Troj/Ritter-A

Discussion in 'malware problems & news' started by FanJ, Aug 14, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: Troj/Ritter-A
    Type: Trojan
    Date: 14 August 2002



    At the time of writing Sophos has received no reports from users
    affected by this Trojan. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description
    Troj/Ritter-A is a password-stealing Trojan for Novell networks. The Trojan can only be used against NetWare 3 servers (or servers with bindery emulation enabled) because it uses the bindery as a database to store the passwords it steals.

    The Trojan consists of two files. PROP.EXE must be run as SUPERVISOR to create the necessary storage area in the bindery. PROP.EXE is also used later to retrieve stolen passwords. LOGIN.EXE is a modified version of the NetWare 3 login program which an attacker must write over the genuine LOGIN.EXE in order to steal usernames and passwords as they are typed in.



    More information about Troj/Ritter-A can be found at
    http://www.sophos.com/virusinfo/analyses/trojrittera.html
     