Another possible OGR trojan?

Russ

Lifer
Oct 9, 1999
Interesting handle. I wonder how many people will try to send him eMail at the loopback address?

Russ, NCNE
 

Sloth

Senior member
Oct 21, 1999
In Bovine's latest update to his .plan he mentions the trojan problem they have had lately. That is one of the addresses listed as being in a trojan.


S.
 

RC

Golden Member
Jun 23, 2000


<< [Oct 2000] An EXE worm was discovered that replicates using the same techniques as above, except it deploys a file named WININIT.EXE into the WINDOWS\SYSTEM directory, which is approximately 220kb in size. It is unknown whether this worm also includes backdoor remote-control logic, however its payload size and use of network socket APIs may allow this possibility. The DNETC.EXE and DNETC.INI are also deployed into the WINDOWS\SYSTEM directory, and the client is configured to run with the email addresses ogr@gala.net or mereel@gmx.de or mama@papa.net or gentleps@muohio.edu or postmaster@127.0.0.1 >>



Paragraph taken from d.net's trojan page

Thanks go to Sloth for pointing this out.
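
A defender's check for the indicators in the d.net paragraph quoted above, as an added example that is not part of the original thread or distributed.net's own tooling: it looks in a WINDOWS\SYSTEM directory for the three dropped files and for the listed email addresses in DNETC.INI. The 15% size tolerance, the finding labels and the sample INI layout are assumptions.

```python
import os, sys, tempfile

# Indicators copied from the distributed.net notice quoted above.
TROJAN_IDS = ("ogr@gala.net", "mereel@gmx.de", "mama@papa.net",
              "gentleps@muohio.edu", "postmaster@127.0.0.1")
DROPPED = ("wininit.exe", "dnetc.exe", "dnetc.ini")
WORM_SIZE = 220 * 1024  # "approximately 220kb"
SIZE_SLACK = 0.15       # assumption: tolerance for "approximately"

def scan_ini(path):
    """Flag a client config that credits work to one of the listed addresses."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read().lower()
    hits = [a for a in TROJAN_IDS if a in text]
    kind = "trojan-email" if hits else "config-in-system-dir"
    return [(kind, f"{path}: {', '.join(hits)}" if hits else path)]

def scan_system_dir(system_dir):
    """Return (indicator, detail) findings for one WINDOWS\\SYSTEM directory."""
    if not os.path.isdir(system_dir):
        return []
    findings = []
    # Windows names are case-insensitive: map lower-case name -> name on disk.
    present = {n.lower(): n for n in os.listdir(system_dir)}
    for name in DROPPED:
        if name not in present:
            continue
        path = os.path.join(system_dir, present[name])
        if name == "wininit.exe":
            size = os.path.getsize(path)
            near = abs(size - WORM_SIZE) <= WORM_SIZE * SIZE_SLACK
            findings.append(("worm-file", f"{path} ({size} bytes, size match: {near})"))
        elif name == "dnetc.exe":
            findings.append(("client-in-system-dir", path))
        else:
            findings.extend(scan_ini(path))
    return findings

def demo():
    """Constructed sample: a temporary directory holding the three dropped files."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "WININIT.EXE"), "wb") as fh:
            fh.write(b"\0" * WORM_SIZE)
        open(os.path.join(d, "DNETC.EXE"), "wb").close()
        with open(os.path.join(d, "DNETC.INI"), "w") as fh:
            fh.write("[parameters]\nid=Postmaster@127.0.0.1\n")  # constructed; layout assumed
        return scan_system_dir(d)

if __name__ == "__main__":
    for kind, detail in (scan_system_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(kind, detail)
```

A DNETC.EXE or DNETC.INI finding on its own only means the client is in that directory and needs review; the listed addresses and the WININIT.EXE file are the indicators the notice ties to the worm.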
 

MWalkden

Golden Member
Dec 7, 1999
This stuff really sucks, people. :| Are these trojans being submitted to AV companies? Do they only affect PCs not already running the client? How is it being transmitted? Can someone point me to more information?

I do this for a living and my customers have a right to know what risk is associated here. It may cost me some herd but that is a whole lot less important than my livelihood!
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
I believe these are being transmitted through file sharing on Windows computers. The Shields Up! page has everything you need to know (I think) to stop these viruses from getting in the door.
 

Moose

Member
Apr 8, 2000
Yes, we are submitting these to the AV companies. They check for the work apps (wininit.exe etc.) not for dnetc (if they do we correct them ASAP).

moose
 

mindless

Senior member
Oct 9, 1999
What happens if one of these trojans finds the key? Does it just get reissued at random, or does the contest end? If it ends, who receives the prize money?
 

MWalkden

Golden Member
Dec 7, 1999
1,082
0
0
Thanks for the info Moose and Ken_g6. I'm quite familiar with grc.com. Is there a list kept by DNET on worms/Trojans specifically targeting the client or proxy tools?

I can research the culprits myself at various AV sites but I would need to know the list. I'm only concerned with the method of entry each one uses. This will tell me if any of my customers/friends are at risk from this client. It would also allow me to provide a safeguard if needed and available.

Guys, this is truly important to me here. I have to know the ins and outs concerning this risk or I have to remove my clients due to the lack of knowledge concerning the issue. I don't have a choice here. Please give me all the help you can, I don't want to quit RC5! :(

Be assured I will be investigating diligently myself!!!!