5 June 2000

Hi All....

Today we received information from Zbigniew `Zeeball` Trzcionkowski, the programmer of "SAFE", that there are some new TCP trojans on the loose. Please read the text that Zbigniew wrote:

;---------------------------------------------------------------------
TCP:4097 remote shell and LIBS:rexxfifo.library size: 1136

If you have such then please:
- delete this fake library
- replace the fake LoadWB with the original one
- reboot

The fake LoadWB doesn't have a $VER string, but to confuse the user it has the size and parts of the file from the original LoadWB v38.9. The trojan is a fake LoadWB that decrypts and executes rexxfifo.library, which hides the original LoadWB; also a remote shell is opened - TCP:4097.

Installer: (faked YAM?)

Please wait until xvs.library is updated to remove this in an easy way.
;---------------------------------------------------------------------

;---------------------------------------------------------------------
TCP:2421 remote shell ...and maybe several infected files.

Yes. There is another link virus. The memory patch is detected as STD Vaginitis #1 and removed correctly by xvs.library. The infected files aren't. The virus is changed only a little bit and is almost the same as Fungus or Vaginitis. Even the static crypt key ($DEAD) is the same.

Installer: jizzer size: 15368
attacks C:mount as first (adds 700 bytes with virus)

Wait for xvs.library to be updated. To see infected files look into the Safe/VaginitisClone dir of this Safe release! I wasn't able to spread this virus to test files, so maybe this is only used to infect C:mount; after analysis of the disassembly I'll be able to say why.
;---------------------------------------------------------------------
;---------------------------------------------------------------------
TCP:2001 remote shell and fake process called `SetPatch` and LIBS:rexxfunc.library size: 1136 and L:wb.handler size: 4716

If you have such then please:
- delete the fake library and fake handler
- replace LoadWB with the original one
- reboot

The fake LoadWB looks like the original one, but it is fake.

Installer: `miamispoof` size: 8468 (The file is StoneCracked and then modified to prevent decrunching)
;---------------------------------------------------------------------

So to be sure please check your system for:

LIBS:rexxfunc.library size: 1136
LIBS:rexxfifo.library size: 1136
L:wb.handler size: 4716
C:mount (is bigger)

...and wait for the new xvs.library from Alex van Niel.

This text is public domain :-)
;---------------------------------------------------------------------

Thanx to Paul for sending the files and to Zbigniew for the text.

Regards....

Jan Andersen
Virus Help Denmark
www.vht-dk.dk
E-Mail..: vht-dk@post4.tele.dk
FidoNet.: 2:237/38.100
AmyNet..: 39:140/127.100
VirNet..: 9:451/247.0

... Did you know, that the newest version of Safe is v13.2 !!

-------------------------------------------------------
Archive has been checked and a .sig file has been added so you can verify there was no tampering with the file after it was placed on the server.
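A defender-side check for the file indicators listed above, added here as an example (it is not code from VHT-DK, SAFE or xvs.library). It assumes the SYS: volume is reachable as an ordinary directory with LIBS/, L/ and C/ subdirectories, compares the listed files against the sizes quoted in the advisory, and flags a LoadWB that carries no $VER string; C:mount is not checked because the genuine size is not given. The sample tree it scans is constructed in a temporary directory.

```python
import os
import tempfile

# Indicators quoted in the advisory: path under SYS: and the size of the fake file.
FAKE_FILE_SIZES = {
    "LIBS/rexxfunc.library": 1136,
    "LIBS/rexxfifo.library": 1136,
    "L/wb.handler": 4716,
}
# A genuine LoadWB carries an AmigaDOS "$VER:" version string; the fake one does not.
VER_TAG = b"$VER:"

def check_system(root):
    """Return findings for a directory tree standing in for SYS: (assumed layout)."""
    findings = []
    for rel, size in FAKE_FILE_SIZES.items():
        path = os.path.join(root, rel)
        if os.path.isfile(path) and os.path.getsize(path) == size:
            findings.append(f"{rel}: present with size {size} (matches advisory)")
    loadwb = os.path.join(root, "C", "LoadWB")
    if os.path.isfile(loadwb):
        with open(loadwb, "rb") as fh:
            if VER_TAG not in fh.read():
                findings.append("C/LoadWB: no $VER string (fake LoadWB indicator)")
    return findings

def build_sample(root, infected):
    """Construct a throwaway sample tree; with infected=True it carries the indicators."""
    for sub in ("LIBS", "L", "C"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    if infected:
        for rel, size in FAKE_FILE_SIZES.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"\0" * size)  # padding only, sized like the fake files
        loadwb_body = b"\0" * 64  # constructed "fake": no version string at all
    else:
        loadwb_body = b"\0" * 16 + b"$VER: LoadWB 38.9 (constructed sample)\0"
    with open(os.path.join(root, "C", "LoadWB"), "wb") as fh:
        fh.write(loadwb_body)

def demo(infected):
    """Build a sample tree in a temp dir and return what the check reports for it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, infected)
        return check_system(tmp)
```

On a real system, point check_system at the mounted SYS: directory instead of the constructed sample; a size match alone is a prompt to compare the file against a known-good copy, not proof of infection.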
MD5SUMS and Readme PGP signed by: Charlene
e-mail: ml-clm@mailandnews.com
md5sum: ftp.vapor.com/pub/3rdparty/

[Start md5sum checksum file]-----------------------
18af3d764f8a63b2e0346eb6d196f892 *file_id.diz
bbce085079cc449ecad49ffbe0183f91 *VHT-DK.txt
a860f09783e598e312ab37e184a63e99 *vht-dk89.txt
[End md5sum checksum file]-----------------------