[unisog] RE: Unknown/Unidentified trojan?

Pat Wilson paw at noh.ucsd.edu
Wed Nov 19 18:00:27 GMT 2003


One of our techs here has identified this as downloader.mscache.
http://securityresponse.symantec.com/avcenter/venc/data/downloader.mscahe.html


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

Bill at royds.net writes:
>  The actual page that installs the adware is at
>  http://public.searchbarcash.com/prompt.php (do not click on this!!!!)
>  It runs a JavaScript that downloads a .cab file with the adware executable.
>   
>  
>  -----Original Message-----
>  From: Phillip G Deneault [mailto:deneault at WPI.EDU] 
>  Sent: November 18, 2003 6:33 PM
>  To: intrusions at incidents.org
>  Cc: unisog at sans.org
>  Subject: Unknown/Unidentified trojan? 
>  
>  I got this from a student today.  Anyone seen this before?
>  
>  A site that this links to...
>  http://www.realphx.com/disclaimer.htm
>  claims that it's just adware.  Anyone want to take it apart to see if it's 
>  anything else? :-)
>  
>  This is the fourth time in two weeks I've heard of or had to clean viruses 
>  off of people's machines because they clicked on some program from an AOL 
>  profile link.
>  
>  Thanks,
>  Phil
>  
>  ========================================================================
>  My parents e-mailed me this morning to report that they have a virus on
>  their computer and they said my sister got it by clicking on a link in a
>  friend's profile in AOL Instant Messenger.  Apparently it created a ton of
>  porn links and other things on the desktop and installed some adware on
>  the system.  One of my roommates got something similar a few days ago, but we
>  can't remember how we cleared it out, and I can't find the name of the
>  virus anywhere based on the information I have.
>  
>  I found the link that she used to get this, which points to this:
>  http://www.talkstocks.net  The site makes a continuous attempt to push a
>  program "b.exe" on to the user's system.  
>  ========================================================================
>  
>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>  Phil Deneault     "We work in the dark, We do what we can,
>  deneault at wpi.edu   We give what we have. Our doubt is our passion,
>  WPI NetOps         and our passion is our task. The rest is the
>  InfoSec            madness of art." - Henry James
>  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-