Many thanks for this useful information.
These new types of Trojans are known as Trojan.Riler.F, Win32.Fantador.E, etc.
Names available have been updated to the PowerPoint FAQ,
http://blogs.securiteam.com/?p=508
The following description, including information about the proxy-like feature, is worth checking too:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FRILER%2EB&VSect=T
- Juha-Matti
Mike Healan <mike (at) spywareinfo (dot) com [email concealed]> wrote:
>
> > Is this 'mechanism' very common and is it difficult to detect by AV?
>
> No, but you have to be damned careful removing something installed as an
> LSP. I've seen literally hundreds of PCs with their network stack
> buggered because the owner tried to remove NewDotNet. NewDotNet inserts
> itself as an LSP.
>
> Regards,
> Mike Healan
> www.spywareinfo.com
>
> Juha-Matti Laurio wrote:
> > It appears that there is a new type of PowerPoint 0-day Trojan spreading,
> > more details at this write-up:
> > http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99
> >
> > What the technical details section says is:
> > "Installs the file SNootern.dll as a layered service provider (LSP)"
> >
> > Wikipedia has only a stub-type article:
> > http://en.wikipedia.org/wiki/Layered_Service_Provider
> >
> > Is this 'mechanism' very common and is it difficult to detect by AV?
> >
> > This new Trojan, named Riler.F, opens a back door and tries to
> > connect to 8800.org; the earlier Bifrose Trojan uses (or used) this
> > domain too.
> >
> > There is a new C variant of Trojan.PPDropper as well, but no information
> > about the file name of PowerPoint attachment etc.
> > Symantec reports the Infection Length as 220,160 bytes, the same as
> > used by Trojan.PPDropper.B.
> > This size information is from another vendor's Trojan description,
> > however.
> >
> > This summary has been added to the related PowerPoint 0-day FAQ document.
> >
> > Regards,
> > Juha-Matti
> > http://blogs.securiteam.com/index.php/archives/author/juha-matti/
>
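Since the thread asks whether an LSP is hard to detect, here is an added example (not from any poster in this thread) of a defender-side audit of the Winsock LSP catalog on a Windows host: it parses `netsh winsock show catalog`, checks each provider DLL's Authenticode signature, and flags anything outside an assumed list of stock Windows providers. The `$expectedProviders` list is an assumption for a plain Windows install; legitimate third-party LSPs (some AV and VPN products) will also show up and need to be whitelisted.

```powershell
# Added example, not code from the original thread. Run from an elevated
# PowerShell prompt. Assumed list of stock Windows Winsock provider DLLs;
# extend it for legitimate third-party LSPs present on your systems.
$expectedProviders = @('mswsock.dll', 'rsvpsp.dll', 'winrnr.dll', 'wshtcpip.dll',
                       'wship6.dll', 'nlaapi.dll', 'napinsp.dll', 'pnrpnsp.dll')

function Get-WinsockProviderPaths {
    # Pull every "Provider Path:" line out of the catalog dump and expand
    # variables such as %SystemRoot% so the file can be inspected.
    $catalog = netsh winsock show catalog
    $paths = foreach ($line in $catalog) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    }
    $paths | Sort-Object -Unique
}

function Test-WinsockCatalog {
    param([string[]]$Expected = $expectedProviders)
    foreach ($path in Get-WinsockProviderPaths) {
        $name = [IO.Path]::GetFileName($path).ToLowerInvariant()
        $unexpected = ($Expected -notcontains $name)
        # An unsigned, missing, or non-whitelisted DLL in the catalog is the
        # kind of entry an LSP-installing Trojan (e.g. SNootern.dll above) leaves.
        $sig = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Provider   = $path
            SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = $unexpected -or (-not $sig) -or ($sig.Status -ne 'Valid')
        }
    }
}

Test-WinsockCatalog | Format-Table -AutoSize
# Do not delete catalog entries by hand (see Mike's warning above); if a
# removal has already broken the stack, "netsh winsock reset" followed by a
# reboot rebuilds the catalog from the stock providers.
```

Review flagged rows against the vendor write-ups before acting; an entry marked Suspicious only means it is outside the assumed whitelist or its signature did not validate.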