Trojan.Seoul !

Discussion in 'malware problems & news' started by Technodrome, Nov 22, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    New threat from Korea: a dangerous Trojan.Seoul appears
    while AVAR forum is held in Seoul


    November 21 late in the evening DialogueScience, Inc. virus alert service registered the appearance of a dangerous Trojan detected by Dr.Web® anti-virus program as Trojan.Seoul. The virus source is likely to be in the Republic of Korea. It might be "dedicated" to the AVAR (Association of anti Virus Asia Researchers) forum that is taking place in Seoul these days.
    A relevant hot add-on to Dr.Web® anti-virus program version 4.29, detecting Trojan.Seoul was issued at 21:04, November 21. As the virus code is highly complicated, the specialists of Anti-virus Laboratory of Igor Daniloff and of DialogueScience, Inc. keep analysing the code and the destructive features of the Trojan.

    At present it is clear that the virus is a multi-component program, with some components being encrypted. When activated the virus searches for special system activity monitoring tools and debuggers. If found the virus kills them in memory and deletes all the files on the hard drive of the computer. If such processes are not found it creates the correspondent entry in the Windows system registry securing its automatic launching after the system restart. When run after the next reboot the virus displays a message box on the screen with the inscription "What foolish thing you've done" and after that starts deleting all the files on the hard drive.

    The virus is also capable of mass-mailing its copies, this feature is being tested now.


    source: http://www.dials.ru/english/inf/news.php?id=83


    Technodrome
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    They gave it a Name!

    Update....
    New threat from Korea: a dangerous Trojan/Worm Trojan.Seoul/Win32.HLLM.Seoul

    [Nov 21, 2002]
    November 21 late in the evening DialogueScience, Inc. virus alert service registered the appearance of a dangerous mass mailing worm detected by Dr.Web® anti-virus program as Win32.HLLM.Seoul. The virus source is likely to be in the Republic of Korea. It might be "dedicated" to the AVAR (Association of anti Virus Asia Researchers) forum that is taking place in Seoul these days.
    A relevant hot add-on to Dr.Web® anti-virus program version 4.29, detecting this virus as Trojan.Seoul was issued at 21:04, November 21. A more detailed analysis of the virus left no doubts that it had a distinct mass mailing mechanism and for this reason a new entry detecting the virus as a mass-mailing worm Win32.HLLM.Seoul has been added to the next hot-addon.

    At present it is clear that the virus is a multi-component program, with some components being encrypted. When activated, the virus searches for special system activity monitoring tools and debuggers, firewalls and anti-virus programs. If such processes are found the virus kills them in memory, displays a message box on the screen that says "What foolish thing you've done" and starts consecutively deleting all the files on the hard drive preserving the folder structure of the logical disk and the files which cannot be deleted as they are being used by the system.

    If the above processes are not found, the virus creates its copy in the Windows system folder (by default, in Windows 95-Me - C:\Windows\System, in Windows NT-2000-XP - C:\WINNT\SYSTEM32). The copy name starts with WIN characters followed by several randomly chosen characters and the .exe extension. Then, the virus makes several entries in the Windows system registry, namely:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    thus securing its automatic start after the system reboot. The virus then stays memory resident and controls the presence of the above entries in the system registry.
    The next stage of the virus activity is its mass mailing procedure via e-mail. It retrieves addresses for its propagation from cookie files – special text files transferred to the user's machine from the visited web-sites in order to identify the user at the next visit. So, the worm does not send itself to the addresses of the Address Book of the mail client but to specific addresses, adding, for example, the value webmaster@ to the site's domain name listed in the cookie. The address to which the message is sent is also put into the "From" field. With the help of this the worm, using a trivial technique of message posting (often used by mail worms), makes it more probable that the message will be relayed by the SMTP server of the addressee's domain.

    The mail message spread by the worm has a fixed subject:
    Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)
    The message sent by the worm bears two attachments with HTM and CEO extensions:

    WIN2290.TXT (12.6 KB) MUSIC_1.HTM
    WIN2290.GIF (120 bytes) MUSIC_2.CEO
    It is notable that these 2 attachments can be taken by an inattentive user as 4 - and 2 of them can be regarded as text files. Besides, the user might wish to open, at least, a text file, thus launching an HTML file with the built-in program written in JavaScript. The program actually performs a single operation – it registers in the system registry a class of files with the CEO extension and registers it as an executable file. If the user wants to open the GIF file, which is in fact an executable file with the viral code and the extension CEO, the system will run it as an executable thanks to the newly created registry entry and, as a result, the system will get infected if not immediately destroyed.
    More to that, the worm makes use of the well-known vulnerability of the security system of Internet Explorer, incorrect MIME-Header handling (see our news on this flaw for more details). This launches the virus without the user being aware of it in some versions of the Microsoft mail clients.

    If the virus does not find cookies on the hard drive, and also if the computer is not connected to the Internet, the worm acts the same way as when it finds anti-virus programs or network protection tools - it begins to delete all the files on the hard drives. In such a case the message box with the string "What foolish thing you've done" is displayed many times by the worm, making the user spend their precious time on closing these numerous windows instead of shutting down the system immediately to save, at least, part of the data.

    As of November 23, 2002 only a few cases of infection by this worm have been registered by DialogueScience, Inc.

    Updated on November 23, 2002

    http://www.dials.ru/english/inf/news.php?id=83
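As an added example (not part of the post or of the DialogueScience advisory), a small Python mail filter that flags a message carrying the worm's indicators quoted above: the fixed subject line, a .CEO attachment, a From header equal to the To header, and the webmaster@ local part. The sample messages are constructed inline; the file names and addresses in them are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject quoted in the advisory, kept verbatim (including the worm's own typo).
SEOUL_SUBJECT = "Re: AVAR(Association of Anti-Virus Asia Reseachers)"


def seoul_indicators(raw: bytes) -> list:
    """Return the Win32.HLLM.Seoul indicators found in a raw RFC 822 message, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == SEOUL_SUBJECT:
        hits.append("subject")
    sender = (msg.get("From") or "").strip().lower()
    recipient = (msg.get("To") or "").strip().lower()
    if sender and sender == recipient:          # worm puts the target address in From too
        hits.append("from_equals_to")
    if sender.startswith("webmaster@"):         # address built from a cookie's domain
        hits.append("webmaster_local_part")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".htm") or name.endswith(".html"):
            hits.append("htm_attachment")       # carrier of the JavaScript registry change
        elif name.endswith(".ceo"):
            hits.append("ceo_attachment")       # the executable with the viral code
    return hits


def is_seoul_like(raw: bytes) -> bool:
    """A .CEO attachment alone, or the exact subject plus any other indicator, is a match."""
    hits = seoul_indicators(raw)
    return "ceo_attachment" in hits or ("subject" in hits and len(hits) >= 2)


def build_sample(malicious: bool = True) -> bytes:
    """Constructed test messages (not real captures); addresses and bodies are made up."""
    msg = EmailMessage()
    if malicious:
        msg["From"] = msg["To"] = "webmaster@example.com"
        msg["Subject"] = SEOUL_SUBJECT
        msg.set_content("")
        msg.add_attachment("<html></html>", subtype="html", filename="MUSIC_1.HTM")
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                           filename="MUSIC_2.CEO")
    else:
        msg["From"], msg["To"], msg["Subject"] = "alice@example.org", "bob@example.org", "Re: lunch"
        msg.set_content("see attached")
        msg.add_attachment("notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```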
     
  3. claire

    claire Guest

    hi,
    Sorry for this newbie's question, but would adding .htm and .html extensions in a programme like Script Defender be sufficient to be protected from this nasty?
    Regards
     