-Caveat Lector-
http://www.simplysup.com/tremover/details.html
Target Platforms
Trojan Remover has been written for Windows 95/98/NT/Millennium/XP. It has been successfully used by Windows 2000 users, although this platform has not been officially tested.
Description
Trojan Remover was written to aid in the removal of Trojan Horses when standard anti-virus software has either failed to detect the Trojan Horse or is unable to effectively eliminate it.
The majority of Virus and Trojan Scanners are well able to detect malicious Trojan Horses but are not always very efficient in removing them once they have been triggered. Trojan Remover was written specifically to carry out such a removal without the user having to manually edit system files, including the Registry. The program also removes the additional system modifications some Trojans carry out which are ignored by other Virus and Trojan Scanners.
>>>More @ the site<<<
------- Start of forwarded message -------
From: [EMAIL PROTECTED]
To: "VirusEye Subscriber" <[EMAIL PROTECTED]>
Subject: Fwd: WARNING: Computer hackers mass-mailing trojans
Date: 11/12/02 3:44:08 PM
12 Nov 2002
*Computer hackers mass-mailing trojans*
MessageLabs is currently intercepting hackers who are mass-mailing trojans to unsuspecting users. The spread of this new threat suggests that infected machines could potentially be used in some kind of large-scale coordinated Internet hacking activity.
The details of the trojan are as follows:
Trojan name: Maz
Aliases: W32/Maz.A, Downloader-BO
Number of copies seen so far: 280
Time & Date first Captured: 10 Nov 2002, 14:58 GMT
Origin of first intercepted copy: UK
Number of countries seen active: 32
Top five most active countries:
United States 60.7%
Canada 9.3%
Korea (South) 5.0%
Great Britain 3.2%
Mexico 2.1%
*Technical Details*
The Maz trojan connects to a URL, which has since been closed down, to register the location of the machine which has been compromised. It then proceeds to download a further component. Currently, this additional component is a backdoor Trojan (Backdoor-AML), but this may readily change if the website is updated or changed.
Amongst other things, Backdoor-AML allows the remote hacker to use the compromised machine as an SMTP relay using TCP port 4668, from which further attacks may be launched.
By analysing the pattern of IP addresses from which MessageLabs have intercepted this Trojan to date, it is likely that the hacker is compromising PCs and then using these machines to send more copies of the Trojan. It is possible that the hacker may also be using open-relay mail servers.
It appears that the hacker, or group of hackers, is trying to amass a virtual army of trojans to perform some kind of coordinated hacking activity in the future.
*Behaviour*
In the copies of e-mails that we have stopped, the mail created seems to have been generated from a poorly configured Ratware mailer. It seems as though the replaceable parameters have not been replaced. For example:
Subject: mail (space) (space)
Text:
(space) Hello! (space) check (space) out (space) (space),
the best (space) FREE (space) site!
(space)
Message ID: (variable number) (space) MessageNumber: (variable number) (space)
Attachment: masteraz.exe
The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to automatically execute the attachment on un-patched systems.
In copies that we have intercepted, it appears to have a website download component, and contains several encoded URLs XORed with 0x4D, for example:
(link to website removed)/country/get.pl
(link to website removed)/counter.c
NB: counter.c is actually a backdoor program, which it downloads.
*Comment*
Skeptic™ detected this trojan heuristically. No MessageLabs customers were affected.
This email was sent to you because you subscribe to MessageLabs' Virus Alert service. You can cancel your subscription on the MessageLabs website at
http://www.messagelabs.com/AlertUnsubscribe
MessageLabs is a leading provider of Internet-level managed email security services.
Through its SkyScan portfolio of services, MessageLabs customers are protected from
email-borne threats such as viruses, unsolicited mail and pornographic material, before
such content comes anywhere near their network boundaries.
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan
service. For more information on a proactive anti-virus service working
around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________
-------- End of forwarded message --------
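A defensive triage script for the indicators the forwarded alert describes, added here as an example; it is not MessageLabs' tooling and nothing in it comes from the Maz sample itself. Everything it runs on is constructed inline: the mail and the attachment blob are built in the script, example.invalid stands in for the links the alert removed, and the audio/x-wav content-type is used as an instance of the MIME content-type mismatch that MS01-020 concerns. It flags an executable attachment declared under a non-application content-type, flags unfilled Ratware template gaps (runs of spaces), and recovers URLs XORed with 0x4D from the attachment bytes; find_xor_urls takes the key as a parameter, so it also serves for other single-byte keys.

```python
import base64
import email
import re
from email import policy
from typing import List

XOR_KEY = 0x4D  # single-byte key named in the MessageLabs alert
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def xor_bytes(data: bytes, key: int) -> bytes:
    # Single-byte XOR is its own inverse, so this both encodes and decodes.
    return bytes(b ^ key for b in data)


# Constructed test blob (not the real sample): two placeholder URLs XORed with
# 0x4D inside junk bytes. Each encoded URL is followed by 0x4D, which decodes
# to NUL and so terminates the string for the decoder below.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + xor_bytes(b"http://example.invalid/country/get.pl", XOR_KEY) + b"\x4d\x4d"
    + xor_bytes(b"http://example.invalid/counter.c", XOR_KEY) + b"\x4d"
)

# Constructed mail in the shape the alert describes: unfilled template gaps
# (double spaces) and an .exe declared under a non-executable content-type.
# The attachment body is SAMPLE_BLOB, base64-encoded.
SAMPLE_EMAIL = (
    "Subject: mail  \r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    " Hello!  check  out  ,\r\n"
    "the best  FREE  site!\r\n"
    "\r\n--b1\r\n"
    'Content-Type: audio/x-wav; name="masteraz.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="masteraz.exe"\r\n'
    "\r\n"
    + base64.b64encode(SAMPLE_BLOB).decode("ascii") + "\r\n"
    "--b1--\r\n"
)


def find_xor_urls(blob: bytes, key: int = XOR_KEY) -> List[str]:
    """Recover http:// strings hidden under a single-byte XOR key.

    The marker 'http://' is XORed with the key and searched for as-is, so the
    blob is never decoded wholesale; each hit is decoded forward until a byte
    stops decoding to printable, non-space ASCII.
    """
    marker = xor_bytes(b"http://", key)
    found: List[str] = []
    start = 0
    while True:
        idx = blob.find(marker, start)
        if idx < 0:
            break
        decoded = bytearray()
        for b in blob[idx:]:
            c = b ^ key
            if 0x21 <= c <= 0x7E:
                decoded.append(c)
            else:
                break
        found.append(decoded.decode("ascii"))
        start = idx + len(marker)
    return found


def triage_message(raw: str) -> dict:
    """Collect the alert's indicators from one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"executable_attachments": [], "mime_type_mismatch": [],
                "placeholder_gaps": False, "decoded_urls": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(EXECUTABLE_EXT):
            continue
        findings["executable_attachments"].append(name)
        ctype = part.get_content_type()
        # Executable payload under a non-application type: the MIME-header
        # mismatch class that MS01-020 concerns.
        if not ctype.startswith("application/"):
            findings["mime_type_mismatch"].append((name, ctype))
        payload = part.get_payload(decode=True) or b""
        findings["decoded_urls"].extend(find_xor_urls(payload))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Ratware tell: two or more spaces where a template variable was never filled in.
    findings["placeholder_gaps"] = re.search(r" {2,}", text) is not None
    return findings


if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL))
```

On a mail gateway the useful output is the combination: an executable name under an audio/* or similar content-type is worth quarantining on its own, while the decoded URLs give the download and registration hosts to block and to search for in proxy logs.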
From
~~~~~~~~~~~~~~~
A<>E<>R
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Forwarded as information only; I don't believe everything I read or send
(but that doesn't stop me from considering it; obviously SOMEBODY thinks it's
important)
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
In accordance with Title 17 U.S.C. section 107, this material is distributed without charge or profit to those who have expressed a prior interest in receiving this type of information for non-profit research and educational purposes only.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Always do sober what you said you'd do drunk. That will teach you to keep your mouth
shut."
--- Ernest Hemingway
http://www.ctrl.org/
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance, not soap-boxing, please! These are
sordid matters and 'conspiracy theory', with its many half-truths, misdirections
and outright frauds, is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRL gives no endorsement to the validity of posts, and
always suggests to readers: be wary of what you read. CTRL gives no
credence to Holocaust denial and Nazis need not apply.
Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html
http://archive.jab.org/ctrl@;listserv.aol.com/
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om