Center for Information Technology Antivirus
Virus Archives

Informational Advisory - New Windows trojan program
Last Updated 8/01/02 9:17 am

A new Windows trojan program that appears to be a new variant of the IRC/Flood family has been found at the NIH. A sample has been submitted to NAI and Symantec.

NAI has included detection for the new trojan in the latest Dat/SuperDat files. Symantec has included detection for the new trojan in the latest definition file available via LiveUpdate.

The new trojan is an mIRC-type program that attempts to create open shares and change the administrator password to a blank password on machines running the Windows OS. The program listens on port 300 and looks for the Sub7 trojan; if Sub7 is found, it attempts to remove it. If the program detects that it is being tampered with, it deletes several of its files and unloads some of its processes.

In the samples that were found, the program file Fusion.exe was located in C:\WINNT\SYSTEM32\NAV1 or C:\WINNT\SYSTEM. This file dropped additional files in the same directory as Fusion.exe:

direcx.dll
w32sock.bat
segment.dll
secure.bat
Syst.bat
systemtray.exe
hider.exe
wmsgsrv1.dll
localsuser.dll
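
As an added example (not part of the original advisory or any vendor tool), the following Python triages a file listing and `netstat -an` output against the indicators above. The function names, grading labels and sample inputs are constructed for illustration, and TCP is assumed for port 300 because the advisory does not name the protocol.

```python
import ntpath
import re
from collections import defaultdict

# Indicators from the advisory text, lower-cased for case-insensitive matching.
DROPPER = "fusion.exe"
DROPPED = {"direcx.dll", "w32sock.bat", "segment.dll", "secure.bat", "syst.bat",
           "systemtray.exe", "hider.exe", "wmsgsrv1.dll", "localsuser.dll"}
REPORTED_DIRS = {r"c:\winnt\system32\nav1", r"c:\winnt\system"}
LISTEN_PORT = 300

def triage_files(paths):
    """Group indicator file names by directory and grade each directory."""
    by_dir = defaultdict(set)
    for p in paths:
        d, name = ntpath.split(ntpath.normpath(p.strip()))
        if name.lower() == DROPPER or name.lower() in DROPPED:
            by_dir[d.lower()].add(name.lower())
    findings = []
    for d, names in sorted(by_dir.items()):
        # Fusion.exe beside at least one dropped file matches the advisory's
        # pattern; a lone matching name is weaker and only flagged for review.
        level = "high" if DROPPER in names and names & DROPPED else "review"
        findings.append({"dir": d, "level": level, "files": sorted(names),
                         "reported_dir": d in REPORTED_DIRS})
    return findings

def listening_on_port(netstat_text, port=LISTEN_PORT):
    """True if Windows `netstat -an` output shows a TCP listener on the port.
    Assumption: TCP; the advisory does not name the protocol."""
    pat = re.compile(r"^\s*TCP\s+\S+:%d\s+\S+\s+LISTENING" % port, re.I | re.M)
    return bool(pat.search(netstat_text))

# Constructed sample inputs (not taken from a real host).
SAMPLE_LISTING = [
    r"C:\WINNT\SYSTEM32\NAV1\Fusion.exe",
    r"C:\WINNT\SYSTEM32\NAV1\hider.exe",
    r"C:\WINNT\SYSTEM32\NAV1\SECURE.BAT",
    r"C:\WINNT\SYSTEM32\kernel32.dll",
    r"D:\tools\secure.bat",
]
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135      0.0.0.0:0      LISTENING
  TCP    0.0.0.0:300      0.0.0.0:0      LISTENING
  TCP    10.0.0.5:3000    10.0.0.9:1044  ESTABLISHED
"""
if __name__ == "__main__":
    print(triage_files(SAMPLE_LISTING), listening_on_port(SAMPLE_NETSTAT))
```

A "review" result means only a file name matched; several of the listed names are generic, so confirm with an up-to-date scan before treating the host as infected.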

This site will be updated as more information becomes available.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact TASC for assistance or call
301.59.Go.CIT (V) 301.496.8294 (TDD)

National Institutes of Health
Center for Information Technology
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201