TRLog
[Top] [All Lists]

[TRLog] Last update

Subject: [TRLog] Last update
From: n0ss@earthlink.net (Tom Hammond NØSS)
Date: Sun, 03 Dec 2000 12:14:18 -0600
Folks:

Tree wrote:
> >I sent out 6.56 about 36 hours ago - and some people have reported
> >it had a  v i r u s.
> >Tree

Then W6CT asked:

 >Was this a separate file that got attached to the message
 >in addition to the zip file, or is it actually embedded
 >in the zip file?

IN the ZIP file... see below.

Since I may have been to source of the virus (actually a TROJAN virus, 
TROJ_HYBRIS.B), I'll tell you what I've found so far...

I've found NUMEROUS instances of this virus on my machine...! See below.

To see IF you are CURRENTLY infected, do a whole-drive search for ANY files 
with a .EX$ file extension. If you DO find any instances of this file 
extension. LOOK IN THE SAME FOLDER to see if you find a similarly-named 
file, BUT with a .EXE file extension. If you do, the file with the .EXE 
file extension IS the trojan!!!  DO NOT EXECUTE IT!!!!!

DELETE the .EXE file and RENAME the .EX$ file to the same filename but with 
a .EXE extension. This will fix THAT problem, but ONLY in THAT folder. 
There may be more...!

ADDITIONALLY... if you find our than one instance of a file with a .EX$ 
extension, this probably indicates that your PC has been INFECTED, rather 
than just merely having received a single infected file.

Note that the trojan file will normally be 23,040 bytes in length, although 
I found one instance where it was clearly present and NOT of this length.

In the case of the TRLOG v6.56 file, it contained a file named TR.EX$ _and_ 
a file (23,040 bytes in length) named TR.EXE.

If you attempt to RUN the TR.EXE (trojan) file, you will have 'installed' 
the virus onto your PC.

Once run, the trojan sends itself to others, using the addresses you use 
when you send out your e-mails. It does NOT accesses your address book, 
rather it looks at the addresses actually in the messages being sent and 
uses them. The address of the 'sending' party will usually show as having 
come from "Hahaha" <Hahaha@sexyfun.net> and will contain an attachment 
named midgets.SCR or midgets.EXE, either of which, ONCE THEY ARE RUN, will 
infect the recipient's PC.

Once infected, not only will the trojan effect your normal .EXE files, but 
it will also infect .EXE files WITHIN ZIP FILES as well. Usually only one 
.EXE file in each ZIP file, but EACH and EVERY ZIP file will have to be 
checked to confirm the presence of a file with the .EX$ extension. Fixing 
these files is not all that difficult, but it time-consuming.

Another possible way you may detect presence of this virus is to monitor 
significant MODEM activity during times when you are connected, but not 
expecting to have any... for instance, while you're reading your mail, all 
of a sudden there's a flurry of modem activity and your not supposed to be 
SENDIND _or_ RECEIVING data. THis may be a clue that somethine else is 
going on that you're not aware of. Although this is NOT necessarily an 
indication of infection, it may be worth checking out anyway.

Finally, IF you have been infected, you WILL have to REMOVE and REPLACE 
your (infected) WSOCK32.DLL with a new one. ALL of the WSOCK32.DLL files 
I've found around here were about 40kB to 45kB in size, and my infected 
WSOCK32.DLL file was about 65kB in size, however at least one correspondent 
tells me that HIS WSOCK32.DLL file seems to NOT be infected, but IS around 
65kB in size. Although I'm still a bit skeptical of this report, you should 
be aware of the possibility of the possible difference in sizes 
of  UNinfected files.

For more info about this virus, I direct your attention to:

     http://www.datafellows.fi/v-descs/hybris.htm

and for other viruses, try:  htp://www.datafellows.fi/v-descs/

There are other very good sources as well, I just happen to like the info 
this group provides.

73 - Tom Hammond   N0SS


--
FAQ on WWW:               http://www.contesting.com/FAQ/trlog
Submissions:              trlog@contesting.com
Administrative requests:  trlog-REQUEST@contesting.com
Problems:                 owner-trlog@contesting.com
Feature Wishlist:         http://web.jzap.com/n6tr/trwish.html


<Prev in Thread] Current Thread [Next in Thread>