It's not the first time that malwares are using detours techniques. In case your malware is "Trojan.Anserin" (http://securityresponse.symantec.com/avcenter/venc/data/trojan.anserin.html)
It tries to hooks several APIs of the common browsers for keylogging/password stealing purposes (IEXPLORE, FIREFOX, MOZILLA, OPERA). It tries to steal bank accounts and other confindential information. Some variants try also to patch NSPR4.DLL (Netscape lib) altering the following functions: PR_Connect(), PR_Read(), PR_Write(), PR_Close() EF ----- Original Message ----- From: Tiago Halm [mailto:[EMAIL PROTECTED] To: full-disclosure@lists.grok.org.uk Sent: Wed, 22 Feb 2006 22:47:40 +0100 Subject: [Full-disclosure] Detours and Trojans > Detours is being used on trojans. > Just got one *sighs* and detours was making sure the processes could not be > killed. > > the files were: > c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll > (around 48k) > c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll > (around 48k) > c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe --> > this file was 2k > c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll > (around 48k) > > current user "Run" was mapped to ibm00003.exe above. > > Unfortunatelly I deleted the files (in case anyone was interested), because > google did not show much info on this and I didn't know much more of what to > do. > did some strings on the files above and showed http posts (uploads) of some > local files. > sorry I don't have any more information. don't remember. > > anyone saw this already? > > Tiago Halm > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
