Trojan horse threatens latest Windows XP

Those who don't have a firewall are not gonna be safe against this trojan.
Those using Internet Explorer should use another browser immediately.

 

Info here; http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
Nav seems to have it in it's virus defs;

 

So non IE users are OK for the time being?

Jimbob

 

Here's an interesting quote from the article

 

Propaganda.

I'm guessing you need to be running IE to be effected and not just have it installed.

Jimbob

 

Hi Jimbob1989,

Please, if you are going to declare a post as propaganda or make "guesses" as to security issues, have something to back up what you are saying. I would like to see you make reference to what facts you base your post on.....

 

Sorry, you missunderstood what I meant, it may work like propaganda.

Jimbob

 

It is not an issue of me misunderstanding what you mean, the issue is for you to take the time to research the answers that you give. Instead of making "guesses", research the question at hand, do some google searches that you can reference in your answers. Try to make your answers based on facts as much as you can. Do not just reply back with whatever pops into your mind, THINK about your answers and try to make them as factual as possible...

 

For Jimbob,
The trojan is PHEL.A http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
Now Symantec (norton) have already released defs....see my post above.
So.......It is likely that many/most AVs also have the defs. You could check with yours. It appears to affect IE but there is mention of help files in SP2. Now it might depend on how your progs are configured. eg. I use FF but my default browser is still IE (maybe that's silly on my part)....That means if I click on a link in email or use Help or search for clipart while in Word it will (I think)connect with IE. The article is there to read and there are other links to follow. Read.
Buck.

 

I'm running Live Update on Norton Antivirus Pro now.

Jimbob

 

Pivx' Qwik-Fix protects against this by configuring your system (hardening Windows) to not be vulnerable to this or other such exploits.

(Note: You still shouldn't download things like help files from untrusted sources)

 

Thank you dvk01 for some most interesting info. Are you able to shed light on the following:-

I run Merijn's Bug-Off 1.10, this protects against MHTML exploit for cross domain vulnerability in O.E. Will this protect against the Phel Trojan?

How does CWS (and this Trojan) install on a computer? Am I correct in assuming that a properly configured I.E. will prevent this installation?

Is it true that Qwik-Fix (which I tried and did not like - partly because I did not understand what it was doing!) will make adjustments which are intended to compensate for poor configuration of your system (in this case at least) - or is it offering some additional protection?

 

TopperID: Qwik-Fix is a hardening tool like Merjin's BufOff, but it has some options that no others have, and it auto-updates. Pivx (the company that makes it) is a security research firm that finds vulnerabilities in products and releases alerts and workarounds. Qwik-Fix user's systems are automatically patched as soon as a vulnerability is found and a workaround made.. it is as much a service as an application.

 

Notok - The PivX people told me in an email that Qwik-Fix is a 'hardening tool', but I didn't understand what they meant by that and I still don't!

What I noticed was that Qwik-Fix LOWERED the protection levels I had set in I.E. and removed all the entries Spybot S&D and SpywareBlaster had inserted in my Restricted Zone. PivX stated that these were merely hidden as they were unnecessary due to Qwik-Fix's 'hardening' effect (which they declined to explain).

Qwik-Fix has always sounded too good to be true to me, and until I understand more about it I do not have confidence in its use. If it was so good why isn't everyone recommending it?

 

mcafee also detects the phel trojan.

 

Spanner - Thanx for that article. I wondered why I couldn't find the 'My Computer' zone; I never figured on having to do Reg editing to get there, but now I know!

 

Topper: Think of a program like BufOff or (more appropriately) SafeXP that auto updates, and has a whole team searching out new vulnerabilities. They deploy "quick fixes" to Qwik-Fix which gets applied to your system immediatly, effectively patching your system against the vulnerability until MS can put out a proper patch. I don't think you'll get a lot of technical details about all that it protects against because they deploy fixes before the vulnerability is ever announced. There are some things that BugOff, SafeXP, etc, cover, but Qwik-Fix also covers some things that other patches do not. I've read around the web that they are also planning to implement some other stuff into the program like buffer overflow protection, but haven't seen or heard any updates on that. I believe they will also be covering more 3rd party products in the future (they already cover one AIM vulnerability.)

I couldn't say why more people don't know about the product other than that a) people don't generally get all that excited about hardening Windows, and b) they haven't done a lot of marketing that I can see. Popularity doesn't always equate to quality, however. But if you want to protect against IE attacks, this is the only tool I've seen that promotes that it resolves all cross-zone scripting vulnerabilities.

 

The fundamental difference between BugOff and Qwik-Fix is that the latter messes about with my I.E. settings while the former does not! I like to have I.E. tightly configured when I go to possibly 'risky' sites, I cannot live with any application that LOWERS those settings unless I understand what it is doing.

BugOff does at least inform you what it is doing and what the side effects will be; Qwik-Fix does not. As for cross-zone scripting vulnerabilities, I have more confidence in 'hardening' all my Zones (including the procedure referred to by Spanner above) than having Qwik-Fix apparently reduce the level of protection because, they say, it is not necessary with their product.

I know that Merijn recommends Qwik-Fix, but he knows what he is doing; it is a question of what I feel most comfortable with. I still use I.E. because I have not been infected despite going to sites where infection is said to be 'guaranteed' (with default settings at least). Why should I put that at risk by trying something that is an unknown quantity?

Besides, I have a natural aversion to 'quick' fixes - I don't believe they exist!