HackfixNews: Sophos Anti-Virus IDE alert: Troj/Peido-A ~ Troj/Maz.C

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 21 Nov 2002 12:14:42 -0800



From: Sophos Alert System

Name: Troj/Peido-A
Aliases: Downloader-BO.dr
Type: Trojan
Date: 21 November 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
January 2003 (3.65) release of Sophos Anti-Virus.

Sophos has received several reports of this Trojan from the
wild. 

Note: Sophos Anti-Virus has been detecting Troj/Peido-A since
18:36 GMT on 19 November but has issued this new IDE to improve
detection.

More information about Troj/Peido-A can be found at
http://www.sophos.com/virusinfo/analyses/trojpeidoa.html

Download the IDE file from
http://www.sophos.com/downloads/ide/peido-a.ide

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------

From: MessageLabs' Virus Alert service

Trojan name: Troj/Maz.C
Aliases: Downloader-BO.dr
Number of copies seen so far: 5
Time & Date first Captured: 19 Nov 2002, 14:37 GMT
Origin of first intercepted copy: USA
Number of countries seen active: 2
Most active countries: USA, UK
 

Technical Details

The new Troj/Maz.C variant has been e-mailed to a number of users. From the
copies that we have seen, the message appears as follows: 

     From: MAILER-DAEMON@(recipient domain)
     Subject: FAILED DELIVERY

     Body:
      Unfortunately, it was not possible to deliver one or more of your
      messages. For more information, please, take a look in the 
      attachment. 

     Attachment: mail.hta 


Behaviour

In copies that we have intercepted the attachment displays an HTML advert,
but contains a Visual Basic script that drops a variant of the Downloader-BO
(a.k.a. Inor) component, which subsequently attempts to download and install
the Backdoor-AML (a.k.a. Jeem) component from a website, hosted at: 

     wind.prohosting.com/jimkre

The Backdoor-AML component opens three TCP ports, 6079, 5262 and 4668,
that may be used to access the compromised machine remotely.  Port 4668
may subsequently be used as an SMTP relay to further distribute the
e-mail component to other recipients.


Comment

It is recommended that customers ensure that they have configured
their firewall software to block any incoming TCP traffic on these ports.

Further details on the Troj/Maz.A and Troj/Maz.B trojans may be found on the
MessageLabs website at:

     http://www.messagelabs.com/viewNewsPR.asp?id=109&cmd=PR

~~~~
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Charter Member 
http://groups.yahoo.com/group/techsupportalliance/
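A defender-side check for the forged-bounce lure quoted in the MessageLabs alert above (MAILER-DAEMON sender at the recipient's own domain, subject FAILED DELIVERY, attachment mail.hta), written as an added example that is not part of the original post or of Sophos or MessageLabs tooling. The sample messages, domains and attachment body below are constructed placeholders; only the three indicators come from the alert.

```python
"""Added example, not part of the original post or of any vendor's tooling:
flag the forged-bounce lure the MessageLabs alert quotes. Samples are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

LURE_SUBJECT = "FAILED DELIVERY"   # subject quoted in the alert
LURE_ATTACHMENT_EXT = ".hta"       # the alert's attachment is mail.hta


def is_maz_lure(raw_message: str) -> bool:
    """True when the three quoted traits line up: MAILER-DAEMON sender forged at
    the recipient's own domain, the lure subject, and an .hta attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    r_domain = recipient.rpartition("@")[2]
    # A real DSN may come from MAILER-DAEMON too; the .hta payload is the separator.
    forged_bounce = s_local == "mailer-daemon" and s_domain == r_domain != ""
    subject_hit = str(msg.get("Subject", "")).strip().upper() == LURE_SUBJECT
    hta_attached = any((p.get_filename() or "").lower().endswith(LURE_ATTACHMENT_EXT)
                       for p in msg.iter_attachments())
    return forged_bounce and subject_hit and hta_attached


# Constructed lure in the shape the alert describes; the attachment body is a placeholder.
LURE = """\
From: MAILER-DAEMON@example.org
To: victim@example.org
Subject: FAILED DELIVERY
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unfortunately, it was not possible to deliver one or more of your messages.
--b1
Content-Type: application/hta; name="mail.hta"
Content-Disposition: attachment; filename="mail.hta"

placeholder, not the real attachment
--b1--
"""

# Constructed genuine bounce: same sender and subject, but no .hta attachment.
REAL_BOUNCE = """\
From: MAILER-DAEMON@example.org
To: victim@example.org
Subject: FAILED DELIVERY

The message could not be delivered to the following recipients.
"""
```

Pairing this mail-side check with the firewall rule the alert recommends for TCP 6079, 5262 and 4668 covers both the delivery and the backdoor stages described above.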