
Spyware/trojan - everyone read this!

Status
Not open for further replies.

june1980

MIS
Jun 16, 2003
93
US
Please make note. I'm not trying to sell anything. I, as a sys admin, am trying to give my fellow techs who have helped me so much a heads up! Read this and be aware that someone is marketing a trojan horse that spreads via e-mail! Read up!


I downloaded the demo and found a way to block it, but not uninstall it. It uses standard file extensions: .exe, .pif, .scr.
 
Have you run the standard spyware sniffers against it?
(i.e. SpyBot, AdAware, SpywareBlaster, etc.)
Just curious as to whether or not they pick it up...let alone remove it.
 
Ad-Aware didn't see it, but that's the only one I tried. It doesn't broadcast like MSBlaster, so I don't think I would notice anything with the sniffer, but I'll give it a shot and report if I see anything.
 
Howdy:

Enable or install your firewall. Nothing goes out unless you expressly permit it. I can't think of a single corporate network that wouldn't have a good firewall installed and updated.

Private folks are another matter, but, thanks to MSBlaster, most of those have enabled firewalls as well.

Murray
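The "nothing goes out unless you expressly permit it" policy above, as an added example that is not part of the original post: a PowerShell script that switches Windows Firewall to default-deny outbound and creates one allow rule per trusted program, keyed by the program's path rather than its name. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (the NetSecurity cmdlets), and the program paths in the allow list are assumptions to be adjusted for the machine.

```powershell
# Added example (not from the thread): default-deny outbound egress on the
# Windows Firewall with an explicit per-program allow list. Needs an elevated
# PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).
#Requires -RunAsAdministrator

# Programs that are allowed to talk out. The paths are assumptions; adjust
# them for your build. Anything not listed is blocked by the default action.
$allowed = @(
    @{ Name = 'Internet Explorer'; Path = "$env:ProgramFiles\Internet Explorer\iexplore.exe" },
    @{ Name = 'Mail client';       Path = "$env:ProgramFiles\Outlook Express\msimn.exe" }
)

# 1. Flip every profile to block inbound AND outbound traffic by default.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. One outbound allow rule per program. The rule is bound to the image path,
#    so a second binary that merely calls itself "Windows" or borrows an icon
#    does not inherit the permission.
foreach ($app in $allowed) {
    $ruleName = "Egress allow: $($app.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Program $app.Path -Action Allow -Profile Any | Out-Null
    }
}

# 3. Audit: list every enabled outbound allow rule with the program it covers,
#    so a rule added behind your back (or one that covers "Any" program)
#    stands out when you re-run this later.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $filter.Program }
    } |
    Sort-Object Program | Format-Table -AutoSize
```

One caveat on the audit step: Windows ships built-in outbound rules for its own services (DNS, DHCP and similar run under svchost.exe), and anything that runs inside, or is launched by, an already permitted process inherits that process's rule. A per-program allow list narrows the paths out of the box; it does not by itself defeat malware that rides on a trusted process, which is exactly what the vendor FAQ quoted later in this thread hints at.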
 
Seems to me like that is in contradiction with issues such as the Data Protection Act or the Computer Misuse Act???
 
Murray has a good point. I was intrigued by one of their FAQs, however (from
"Q: What about FIREWALLS, such as ZoneAlarm? If the remote PC uses a Firewall, what happens?

A: Currently, Lover Spy is designed to try to evade CERTAIN kinds of Firewalls.

When Lover Spy detects certain firewalls (we can't say which ones), Lover Spy will try to trick the firewall software into thinking that it is Windows itself trying to access the internet.

These features make Lover Spy work with most computers that use a Firewall, because the software will actually trick the user into thinking it is Windows itself trying to access the internet!

Stay tuned for a future version of the software that will be fully anti-firewall."

Of course, I can't speak to the veracity of such statements, but...
 
Carr:

I saw that also and it got me wondering. If I have my firewall set up already and IE was already given permission, it would make me mighty suspicious if it started asking for permission to connect all of a sudden!!

Murray
 
Murray,
Right. My first thought when I read that Q&A was that it sounded awfully evasive and smelled a lot like BS ("Stay tuned for... fully anti-firewall...").
This is so clearly a fast-buck, take-the-money-and-run scheme, I'd be surprised if it holds up to half of its boasts, let alone this.

june1980,
Since you've already installed the demo (and, since I'm not about to...), do you find anything in the registry if you search for the obvious terms?
 
Be careful: just "enabling firewalls" isn't enough in some cases.

I spent 3 hours on Saturday evening sorting out my sister's laptop: 15 viruses, 102 items from Ad-Aware (of which 11 were dodgy malware software packages), in preparation for her return to University in a few weeks' time.
The machine had the XP Home firewall enabled on both the dial-up and Ethernet connections, but it won't prevent these from connecting out.
The fact that her antivirus definitions were 6 months out of date didn't help, of course.

The laptop is now in a usable state and quite a lot faster than it was.

John
 
I can't confirm this, but I'm willing to bet that XP's firewall won't stop it; otherwise it wouldn't work on half the computers out there right now.
 
It doesn't run as a service, it's not placed anywhere I could find in the registry, it's not in the Startup folder, and it doesn't run as a process (or it's nicely tucked away). However, for whatever reason, netstat -a shows that ports 80 and 81 are open on the test computer. Both are set as listening.

XP's firewall can't touch it, but I imagine a patch will come out if it gets bad enough. Maybe that new security vulnerability?
 
Of course it is. Linux would NEVER let that happen (with proper security). I wonder: if the user who receives this has only user rights (can't install software), would this work?

iSeriesCodePoet
iSeries Programmer/Lawson Software Administrator
See my progress to converting to linux.
 
Can anyone tell me if there is a way of finding out if this software is already on my computer?
 
June1980

Out of curiosity, if you still have the machine with it installed, what if you go to IE and go to or :81

Does it come up as a standard web page showing details of your PC? This is probably the broadcast mechanism for the data.

John
 
FWIW, today I received some spam advertising this software.
 
jrbarnett, I formatted that system a while back. It used its own client; IE wouldn't bring it up.

kenny24, check your registry. I forget the file name, but it looks like something that should be there: load="username". YOU HAVE TO KNOW WHAT YOU'RE LOOKING FOR! Don't delete anything out of the registry that might be needed!!!
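The two manual checks described in this thread (june1980's netstat observation of ports 80 and 81 in LISTENING state, and the registry load="..." value in the post above), as an added example that is not part of any poster's reply: a PowerShell sweep that maps every listening TCP port to the process and image path that owns it, then dumps the logon-time registry launch points and the Startup folders. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 or newer (for Get-NetTCPConnection and the List constructor) and an elevated prompt so every process path is readable. The list of expected ports is an assumption for illustration; the registry locations are the standard ones (the HKCU ...\Windows "Load" and "Run" values are where Windows NT keeps win.ini's load= and run= lines, and the default Winlogon Shell/Userinit values are the stock Windows settings).

```powershell
# Added example (not from the thread): manual sweep for a hidden listener and
# for logon-time launch points that don't show up as a service, a process you
# recognise, or a Startup-folder shortcut. Run elevated on Windows 8+/PS 5.1+.

# Listening ports you expect on this machine (assumption; edit for your host).
$expectedPorts = @(135, 445, 3389)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Listening TCP sockets, mapped to the owning PID and its image path. The
#    symptom reported in the thread was ports 80/81 LISTENING with no obvious
#    service; this shows which binary actually holds each socket.
Get-NetTCPConnection -State Listen | ForEach-Object {
    if ($expectedPorts -notcontains $_.LocalPort) {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Check = 'Listening port'
            Where = "$($_.LocalAddress):$($_.LocalPort)"
            Value = "PID $($_.OwningProcess) $($proc.ProcessName) $($proc.Path)"
        })
    }
}

# 2. Registry values Windows launches at logon. "Load"/"Run" under ...\Windows
#    are the registry homes of win.ini's load= and run= lines (the load="..."
#    value mentioned above); Winlogon's Shell/Userinit run before the desktop.
#    For the Run keys, every value name is reported.
$autostart = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Names = @('Load', 'Run') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Shell', 'Userinit') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Names = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';        Names = $null }
)
# Stock values that are NOT worth reporting (anything else is).
$expectedValues = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }

foreach ($loc in $autostart) {
    $props = Get-ItemProperty -Path $loc.Key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $names = if ($loc.Names) { $loc.Names } else {
        # Drop the PS* provider properties so only real value names remain.
        $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    }
    foreach ($n in $names) {
        $v = $props.$n
        if ([string]::IsNullOrWhiteSpace($v)) { continue }
        if ($expectedValues.ContainsKey($n) -and ($v -ieq $expectedValues[$n])) { continue }
        $findings.Add([pscustomobject]@{ Check = 'Autostart value'; Where = "$($loc.Key)\$n"; Value = $v })
    }
}

# 3. Per-user and all-users Startup folders, for completeness.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Check = 'Startup folder'; Where = $dir; Value = $_.Name })
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Read the output as a list of things to explain, not a verdict: a listener owned by an unfamiliar image path, or a Load/Run/Shell/Userinit value pointing somewhere other than the stock binaries, is what you then investigate by hand, as the post above warns, before touching anything in the registry. A program that hides its own process or registry keys from the live system (rootkit-style) will not appear here; the stronger check is to inspect the disk and registry hives from a clean boot medium.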
 
First of all, does this program really exist? Second, if it does, is there a manual way to detect whether one's computer has been infected? I've run Ad-Aware and Spybot on my machine, not to mention I have antivirus and firewall systems going too.

If there is no way to detect it, is there some way to block the transmissions so they don't reach its source?

Thank you!
 
Yes it does exist. I found it on my machine. Thanks for all the help guys. I wiped my machine and started again
 
I'm not sure which port number it runs on, but if your firewall is up, then it should block it unless it runs on one of the common port numbers, i.e. 20, 21, 25, 80, 81, 115.
 