Incidents
New PowerPoint Trojan installs itself as LSP Jul 18 2006 11:30PM
Juha-Matti Laurio (juha-matti laurio netti fi) (1 replies)
Re: New PowerPoint Trojan installs itself as LSP Jul 19 2006 06:48PM
killy (killfactory gmail com)
Do we know what port this backdoor is trying to connect through?

On 7/18/06, Juha-Matti Laurio <juha-matti.laurio (at) netti (dot) fi [email concealed]> wrote:
> It appears that there is a new type of PowerPoint 0-day Trojan spreading,
> more details at this write-up:
> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99
>
> What the technical details section says is:
> "Installs the file SNootern.dll as a layered service provider (LSP)"
>
> Wikipedia has only a stub-type article
> http://en.wikipedia.org/wiki/Layered_Service_Provider
>
> Is this 'mechanism' very common and is it difficult to detect by AV?
>
> This new Trojan, named Riler.F, opens a back door and tries to connect to 8800.org;
> the earlier Bifrose Trojan uses (or used) this domain too.
>
> There is a new C variant of Trojan.PPDropper as well, but no information about the file name of PowerPoint attachment etc.
> Symantec reports Infection Length as 220,160 bytes, same as used by Trojan.PPDropper.B.
> This size information is from Trojan description of another vendor, however.
>
> This summary has been updated to related PowerPoint 0-day FAQ document.
>
> Regards,
> Juha-Matti
> http://blogs.securiteam.com/index.php/archives/author/juha-matti/
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
> World renowned security experts reveal tomorrow's threats today. Free of
> vendor pitches, the Briefings are designed to be pragmatic regardless of your
> security environment. Featuring 36 hands-on training courses and 10 conference
> tracks, networking opportunities with over 2,500 delegates from 40+ nations.
>
> http://www.blackhat.com
> ------------------------------------------------------------------------------
>
>
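
On the LSP detection question raised in this thread, an added example (not part of either post and not vendor code): it parses a saved Winsock catalog dump and reports every provider DLL that is missing from a clean-host baseline. It assumes the text layout of `netsh winsock show catalog`; the sample dump, both GUIDs, the SNootern.dll path and the baseline set are constructed for illustration.

```python
import ntpath
import re

# Constructed sample in the layout of `netsh winsock show catalog` output.
# The SNootern.dll path and both provider GUIDs are made up for illustration.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example layer over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\SNootern.dll
Catalog Entry ID:                   1015

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
"""

# Assumption: provider DLLs recorded from a known-clean build of the same OS.
BASELINE = {"mswsock.dll"}

# "Label:   value" lines; the dashed rule has no colon and is skipped.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_catalog(text):
    """Split the dump into one dict per 'Winsock Catalog Provider Entry'."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            entries.append({})
        elif entries and (m := FIELD.match(line)):
            entries[-1][m.group(1)] = m.group(2)
    return entries

def unexpected_providers(entries, baseline=BASELINE):
    """Return entries whose provider DLL is not in the clean baseline."""
    return [e for e in entries
            if ntpath.basename(e.get("Provider Path", "")).lower() not in baseline]

if __name__ == "__main__":
    for e in unexpected_providers(parse_catalog(SAMPLE)):
        print(e.get("Catalog Entry ID"), e.get("Entry Type"), e.get("Provider Path"))
```

A hit is a lead, not a verdict: legitimate firewall, VPN and filtering products also register LSPs, so the baseline should come from a clean host with the same software set.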


Copyright 2010, SecurityFocus