The Cleaner reports WinPCap contains WinRAT trojan

From: dumbwabbit (dumbwabbit@yahoo.com)
Date: 02/16/02


Date: Sat, 16 Feb 2002 06:05:50 -0800 (PST)
From: dumbwabbit <dumbwabbit@yahoo.com>
To: vuln-dev@securityfocus.com, focus-virus@securityfocus.com, security-basics@securityfocus.com

Forgive the cross-posting, but I think this *may*
merit it.

WinPCap is a packet capture driver/architecture for
the Windows platform, allowing Windows users to do such
things as run NMapNT, the NT port of Nmap.

Upon scanning a file archive on one of my pen testing
laptops, using the latest updated version of The
Cleaner (a trojan AV product from MooSoft), The
Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
beta, along with the Developer Pack of WinPCap are all
infected with or contain the WinRAT (aka Windows
Remote Administration Toolkit) client/server trojan. I
"tested" this further by re-downloading the WinPCap
files from the original website, located at:
http://netgroup-serv.polito.it/winpcap/install/default.htm
All files downloaded from this location scanned by The
Cleaner are reported as containing WinRAT.

I have sent copies of these files to MooSoft asking if
they can verify this, and I have emailed the authors
of WinPCap as well. That was 3 days ago.

McAfee VirusScan 4.51 and 6, both with latest DATs
(4186) do not find anything.
I do not have access currently to Norton or Trend or
another AV product.
I also cannot find any helpful information about the
WinRAT trojan online (MooSoft's description contains
absolutely NO information regarding this trojan other
than listing it - see
http://www.moosoft.com/winrat.php).
I have not yet heard back from WinPCap authors, nor
MooSoft. Therefore, I would like to ask if anyone else
can verify or disprove this "finding".
