Vulnerability Development mailing list archives

RE: The Cleaner reports WinPCap contains WinRAT trojan


From: "Brenna Primrose" <absolut_contagion () yahoo com>
Date: Sat, 16 Feb 2002 12:27:17 -0600

My first guess would be that one or more strings of code in WinPCap
are similar to those in a RAT.  I have seen this happen
before with both Panda Anti-Virus and Pest Patrol (anti-trojan
software).  In fact, Pest Patrol even reports that Cygwin (a Windows
UNIX bash shell emulator) contains several RATs.  As WinPCap is a
legitimate product, I would imagine that this is what is happening with
it.

Brenna


http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolut x psycho
ICQ - 1363187
Yahoo! - absolut_contagion


-----Original Message-----
From: dumbwabbit [mailto:dumbwabbit () yahoo com] 
Sent: Saturday, February 16, 2002 8:06 AM
To: vuln-dev () securityfocus com; focus-virus () securityfocus com;
security-basics () securityfocus com
Subject: The Cleaner reports WinPCap contains WinRAT trojan

Forgive the cross-posting, but I think this *may*
merit it.

WinPCap is a packet capture driver/architecture for
Windows platform, allowing Windows users to do such
things as run NMapNT, the NT port of Nmap.

Upon scanning a file archive on one of my pen testing
laptops, using the latest updated version of The
Cleaner (a trojan AV product from MooSoft), The
Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
beta, along with the Developer Pack of WinPCap are all
infected with or contain the WinRAT (aka Windows
Remote Administration Toolkit) client/server trojan. I
"tested" this further by re-downloading the WinPCap
files from the original website, located at:
http://netgroup-serv.polito.it/winpcap/install/default.htm
All files downloaded from this location scanned by The
Cleaner are reported as containing WinRAT.

I have sent copies of these files to MooSoft asking if
they can verify this, and I have emailed the authors
of WinPCap as well. That was 3 days ago.

McAfee VirusScan 4.51 and 6, both with latest DATs
(4186), do not find anything.
I do not have access currently to Norton or Trend or
another AV product.
I also cannot find any helpful information about the
WinRAT trojan online (MooSoft's description contains
absolutely NO information regarding this trojan other
than listing it - see
http://www.moosoft.com/winrat.php). 
I have not yet heard back from WinPCap authors, nor
MooSoft. Therefore, I would like to ask if anyone else
can verify or disprove this "finding".
