Re: spexta trojan installs to protected folder



David H. Lipman wrote:
From: "shawn modersohn" <smmodersohn@xxxxxxxxxxx>

| Running XP SP2,
|
| I have just seen a curious virus identified by Symantec Corporate 10.1.
| The virus is called trojan.spexta and is a mass mailing worm. The
| computer is locked down. Users are only given limited accounts. I am
| the only user who logs in as Admin and I assure you I am careful in this
| account. The issue I am having, according to the logs, is that this
| particular virus somehow manages to write directly to c: and
| c:\windows\system32 with a file called eventmgr.exe. I have seen this
| process eat 100% of the system resources. I think that it might be
| getting in through a user's web mail of choice. This system is fully
| patched, so how is this possible? As far as I can fathom, this virus
| must be using some exploit that overrides folder security.

It is a spam Trojan and NOT a virus. It does NOT self-replicate.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071013-3940-99&tabid=2

There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus

What most people fail to realize is that vulnerabilities may be exploited and there are so
many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
elevation of privileges. It is this "elevation of privileges" that people miss. That
means even on a limited account, if an exploitation is successfully accomplished, the
exploitation will be able to take advantage of the OS and install any kind of malware at its
pleasure.

Since this is a Trojan, not a virus, it requires assistance to get installed, and
exploitations are often used. It could be a simple Social Engineering method or a complex
PHP or HTML web page. There is a lot of software that can be exploited to install this spam
Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.

What is *most* important is this is a spamming tool and the PC in question MUST be taken off
the Internet prior to it being cleaned.
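An added example, not part of this thread or of any product mentioned in it: a PowerShell audit that checks whether the two folders the original post names (the drive root and System32) grant write-type rights to broad, non-administrative groups, and looks for the reported eventmgr.exe file and process. The file name and folder paths are taken from the post above; the group-name pattern is an assumption for illustration.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the affected PC.
# Folders the post says the Trojan wrote to.
$paths = @('C:\', (Join-Path $env:SystemRoot 'System32'))

# Rights that allow creating or modifying files.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor `
             [System.Security.AccessControl.FileSystemRights]::Write

# Broad principals that should not normally hold write rights here (assumed pattern).
$broadGroups = 'BUILTIN\\Users|Everyone|Authenticated Users|INTERACTIVE'

foreach ($p in $paths) {
    $acl = Get-Acl -Path $p
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0) -and
            ($ace.IdentityReference.Value -match $broadGroups)) {
            # Any hit here is a permission that a limited account could use directly;
            # review it and compare against the OS default for that folder.
            Write-Warning ("{0}: '{1}' has {2} (inherit: {3})" -f `
                $p, $ace.IdentityReference, $ace.FileSystemRights, $ace.InheritanceFlags)
        }
    }

    # Look for the file name reported in the post.
    $candidate = Join-Path $p 'eventmgr.exe'
    if (Test-Path -Path $candidate) {
        Get-Item -Path $candidate |
            Select-Object FullName, Length, CreationTime, LastWriteTime
    }
}

# Report the running process (if present) so it can be stopped before cleanup.
Get-Process -Name 'eventmgr' -ErrorAction SilentlyContinue |
    Select-Object Id, Path, StartTime, CPU
```

If no broad group holds write rights on either folder and the file still appears there, the write happened with elevated privileges, which is consistent with the privilege-escalation explanation above.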



Thanks for your input and echoing my suspicions. Also a good point that the exploit might not be solely Windows' fault. As you mentioned in your examples, this exploit could be manipulated through any number of software packages: Adobe Reader, Flash, QuickTime, etc. At least on the desktop level, I still maintain that it is the operating system's responsibility to protect system files and folders from writing despite any flaw in any said software. Doesn't this mean there is a patch that windowsupdate.com owes us?