
List:       incidents
Subject:    starwars.exe -- possible trojan?
From:       "Donald, Nichols" <dnichols () d-and-d ! com>
Date:       1999-07-23 4:56:45

Well ... my wife just got a bogus e-mail (supposedly from her father,
who is long dead, and supposedly to her as a son, which she most
certainly is *not*).

	It included an attachment which was "starwars.exe".  Since I
don't normally run Microsoft OS's, I don't maintain a virus checker.
But I did use "strings" to look through that executable.  I find seven
different ".dll"s named in it -- and I don't know which of them it may
be creating.  I'll give the list here, in case someone else has
encountered some form of the program:


 ======================================================================
KERNEL32.dll
USER32.dll
GDI32.dll
comdlg32.dll
ADVAPI32.dll
SHELL32.dll
WINMM.dll
 ======================================================================

	I'm particularly concerned about the SHELL32.dll, and
USER32.dll, but KERNEL32.dll is also of potential concern.

	The following strings were also found within the program:


 ======================================================================
hockwaveFlash
ShockwaveFlash.ShockwaveFlash
ShockwaveFlash.ShockwaveFlash\DefaultIcon
ShockwaveFlash.ShockwaveFlash\shell\open\command
_flash
 ======================================================================

	My wife is active on the news.admin.net-abuse newsgroups, and
her name has made it into the "people not to spam" list, which could
have been used to target the active anti-spam people.

	The headers did show a few too many machines to make it likely
that it was not delivered by spamming software and techniques.

	Since we don't run Microsoft OS's, and don't have a way to run a
".exe" file anyway, it obviously does not present a threat to our
systems, but I would like to know whether anyone else has encountered
this, and can state whether it is a known trojan or harbours a known virus.

	Thanks all,
		DoN.

--
 NOTE:     spamblocking on against servers which harbor spammers.
 Email:   <dnichols@d-and-d.com> | Donald Nichols (DoN.)|Voice (703) 938-4564
 My Concertina web page:         | http://www.d-and-d.com/dnichols/DoN.html
	--- Black Holes are where God is dividing by zero ---
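
The triage described in the message (running `strings` over the attachment and picking out the DLL names), sketched in Python as an added example that is not part of the original post. The sample bytes are constructed for illustration, and the UTF-16LE pass goes beyond a default `strings` run, which scans single-byte text only.

```python
import re

MIN_LEN = 4  # default minimum run length used by strings(1)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries often hold text as UTF-16LE: printable byte + NUL.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
DLL_NAME = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)


def extract_strings(data):
    """Return printable strings in file order (ASCII and UTF-16LE)."""
    found = [(m.start(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in WIDE_RUN.finditer(data)]
    return [s for _, s in sorted(found)]


def triage(data):
    """Bucket strings into DLL names, backslash paths, and everything else."""
    report = {"dlls": [], "paths": [], "other": []}
    for s in extract_strings(data):
        if DLL_NAME.fullmatch(s):
            report["dlls"].append(s)
        elif "\\" in s:
            report["paths"].append(s)
        else:
            report["other"].append(s)
    return report


# Constructed sample bytes (not the real attachment): a few of the names
# quoted in the message, separated by non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"KERNEL32.dll\x00\x00USER32.dll\x00SHELL32.dll\x00\x01\x02"
    + "_flash".encode("utf-16-le")
    + b"\x00\x00\xff"
    b"ShockwaveFlash.ShockwaveFlash\\shell\\open\\command\x00"
)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket)
        for item in items:
            print("   ", item)
```
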
