Re: The Cleaner reports WinPCap contains WinRAT trojan

From: Ryan Verner (xfesty@computeraddictions.com.au)
Date: 02/16/02


From: "Ryan Verner" <xfesty@computeraddictions.com.au>
To: "dumbwabbit" <dumbwabbit@yahoo.com>, <vuln-dev@securityfocus.com>, <focus-virus@securityfocus.com>, <security-basics@securityfocus.com>
Date: Sun, 17 Feb 2002 03:49:52 +1030

My guess is that the trojan may use code from WinPCap, rather than the other
way around.

- xfesty

--=--

:: Ryan Verner :: xfesty/irc.whackpack.com ::
:: ICQ :: 76626240 ::
:: <festy@2xstreams.com> ::
:: <xfesty@whackpack.com> ::

:: "I'm stuck in this dream; its changing me. I am becoming." ::

----- Original Message -----
From: "dumbwabbit" <dumbwabbit@yahoo.com>
To: <vuln-dev@securityfocus.com>; <focus-virus@securityfocus.com>;
<security-basics@securityfocus.com>
Sent: Sunday, February 17, 2002 12:35 AM
Subject: The Cleaner reports WinPCap contains WinRAT trojan

| Forgive the cross-posting, but I think this *may*
| merit it.
|
| WinPCap is a packet capture driver/architecture for
| Windows platform, allowing Windows users to do such
| things as run NMapNT, the NT port of Nmap.
|
| Upon scanning a file archive on one of my pen testing
| laptops, using the latest updated version of The
| Cleaner (a trojan AV product from MooSoft), The
| Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
| beta, along with the Developer Pack of WinPCap are all
| infected with or contain the WinRAT (aka Windows
| Remote Administration Toolkit) client/server trojan. I
| "tested" this further by re-downloading the WinPCap
| files from the original website, located at:
| http://netgroup-serv.polito.it/winpcap/install/default.htm
| All files downloaded from this location scanned by The
| Cleaner are reported as containing WinRAT.
|
| I have sent copies of these files to MooSoft asking if
| they can verify this, and I have emailed the authors
| of WinPCap as well. That was 3 days ago.
|
| McAfee VirusScan 4.51 and 6, both with latest DATs
| (4186) do not find anything.
| I do not have access currently to Norton or Trend or
| another AV product.
| I also cannot find any helpful information about the
| WinRAT trojan online (MooSoft's description contains
| absolutely NO information regarding this trojan other
| than listing it - see
| http://www.moosoft.com/winrat.php).
| I have not yet heard back from WinPCap authors, nor
| MooSoft. Therefore, I would like to ask if anyone else
| can verify or disprove this "finding".


