Watch out for this insidious Trojan

Old 08-20-04, 01:23 AM
  #1  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: in Bush territory!
Posts: 11,613
http://news.yahoo.com/news?tmpl=stor...9/tc_zd/133763

Attack Pierces Fully Patched XP Machines

Thu Aug 19, 1:42 PM ET

Dennis Fisher - eWEEK

Security researchers have identified a new version of the Download.Ject attack that is now being used on the Internet and can compromise fully patched Windows XP (news - web sites) machines.

The new version of the attack just appeared Thursday afternoon, and while details are still sketchy, experts say its main purpose is to install a back door on compromised PCs. Users victimized by the attack receive an e-mail or an instant message containing a link directing them to a malicious Web page.

The page is being hosted by a number of different sites, all of which share common "whois" information and appear to be deliberately serving the page, according to Thor Larholm, senior security researcher at PivX Solutions LLC, based in Newport Beach, Calif. The Trojan also will change the start page of the infected PC.

Once a user clicks on the link, the Web server attempts to download the back door. Larholm said a PC running a fully patched copy of Windows XP and Internet Explorer 6 will be compromised by the new version of Download.Ject, as will machines running older versions of Windows and IE.

But machines running SP2 (Service Pack 2) for XP are not vulnerable to the new attack. Larholm added that the vulnerabilities exploited in this attack have been known for some time.

"It doesn't use any unknown flaws," he said. "But it's not as automated as it could be. I think it's still evolving. But this clearly has a financial motivation behind it."

The original version of the attack surfaced in late June, and experts said the servers being used to compromise client machines had themselves been compromised and pressed into service.

This time around, the attackers have been able to place their code on a variety of servers, apparently with the owners' knowledge. Some of the sites serving the malicious code are porn sites, and others are advertising servers, Larholm said.

The earlier version of Download.Ject was used to monitor outgoing Web traffic to capture passwords and user IDs for online banking sites and other sensitive data.
wabio is offline  
Old 08-20-04, 05:03 AM
  #2  
DVD Talk Godfather
 
Join Date: Apr 1999
Location: South Bay
Posts: 56,460
Shit! Norton caught this bitch on my machine the other day. I was looking at one of those "Daily Porn" pages and the "Virus detected" and "Virus deleted" alerts popped up when I hit one of the links. My Norton log says "Download.ject" was "Automatically Deleted". I hope that's accurate info.

I guess this bitch isn't just getting out by e-mail.

Last edited by Giantrobo; 08-20-04 at 05:05 AM.
Giantrobo is offline  
Old 08-20-04, 06:14 AM
  #3  
DVD Talk Gold Edition
 
Join Date: Jun 2004
Location: Houston, Tx.
Posts: 2,713
Re: Watch out for this insidious Trojan

Originally posted by wabio
http://news.yahoo.com/news?tmpl=stor...9/tc_zd/133763

Attack Pierces Fully Patched XP Machines

But machines running SP2 (Service Pack 2) for XP are not vulnerable to the new attack. Larholm added that the vulnerabilities exploited in this attack have been known for some time.

When it said "fully patched", I was assuming it meant even with SP2 installed. But if you have SP2 installed then you are "protected".

Here is an MS link to check for infection:
http://www.microsoft.com/security/in...load_ject.mspx
You must be using IE to use the link! It will not work in Firefox. Hold down the CTRL key when you hit OK to "agree" to the EULA to bypass the popup blocker.

Here is Symantec's view of the trojan:
http://tinyurl.com/26czh

Symantec's Removal Instructions:
"At this time, there is no removal required for the Trojan itself because it runs from a Web site. The detection indicates that it has been detected on the Web site and stopped. However, if the Trojan was successful in downloading Adware.VirtuMonde, it should be removed."

Another reason to use anything other than IE...
68ShelbyGT500KR is offline  
Old 08-21-04, 01:04 AM
  #4  
DVD Talk Hero
 
Join Date: Jul 2001
Location: Stick out your tongue!
Posts: 39,116
Well, glad I use Mozilla...
D.Pham4GLTE (>60GB) is offline  