[Dshield] strange trojan dropper--anyone seen this?

Rudy Wesson spongerudy at yahoo.com
Thu Jun 24 13:39:01 GMT 2004

This has popped up in a few places in our university network and I'm wondering if anyone's seen anyone similar...
What I'm seeing is a little piece of malware which goes out to apparently hardcoded IP addresses, giving the remote user a command shell.  It seems to have been put into place by a dropper of some kind, apparently a trojanized version of a legitimate win32 app.   Can't tell what triggers the malware to attempt to make the connection...I don't think it's any outside stimulus (so this is different from most backdoors where the attacker has to scan for the trojan listening on a certain port).
The dropper in this case was apparently a trojanized versino of lsass.exe and I have seen it infecting a box in at least one case by exploiting an MS Outlook activex vuln.
This thing doesn't seem to be propagating by itself so I wonder if we're being targeted for something deliberately...has anyone seen ANYTHING like this?

Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.

More information about the list mailing list