Computer Cops - Trojans and two variants of Linux/Slapper.

"Hurry up slowly." Suetonius(75-150); Roman historian.

- Weekly virus report - Oxygen3 24h-365d, by Panda Software

Madrid, September 29, 2002 -- This week's virus report looks at three Trojans and two variants of Linux/Slapper.

The first Trojan we will refer to today is Bck/RBackdoor, which, by default, opens communication port 4820 and assigns the password "redkod" to communications. When Bck/RBackdoor reaches a computer, it goes memory resident and waits for a Telnet connection -or a connection carried out with a similar program- to be established. Furthermore, Bck/Rbackdoor inserts an entry in the affected computer's Windows Registry in order to ensure it is run every time Windows is started up, and saves a file that contains the Trojan's code to the system.

The second Trojan is Trj/Nidra, which modifies the system configuration in order to activate every time a file with an EXE or TXT extension is run.

When Trj/Nidra activates, it creates a process in memory which might cause affected computers to slow down. Finally, it saves two copies of itself - NOTEPAD.EXE and WINNDOW386.EXE- to the Windows system directory.

Trj/Nidra modifies several Windows Registry entries and creates others in order to ensure it is run every time the system is started up. Once Trj/Nidra has carried out its actions, it displays a message on screen.

The last Trojan we will deal with today is Inwi (Trj/Inwi), which, like the previous one, makes changes in the system to ensure that it is run every time a file with an .EXE or .TXT extension is opened. This Trojan also creates several files in the computer, including copies of itself, in order to steal data from the affected computer and send it to a certain e-mail address. Finally, the Trojan changes the Internet Explorer settings, including the default URL.

We will finish today's report with two variants (B and C) of Linux/Slapper, which appeared at the beginning of this week. Like their predecessor, these two new worms use a known buffer overflow vulnerability in the OpenSSL component of Apache Web servers installed on certain Linux distributions (some versions of Mandrake, SuSe, Slackware, RedHat, Debian and Gentoo). However, they differ from Linux/Slapper in the UDP port number they use to carry out attacks on affected computers (Linux/Slapper.B uses port UPD 1978 and Linux/Slapper.C port UPD 4156), and the Linux distributions subject to infection.

(http://www.pandasoftware.com)


	Home · Topics · Submit News · Top 10 This entire site, Cops Themes, and Computer Cops are © 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright © 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 855 pages served in previous 5 minutes. Page Rendered: 0.253 seconds.