[Intrusions] New Trojan on the block [CIA Trojan]
Chris Norton
kicktd_list at hotmail.com
Sun Aug 29 23:42:12 GMT 2004
[this was edited from the original reply sent to Nick for obvious reasons]
Hello Nick,
I submitted a Trojan that was found on my machine which was nothing but a
downloader which we still don't know what the purpose of it was. The file I
found on my machine is in fact caught by AV's. I was referring to the new
CIA Trojan maker. I could have worded it better yes but it was about 3 AM in
the morning lol. What I was trying to say is I ran the trojan
[Win32/Small.ar] in vmware and monitored what site it was trying to access
which was 213.46.226.xx
192.168.80.129 213.46.226.xx HTTP GET /zosman/cia/index.php HTTP/1.1
213.46.226.xx 192.168.80.129 HTTP HTTP/1.1 404 Not Found (text/html)
So what I did was follow this and googled zosman/cia.
I downloaded the trojan maker and dropped it into vmware to
see just what exactly it did. I noticed at first the file size was
way bigger than the one I had on my system:
CIA 1.23 size: 119kb made in: VB
Win32/Small.ar size: 15kb made in: Delphi by someone named exxecs
Why he was pointing this at the CIA website
I have no idea and I guess we will never find out. But that's what
made me stumble on to the new Trojan/Backdoor.
Did this clear it up any?
-------------------------------------------------------------
Chris Norton - UAT Student Software Engineering Network Defense