RE: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

[aleph1 () securityfocus com]

Folks,

  A final follow up on this issue. It appears the zip file extracted
by the FIX_NIMDA.exe trojan, FIX_NIMDA.zip, that when extracted creates
the folder FIX_NIMDA with four files (FIX_NIMDA.exe, readme.txt, SLIDE.DAT,
and slide.exe) is an older version of TrendMicro's tool and thus not
malicious. Interestingly, the extracted tool is version 1.22 but the
readme.txt file was from version 1.23.

  A few folks wrote to let us know they have found this zip file, as
opposed to the FIX_NIMDA.com executable distributed now by TrendMicro,
in a number of different web sites. These all appear to be earlier
version of TrendMicro's tool and not infected.

  All this being said do keep in mind that while the zip file that
gets extracted is not malicious the trojan does installed the BioNet
trojan, installed the KeyEye keystroke logger, and open up all your
drives via shares while its extracting the zip file.

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com