Re: New Trojan????

[Nexus <nexus () PATROL I-WAY CO UK>]

A quick look at the exe gives a small clue as to what it does :
C:\CLI Tools>strings temp2.exe

Strings v2.03
Copyright (C) 1999-2000 Mark Russinovich
Systems Internals - http://www.sysinternals.com

s<@
WNDL
STATUS
WNDLISTDLG
HWICON
VS_VERSION_INFO
StringFileInfo
040904E4
CompanyName
Adrian Lopez
FileDescription
Hides/Reveals application windows
FileVersion
1.43
InternalName
HideWindow
LegalCopyright
Copyright
 1996 Adrian Lopez; All rights reserved.
OriginalFilename
hidewndw.exe
VarFileInfo
Translation

C:\CLI Tools>

Regards,
            JJ

----- Original Message -----
From: "Dave Woods" <dave () TECHWEAVERS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, October 31, 2000 7:28 PM
Subject: New Trojan????


> One of our computers here recently became infected with something I have
> never seen before.
>
> When the computer starts up (winME) it opens up 2 copies of the
> FreeExtractor prog that exctracts the following files:
> mirc.ini
> mirc2.ini
> mirc3.ini
> pri.ini
> 20139.txt
> gates.txt
> temp.exe
> temp2.exe
> whvlxd.dat
> temp.scr
>
> gates.txt contains a lot of ip's / domains in it that look to be possibly
> infected hosts that this "program" is creating as some of them are isp
> accounts ie port200.hs.ip.com
> temp.scr does not run (says not a valid win32 app)
>
> I have attached the files in a zip with a password of pass101
>
> If anyone has seen or knows what this is or how to remove it let me know.
>
> Sincerely,
> David Woods
> Techweavers Inc.
> dave () techweavers net
> www.techweavers.net
> Phone: (780)-423-3952
> Fax: (780)-432-3220

____________________________________________
http://1cis.com
Free E-mail Servers with unlimited mailboxes
1st Class Internet Solutions