[Dshield] The Beast

Daniel Otis-Vigil dvigil at moosoft.com
Fri Oct 17 17:48:22 GMT 2003

The Cleaner has detected every version of Beast.   Beast doesn't do 
anything particularly novel or interesting beyond any other trojan.  I 
would discard this as any other spam.

Daniel Otis-Vigil
MooSoft Development LLC

At 04:56 AM 10/17/2003, you wrote:
>Has anyone heard of Beast, a trojan with different variables?
>Symantec lists them here http://search.symantec.com/custom/us/query.html.
>I came across it while reading about it in the Support Alert
>newsletter ( http://www.techsupportalert.com/ ).
>An excerpt from the newsletter follows:
>"I have seen The Beast and my heart has been smitten with fear.
>No, folks, I haven't gone all religious. I'm talking about this year's
>hot trojan horse called "The Beast."
>The Beast is one of the new generations of "process-injecting"
>trojans. To avoid detection these trojans attach themselves to a
>process that forms a key part of the Windows operating system itself.
>In the case of The Beast, the processes chosen for infection are
>winlogon.exe and explorer.exe. These have been selected because they
>are always present on any XP/2000/NT-based PC.
>This stealthing approach makes The Beast particularly hard to detect.
>Certainly a normal process scanner won't reveal its presence and
>almost all common anti-virus scanners will miss it as well.
>Killing the trojan is also difficult as it resides within a process
>essential for the operation of Windows.  Killing the process will also
>kill Windows.
>And if you think that the .dll checksum feature in your firewall will
>help you,  think again. The particular version of The Beast I tested
>came with a module that pulled down 32 of the most popular firewalls
>and anti-virus scanners and many anti-trojan monitors as well.
>Watching a PC being infected by this kind of trojan is a scary
>experience. Terrifying, actually.
>I ran The Beast on a test PC set up with the same extensive protection
>that I use on all my normal working PCs.
>I just sat by and watched Norton Anti-Virus 2003 disappear, closely
>followed by my Sygate Personal Firewall Pro and the BoClean anti-
>trojan monitor.  Not only were these defenses pulled down, they were
>permanently destroyed so they could not be restarted.
>Once The Beast has infected your PC the attacker essentially has
>complete control. He/she can view, upload or erase any of your files
>and log all your keystrokes including your all your passwords. Worse
>still, you may not even know your PC is infected..........."
>Also, while doing a Google search I noticed this website
>Scary stuff indeed!!
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

More information about the list mailing list