Security Incidents mailing list archives

Millennium Trojan


From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Tue, 5 Dec 2000 20:19:18 -0500

I just caught a consultant we had hired using mIRC on our dime and
later discovered his computer was infected with a program purporting to
be the Millennium Trojan.

I think, however, that this may be a new variant as the latest
virus-defs from Norton (11/27/00) don't recognize it as a virus or
trojan.

I have analyzed it quite fully and would be willing to share my
travails with interested parties.  It was originally written with
Delphi and I have recreated most of the source code.  Also, if anyone
else has come across this, I'd be interested in knowing what you have
found.

For the rest of you, beware of machines trying to connect to Internet
IP addresses on port 6667 for no obvious reason and look out for any
file named kernel32.vxc hidden away in the c:\windows\system directory.

This program is a key logger and then some...like NetBus and Back
Orifice.  But it appears as though it connects to IRC servers and
accepts commands as an IRC bot.

I believe it will only run properly on Win9x boxen, not NT/2000.

-Aaron

--
Aaron Howard, RHCE, CCNA, CNE, MCSE
ahoward () noerrors com, aphoward () gcfn org
PGP key available via key servers
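As an added illustration of the two indicators the post gives (unexplained outbound connections to port 6667 and a file named kernel32.vxc in c:\windows\system), not part of the original message: a small Python script that scans constructed firewall log lines for internal hosts reaching non-RFC1918 addresses on 6667 and checks a constructed directory listing for the dropped file. The log line format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (the format is an assumption, not from the post):
# "<time> ALLOW TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
20:01:02 ALLOW TCP 10.1.1.23:1034 -> 10.1.1.5:6667
20:01:05 ALLOW TCP 10.1.1.23:1035 -> 203.0.113.10:6667
20:01:09 ALLOW TCP 10.1.1.40:1101 -> 198.51.100.7:80
20:01:14 ALLOW TCP 10.1.1.23:1036 -> 203.0.113.10:6667
20:01:20 ALLOW TCP 10.1.1.77:1200 -> 192.0.2.44:6667
"""

LINE_RE = re.compile(
    r"^\S+ ALLOW TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IRC_PORT = 6667
DROPPED_FILE = r"c:\windows\system\kernel32.vxc"
# RFC 1918 ranges only; an internal IRC server on the LAN is not what the post warns about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_irc_talkers(log_text: str) -> dict[str, set[str]]:
    """Map each internal host to the Internet addresses it reached on port 6667."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != IRC_PORT or is_internal(m["dst"]):
            continue
        hits[m["src"]].add(m["dst"])
    return dict(hits)


def has_dropped_file(file_listing: list[str]) -> bool:
    """True if the listing holds the file the post names; FAT on Win9x is case-insensitive."""
    return any(path.lower() == DROPPED_FILE for path in file_listing)


if __name__ == "__main__":
    for host, servers in find_irc_talkers(SAMPLE_LOG).items():
        print(f"{host} reached port 6667 at {', '.join(sorted(servers))}")
    # Constructed listing of a suspect machine's system directory.
    listing = [r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", r"C:\WINDOWS\SYSTEM\kernel32.vxc"]
    print("kernel32.vxc present:", has_dropped_file(listing))
```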

