
Hi Thomas,

On 25 December 2000 at 00:02:05 +0800 (which was 16:02 where I
live) Thomas Fernandez wrote and made these points:

TF> OK, here we go: I got infected by the JS_SEEKER.A trojan

Infected? I don't think so...

TF> (File Name: RUNME.HTA - what does an .HTA extension normally
TF> do?). I got suspicious two days ago when I suddenly had unusual
TF> activity on port 8431, and closed that port for further
TF> investigation after Christmas.

This is unrelated to the Trojan you mention.

TF> This morning, I updated PC-Cillin, and a few minutes ago, I
TF> suddenly had a virus warning pop up: the above trojan was active
TF> from a file in my backup directory to The Bat!\Mail\Mailing
TF> Lists\Attach. An immediate virus scan detected this trojan also in
TF> the current database. (The virus was not sent through this Mailing
TF> List, but others to which I subscribe do allow attachments.)

Okay - so the trojan had *arrived* on your machine as an attachment
and was reported as *present* by PC-Cillin. This does *not* yet
constitute an "infection". A virus can be spotted in a file on your
hard drive without ever having been run or activated. This is what I
believe has happened to you here. TB has, in fact, "saved your bottom".

TF> So this is some malware that becomes active through some trigger
TF> other than double-clicking on it, and thus TB cannot prevent it.

It doesn't need to. You don't get *infected* by a virus until it is
executed. This is a fact.

TF> I repeat: TB does not substitute a regularly updated anti-virus
TF> program.

I disagree. I haven't been caught by a virus since using TB. I use my
own intelligence to know what attachments may be infected and virus
scan them independently if dubious.

TB will not allow an infection to spread without action on my part.

TF> Oh, and I recommend updating "now" to everybody, as this thing is
TF> new and had not been detected by the pattern updated on 19
TF> December.

This Trojan was first reported in October, so it's not that new. It is
known as the "seeker" trojan and is relatively harmless.

Here is the vulnerability report relating to this Trojan:

> This trojan uses the same vulnerability that JS/Kak and
> VBS/BubbleBoy use to drop itself to the Windows Startup directory.
> This trojan consists of three different parts: one HTML web page,
> and two hta files.
> The web page is available in an adult site, and it affects Internet
> Explorer users. Once a user visits that page it immediately drops a
> file "runme.hta" in the Windows Startup directory and "removeit.hta"
> in the root of the "C:" drive. The next time the system is rebooted
> it executes and changes the Internet Explorer and Netscape Navigator
> startup page to www.sureseeker.com. It also modifies the Internet
> Explorer default search pages to that location. These changes are
> made to the registry, however, the trojan makes backup of these
> registry settings to two files, "backup1.reg" and "backup2.reg" in
> the Windows directory.
> After that the trojan executes "removeit.hta", which simply deletes
> "runme.hta" from the Windows Startup directory. That way the user
> cannot see the previously dropped "runme.hta" file.
> To protect yourself against the vulnerability that this trojan uses,
> you can download and install the patch provided by Microsoft:
> http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

As you can see, it is a JavaScript virus - ergo it must be executed by
a Java VM to cause an infection.

--
[    Marck D. Pearlstone | Moderator TBUDL / TBBETA              ]
[ PGP Key ID: 0x929DCDA0 | www: http://www.silverstones.com      ]
[ PGP Key: http://www.silverstones.com/MarckPGP.asc              ]
[    Any opinions are my own and not those of RIT labs           ]
TB! v1.48f S/N 14F4B4B2 on Windows NT 5.0 Build 2195 Service Pack 1
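The quoted report lists concrete indicators for this trojan: runme.hta in the Startup folder, removeit.hta in the root of C:, backup1.reg and backup2.reg in the Windows directory, and the IE start/search pages rewritten to www.sureseeker.com. The following triage script is an added example, not code from the thread, the report or Trend Micro; it turns those indicators into a check that separates "file merely present" (Thomas's case, an attachment sitting in a mail folder) from "staged in Startup" and "already executed". The registry value names under Internet Explorer\Main and the Startup folder path are assumptions, since the report names only the settings, not the exact keys.

```python
# Added example: triage for the JS_SEEKER.A indicators in the quoted report.
# The matcher works on directory/registry snapshots so it runs anywhere;
# snapshot_windows() collects live data only on Windows (assumed paths).
import os
import sys

SUSPECT_DOMAIN = "sureseeker.com"               # from the report
DROPPER = "runme.hta"                           # dropped into the Startup folder
CLEANER = "removeit.hta"                        # dropped into the root of C:
REG_BACKUPS = ("backup1.reg", "backup2.reg")    # written to the Windows directory
# Assumed value names under HKCU\Software\Microsoft\Internet Explorer\Main;
# the report only says "startup page" and "default search pages".
IE_MAIN_VALUES = ("Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL")


def _names(files):
    """Case-fold a list of file names (Windows file systems are case-insensitive)."""
    return {f.lower() for f in files}


def find_seeker_indicators(startup_files, root_files, windows_files, ie_main):
    """Match the report's indicators against snapshots.

    Returns a list of (tag, severity, description). A .hta sitting in a mail
    attachment directory is deliberately not an indicator: until the file is
    in Startup or the registry has changed, nothing has executed.
    """
    hits = []
    if DROPPER in _names(startup_files):
        hits.append(("dropper", "high", f"{DROPPER} in Startup: runs at next logon"))
    if CLEANER in _names(root_files):
        hits.append(("cleaner", "medium", f"{CLEANER} in drive root: cleanup stage present"))
    for backup in REG_BACKUPS:
        if backup in _names(windows_files):
            hits.append(("regbackup", "medium", f"{backup} in Windows dir: IE settings backed up by trojan"))
    for name, value in ie_main.items():
        if SUSPECT_DOMAIN in str(value).lower():
            hits.append(("homepage", "high", f"IE '{name}' rewritten to {value}"))
    return hits


def verdict(hits):
    """Collapse the hits into one word a responder can act on."""
    tags = {tag for tag, _, _ in hits}
    if "homepage" in tags:
        # Registry rewritten: the payload ran. removeit.hta may already have
        # deleted runme.hta, so the absence of the dropper proves nothing.
        return "executed"
    if "dropper" in tags:
        return "staged"     # waiting in Startup, not yet run
    if tags:
        return "residue"    # backups or cleaner only; check the registry by hand
    return "clean"


def snapshot_windows():
    """Collect live snapshots on Windows (assumed paths/value names); None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows

    def listdir(path):
        try:
            return os.listdir(path)
        except OSError:
            return []

    # Assumed modern per-user Startup path; Windows 9x/NT 4 used a different one.
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    ie_main = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main")
        for name in IE_MAIN_VALUES:
            try:
                ie_main[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass
    except OSError:
        pass
    return listdir(startup), listdir("C:\\"), listdir(windir), ie_main


if __name__ == "__main__":
    snap = snapshot_windows()
    if snap is None:
        # Constructed sample standing in for a machine on which the trojan ran.
        snap = ([], ["removeit.hta", "boot.ini"], ["backup1.reg", "backup2.reg"],
                {"Start Page": "http://www.sureseeker.com/"})
    found = find_seeker_indicators(*snap)
    for tag, severity, text in found:
        print(f"[{severity}] {tag}: {text}")
    print("verdict:", verdict(found))
```

Note what the script does not flag: a RUNME.HTA in The Bat!'s attachment folder. That is exactly the distinction Marck draws above; the file becomes a problem only once something executes it, which for this trojan means the IE scriptlet/Eyedog hole of MS99-032 dropping it into Startup.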



View the TBUDL archive at http://tbudl.thebat.dutaint.com