G'day Guys, Recently a client was infected by this trojan. We initially detected it manually and sent the offending file to a few AV companies, Eset included. The response was quite prompt from Eset, for which we are grateful. However, the response was only to update the definitions to detect it as Alcobot.A. The issue we have is that this trojan did infect a client site. Whilst we removed the executables etc., and also ran the trojan in a virtual environment to see if it had any unforeseen effects, we are not specifically antivirus specialists. The best we can tell is it modified the registry to launch at boot, dropped a copy in the Windows directory and replaced the wmplayer.exe file. It then launched a SYN DoS attack at another IP. It didn't seem to try to self-replicate at all. Has anyone else seen this trojan, and/or know if it has an alias? Regards, Ben.
Hi Ben, Unfortunately, I don't have any specs for you. All I can say is this one was added to the KAV/AVP database on January 15th 2004 as "backdoor.Alcobot" - no description available either as far as I know. Regards, Paul
G'day Paul, Thanks for the reply, it seems that no-one else has any answers either... Oh well, I hope for my client's sake that it was benign... Cheers, Ben.