Re: New Trojan

sean_at_a2.com.au
Date: 10/26/03

  • Next message: Rob Shein: "RE: New Trojan" 
    Date: Sun, 26 Oct 2003 11:52:19 +1100
To: Jay Castaldo <fupayme2003@hotmail.com>

    On 25/10/2003 06:18:01 PM Jay Castaldo wrote:

    >I don't know if this is a new trojan or anything, but I have tried doing
    some
    >research on the Internet and couldn't find anything on it. Well it has two
    >registry entries in my Run, and RunOnce. Here is the name of both keys
    acbdhpd
    >and the values are pointing to a file1129 I can not seem to find rundll32
    >C:\WINNT\system32:acbdhpd.dll,Init 1. I tried killing my explorer.exe to
    see
    >if that is reason I can't find it because I am most likely using a
    trojanized
    >explorer.exe, but I could only find a copy in my temp, I delete through
    DOS and
    >delete the registry entries to no success, the registry keys appear
    within 30
    >seconds and the file pops right back up. Anybody seen this or can give
    me some
    >help to get this out without reloading? It has also opened up two TCP, 3799,
    >and 41225 and two UDP ports, 1129, 1241. Thanks

    Sounds like this
    <http://www.sophos.com/virusinfo/analyses/trojcoreflooc.html> might be your
    problem.
    If you're using NTFS it adds itself as an ADS to \system32 and explorer.exe
    which is why you can't find the files.

    You may be able to get rid of it by using a command like

             rundll32 c:\winnt\system32:acbdhpd.dll,Uninstall
    Cheers
    Sean

    "On two occasions, I have been asked [by members of Parliament], 'Pray, Mr.
    Babbage, if you put into
    the machine wrong figures, will the right answers come out?'
    I am not able to rightly apprehend the kind of confusion of ideas that
    could provoke such a question."
    -- Charles Babbage (1791-1871)

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

  • Next message: Rob Shein: "RE: New Trojan"

    Relevant Pages

    • RE: idsearch.com and GoogleMs.dll
      ... MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security at ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • idgsearch.com and googleMS.dll
      ... the MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • idsearch.com and GoogleMs.dll
      ... the MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • Re: New Trojan
      ... > registry entries in my Run, ... system NTFS? ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)