Security Incidents mailing list archives
Millennium Trojan
From: "Howard, Aaron" <ahoward () NOERRORS COM>
Date: Tue, 5 Dec 2000 20:19:18 -0500
I just caught a consultant we had hired using mIRC on our dime and later discovered his computer was infected with a program purporting to be the Millennium Trojan. I think, however, that this may be a new variant as the latest virus-defs from Norton (11/27/00) don't recognize it as a virus or trojan.

I have analyzed it quite fully and would be willing to share my travails with interested parties. It was originally written with Delphi and I have recreated most of the source code. Also, if anyone else has come across this, I'd be interested in knowing what you have found.

For the rest of you, beware of machines trying to connect to Internet IP addresses on port 6667 for no obvious reason and look out for any file named kernel32.vxc hidden away in the c:\windows\system directory.

This program is a key logger and then some...like NetBus and Back Orifice. But it appears as though it connects to IRC servers and accepts commands as an IRC bot. I believe it will only run properly on Win9x boxen, not NT/2000.

-Aaron

--
Aaron Howard, RHCE, CCNA, CNE, MCSE
ahoward () noerrors com, aphoward () gcfn org
PGP key available via key servers
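The two indicators named in the post (outbound connections to port 6667 and a file named kernel32.vxc in c:\windows\system) can be turned into a check over connection records and a file listing. This is an added example, not part of the original message; the "src dst dport" log format, the 10.0.0.0/8 internal range and all sample data are constructed assumptions.

```python
import ipaddress
import ntpath

IRC_PORT = 6667                      # port named in the post
SUSPECT_FILE = "kernel32.vxc"        # file name named in the post
SUSPECT_DIR = r"c:\windows\system"   # directory named in the post

# Constructed sample data; one "src dst dport" record per line (assumed format).
SAMPLE_CONNS = """\
10.1.4.22 192.0.2.15 6667
10.1.4.22 10.1.0.5 6667
10.1.7.9 198.51.100.7 80
garbage line
10.1.7.31 203.0.113.44 6667
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
    r"C:\WINDOWS\SYSTEM\Kernel32.vxc",
    r"C:\TEMP\kernel32.vxc",
]

def outbound_irc(log_text, internal=("10.0.0.0/8",)):
    """Map each internal host to the external addresses it contacted on port 6667."""
    nets = [ipaddress.ip_network(n) for n in internal]
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts[:2])
            dport = int(parts[2])
        except (ValueError, IndexError):
            continue  # skip malformed records
        src_in = any(src in n for n in nets)
        dst_in = any(dst in n for n in nets)
        # Internal-to-internal IRC (e.g. a sanctioned server) is not flagged.
        if dport == IRC_PORT and src_in and not dst_in:
            hits.setdefault(str(src), set()).add(str(dst))
    return {host: sorted(dsts) for host, dsts in hits.items()}

def suspect_files(paths):
    """Return paths matching the post's file name and directory (case-insensitive)."""
    return [p for p in paths
            if ntpath.basename(p).lower() == SUSPECT_FILE
            and ntpath.normcase(ntpath.dirname(p)) == SUSPECT_DIR]
```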