New Trojan David LeBlanc (Oct 28)
- RE: New Trojan James C. Slora, Jr. (Oct 31)