[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Detours and Trojans

To: Tiago Halm <thalm@xxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Detours and Trojans
From: eflorio <eflorio@xxxxxxxxxxx>
Date: Thu, 23 Feb 2006 10:11:48 +0100

It's not the first time that malwares are using detours techniques. 
In case your malware is "Trojan.Anserin"
(http://securityresponse.symantec.com/avcenter/venc/data/trojan.anserin.html)

It tries to hooks several APIs of the common browsers for keylogging/password 
stealing purposes (IEXPLORE, FIREFOX, MOZILLA, OPERA).
It tries to steal bank accounts and other confindential information.

Some variants try also to patch NSPR4.DLL (Netscape lib) altering
the following functions: PR_Connect(), PR_Read(), PR_Write(), PR_Close()

EF


----- Original Message -----
From: Tiago Halm
[mailto:thalm@xxxxxxxxxxx]
To: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Wed,
22 Feb 2006 22:47:40 +0100
Subject: [Full-disclosure] Detours and Trojans


> Detours is being used on trojans.
> Just got one *sighs* and detours was making sure the processes could not be
> killed.
> 
> the files were:
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
> (around 48k)
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll
> (around 48k)
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe -->
> this file was 2k
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll
> (around 48k)
> 
> current user "Run" was mapped to ibm00003.exe above.
> 
> Unfortunatelly I deleted the files (in case anyone was interested), because
> google did not show much info on this and I didn't know much more of what to
> do.
> did some strings on the files above and showed http posts (uploads) of some
> local files.
> sorry I don't have any more information. don't remember.
> 
> anyone saw this already?
> 
> Tiago Halm
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Next by Date: Re: [Full-disclosure] fun w/phishers?
Previous by thread: [Full-disclosure] Detours and Trojans
Next by thread: [Full-disclosure] ISC(2) Any news?
Index(es):
- Date
- Thread