[Full-disclosure] Re: New PowerPoint Trojan installs itself as LSP

Juha-Matti Laurio juha-matti.laurio at netti.fi
Fri Jul 21 06:12:09 BST 2006


Many thanks for this useful information.
These new types of Trojans are known as Trojan.Riler.F, Win32.Fantador.E, etc.

The available names have been updated in the PowerPoint FAQ,
http://blogs.securiteam.com/?p=508

The following description, including information about the proxy-like feature, is worth checking too:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FRILER%2EB&VSect=T


- Juha-Matti

Mike Healan <mike at spywareinfo.com> wrote: 
> 
> > Is this 'mechanism' very common and is it difficult to detect by AV? 
> 
> No, but you have to be damned careful removing something installed as an
> LSP. I've seen literally hundreds of PCs with their network stack
> buggered because the owner tried to remove NewDotNet. NewDotNet inserts
> itself as an LSP.
> 
> Regards,
> Mike Healan
> www.spywareinfo.com
> 
> Juha-Matti Laurio wrote:
> > It appears that there is a new type of PowerPoint 0-day Trojan spreading,
> > more details at this write-up:
> > http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99
> > 
> > What the technical details section says is:
> > "Installs the file SNootern.dll as a layered service provider (LSP)"
> > 
> > Wikipedia has only a stub-type article
> > http://en.wikipedia.org/wiki/Layered_Service_Provider
> > 
> > Is this 'mechanism' very common and is it difficult to detect by AV?
> > 
> > This new Trojan, entitled Riler.F, opens a back door and tries to
> > connect to 8800.org;
> > the earlier Bifrose Trojan uses (or used) this domain too.
> > 
> > There is a new C variant of Trojan.PPDropper as well, but no information
> > about the file name of PowerPoint attachment etc.
> > Symantec reports the Infection Length as 220,160 bytes, the same as
> > Trojan.PPDropper.B.
> > This size information is from another vendor's Trojan description,
> > however.
> > 
> > This summary has been updated in the related PowerPoint 0-day FAQ document.
> > 
> > Regards,
> > Juha-Matti
> > http://blogs.securiteam.com/index.php/archives/author/juha-matti/
> 
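A detection-side illustration of the LSP mechanism discussed in this thread (an added example, not code from any of the posters): it parses the text layout of `netsh winsock show catalog` and flags layered providers whose DLL is not a stock Windows Winsock provider. The sample catalog text is constructed in that layout; the SNootern.dll path, its provider ID and the list of stock provider DLLs are assumptions, not values from the thread.

```python
import re

# Constructed sample in the layout of `netsh winsock show catalog` (XP/2003 era).
# The SNootern.dll entry is modelled on the LSP from the thread; path and ID are placeholders.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        SNootern LSP
Provider ID:                        {00000000-0000-0000-0000-000000000000}
Provider Path:                      C:\\WINDOWS\\SNootern.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              0
"""

# Assumed allow-list of DLLs Windows itself registers as Winsock providers.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "napinsp.dll", "pnrpnsp.dll"}

def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per provider entry."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry\s*\n-+\n", text):
        fields = dict(re.findall(r"^([A-Za-z ]+):\s+(.+?)\s*$", block, re.M))
        if fields:
            entries.append(fields)
    return entries

def suspicious_lsps(text):
    """Return provider paths of layered entries whose DLL is not a stock Windows provider."""
    hits = []
    for entry in parse_catalog(text):
        if entry.get("Entry Type") != "Layered Service Provider":
            continue
        path = entry.get("Provider Path", "")
        if path.split("\\")[-1].lower() not in KNOWN_PROVIDER_DLLS:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print(suspicious_lsps(SAMPLE_CATALOG))
```

On a live host, feed it the real output of `netsh winsock show catalog` instead of the constructed sample; a flagged entry is a lead to investigate, and, as Mike notes above, removal of an LSP must preserve the rest of the catalog chain rather than simply deleting the DLL.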
Full-Disclosure is hosted and sponsored by Secunia.