Re: spexta trojan installs to protected folder



From: "shawn modersohn" <smmodersohn@xxxxxxxxxxx>

| Running XP SP2,
|
| I have just seen a curious virus identified by Symantec Corporate 10.1.
| The virus is called trojan.spexta and is a mass mailing worm. The
| computer is locked down. Users are only given limited accounts. I am
| the only user who logs in as Admin and I assure you I am careful in this
| account. The issue I am having, according to the logs, is that this
| particular virus somehow manages to write directly to c: and
| c:\windows\system32 with a file called eventmgr.exe. I have seen this
| process eat 100% of the system resources. I think that it might be
| getting in through a user's web mail of choice. This system is fully
| patched, so how is this possible? As far as I can fathom, this virus
| must be using some exploit that overrides folder security.

It is a spam Trojan and NOT a virus. It does NOT self replicate.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071013-3940-99&tabid=2

There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus

What most people fail to realize is that vulnerabilities may be exploited, and there are so
many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
elevation of privileges. It is this "elevation of privileges" that people miss. That
means that even on a limited account, if an exploitation is successfully accomplished, the
exploit will be able to take advantage of the OS and install any kind of malware at its
pleasure.

Since this is a Trojan, not a virus, it requires assistance to get installed, and
exploitations are often used. It could be a simple social engineering method or a complex
PHP or HTML web page. There is a lot of software that can be exploited to install this spam
Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.

What is *most* important is this is a spamming tool and the PC in question MUST be taken off
the Internet prior to it being cleaned.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
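The reply's point is that a file landing in c:\ and c:\windows\system32 from a limited account is
evidence of code running with elevated rights, not of "folder security" being overridden. The
following triage script is an added example for this thread, not code from either poster or from
Symantec. It assumes PowerShell 2.0 or later in an administrative shell on the affected machine;
the folder and file names (eventmgr.exe) come from the original post, and the seven-day window and
the list of low-privilege groups are arbitrary choices. It first confirms that the protected folders
do not grant write rights to low-privilege identities (if they do, no exploit was needed), then
inventories recently created executables there with their Authenticode status, and finally reports
whether the named process is currently running.

```powershell
# Added example: triage for an unexpected executable in protected system folders.
# Assumes PowerShell 2.0+ running as an administrator on the machine in question.
# Names from the post: eventmgr.exe, C:\ and C:\Windows\System32. Window and group
# list below are arbitrary assumptions, not values from the thread.

$ProtectedDirs = @("$env:SystemDrive\", "$env:SystemRoot\System32")
$SuspectName   = 'eventmgr.exe'                 # file name reported in the post
$Since         = (Get-Date).AddDays(-7)          # arbitrary look-back window

# Identities that should never hold write rights on these folders.
$LowPrivGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Test-LooseAcl {
    # Report Allow ACEs that give any write bit to a low-privilege identity.
    # Modify and FullControl both include the Write bits, so the -band check
    # catches them as well.
    param([string]$Path)
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeBits) -ne 0) -and
            ($LowPrivGroups -contains $ace.IdentityReference.Value)) {
            "LOOSE ACL: {0} grants {1} to {2}" -f $Path, $ace.FileSystemRights, $ace.IdentityReference
        }
    }
}

function Get-RecentExecutables {
    # List executables created inside the window, with signature status and signer.
    # An unsigned or invalidly signed binary that appeared recently in System32
    # is what the poster's logs describe and is worth submitting to the AV vendor.
    param([string]$Path, [datetime]$Since)
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            ($_.Extension -match '^\.(exe|dll|sys)$') -and
            ($_.CreationTime -gt $Since)
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Signature = $sig.Status
                Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
            }
        }
}

foreach ($dir in $ProtectedDirs) {
    Test-LooseAcl -Path $dir
    Get-RecentExecutables -Path $dir -Since $Since |
        Sort-Object Created -Descending |
        Format-Table Created, Signature, Signer, Path -AutoSize
}

# Is the named process running right now? Path shows where it was launched from.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($SuspectName)
Get-Process | Where-Object { $_.Name -eq $procName } | Select-Object Id, Name, Path, CPU
```

If the ACL check prints nothing, the folders are protected as expected and a write there means the
code that wrote it already ran with administrative rights, which is exactly the privilege-elevation
scenario the reply describes. Run this before disconnecting the machine only if you need the process
evidence; the reply's advice to take the PC offline before cleaning still applies.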
