How do i find out "a trojan´s specific purpose"?

Discussion in 'malware problems & news' started by Aeronautic1024, Jul 17, 2008.

Thread Status:
Not open for further replies.
  1. Aeronautic1024

    Aeronautic1024 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    3
    I "received" the trojan "SWF/Exploit.CVE-2007-0071 trojan" by a service provider for a specific service (outsourced) by my employer. The trojan was discovered by NOD32. The reason why I want to find out what the "purpose is of the actual trojan" is that there are some "legal issues/disputes" between me and my employer. I have good reason to assume it was planted there on purpose by my employer... Can anyone help me to find out what the actual trojan is doing?

    I appreciate all answers, it is really annoying not knowing.

    I might add that I have no previous experience of trojans.
     
    Last edited: Jul 17, 2008
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi and welcome to Wilders.
    Just by looking at that name I can't tell. If you have a sample (e.g. the actual trojan), you could upload it to VirusTotal (different AV vendors give different names to malware, and maybe you could get a more descriptive name).
    Or you can upload it to online sandboxes to see what it does.
    I'll look into it anyway.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I don't think it was "planted" by your employer. It seems that it's just an exploit for a Flash vulnerability.

    ~VirusTotal link removed per Policy. - Ron~
     
    Last edited by a moderator: Jul 17, 2008
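    Before uploading anything, a defender usually triages the flagged file locally: compute the hashes that VirusTotal can be searched by, confirm the file really is an SWF, inflate the compressed body, and check whether the declared length matches the real one (a mismatch is a common sign of a malformed or doctored file). The script below is an added example, not code from the thread or from any tool mentioned in it; the sample SWF it parses is constructed inline.

```python
import hashlib
import zlib
from dataclasses import dataclass


@dataclass
class SwfInfo:
    compressed: bool
    version: int
    declared_len: int   # uncompressed length claimed in the 8-byte header
    actual_len: int     # header plus the body we actually inflated
    frame_rate: float
    frame_count: int
    md5: str
    sha256: str


def _read_rect(buf: bytes, off: int) -> int:
    """Return the offset just past the RECT record starting at off."""
    nbits = buf[off] >> 3              # top 5 bits give the field width
    return off + (5 + 4 * nbits + 7) // 8


def triage_swf(data: bytes) -> SwfInfo:
    """Static triage of an SWF: signature, version, length check, hashes."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF: bad signature")
    compressed = data[:3] == b"CWS"            # CWS = zlib-compressed body
    version = data[3]
    declared_len = int.from_bytes(data[4:8], "little")
    body = zlib.decompress(data[8:]) if compressed else data[8:]
    off = _read_rect(body, 0)                  # skip the stage RECT
    frame_rate = int.from_bytes(body[off:off + 2], "little") / 256.0  # 8.8 fixed
    frame_count = int.from_bytes(body[off + 2:off + 4], "little")
    return SwfInfo(compressed, version, declared_len, 8 + len(body),
                   frame_rate, frame_count,
                   hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())


def _pack_rect(xmin: int, xmax: int, ymin: int, ymax: int, nbits: int) -> bytes:
    """Build a RECT record; only used to construct the sample below."""
    val = nbits
    for v in (xmin, xmax, ymin, ymax):
        val = (val << nbits) | v
    total = 5 + 4 * nbits
    return (val << ((-total) % 8)).to_bytes((total + 7) // 8, "big")


# Constructed sample: a 550x400 px stage (twips), 12 fps, 1 frame, End tag.
_BODY = _pack_rect(0, 11000, 0, 8000, 15) + (12 * 256).to_bytes(2, "little") \
    + (1).to_bytes(2, "little") + b"\x00\x00"
SAMPLE_CWS = b"CWS" + bytes([9]) + (8 + len(_BODY)).to_bytes(4, "little") + zlib.compress(_BODY)
```

The `declared_len` and `actual_len` fields are what to compare first; the two hashes can be searched on VirusTotal without ever uploading the file.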
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Quoted and translated from http://www.enciclopediavirus.com/virus/vervirus.php?id=4276 (in Spanish)

     
  5. Aeronautic1024

    Aeronautic1024 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    3
    First of all, I'm new to this... How do I upload the file?

    Secondly, I was informed by my employer (after I had notified them) that they had received the response from the service provider that it was a "one time" issue... But with no clarification whatsoever. The service provider is "very big"... It only showed on my home laptop, but not on my work PC. It did not show up again after the "first time". Is it likely that such a trojan shows up once, and never again? (From such a big company that should have extreme security precautions.)

    The trojan was discovered when I was opening some material (a file stored by me) on the database, from my home laptop; the "file" opens up in an "Internet Explorer window" (not in the "original program"). The "coincidence" is that a couple of days earlier there was a "conflict" between me and my employer (and the very large corporation above it), where the corporation's security was involved. The issue is/was of huge proportions.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I don't think that it was planted. You say it appeared on your home computer. Maybe you accidentally downloaded it and this is just a coincidence.
    If it was a keylogger or something like that, it would be more likely to have been planted by your employer, but a downloader, I don't think so.

    I just tested a sample on my home computer, and I'm no expert, but it doesn't seem like this is going to steal data or log keystrokes. It just creates some files in system32 folders.
    Most likely it then downloads another trojan or virus or whatever. It seems to try to connect, but I don't allow it to do such things :D

    [Attachment: trojan.JPG]
     
  7. Aeronautic1024

    Aeronautic1024 Registered Member

    Joined:
    Jul 17, 2008
    Posts:
    3
    Do you mean that the trojan could have come from somewhere else? NOD32 stated that it was the "exact file" that I had opened from that specific database... Actually it stated the filename, which originated from a file I had earlier generated on my "job computer" and later opened in the database (for checking some details of the intellectual property). The actual filename was very unique. I made the original file; perhaps they modified it to be able to open in an Internet Explorer window (I'm not an expert, as you might have figured out ;-) ). I might also say that I have opened the file earlier, but without any "trojan warnings"... When I say the file, I mean of course the file with the same filename... Whether it was changed in between remains a bit... blurry.
    The file was opened on purpose, as I should do when using the database.

    I might also add that the database is on a secure server (https).
     
    Last edited: Jul 17, 2008
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi,

    You could try and use the trial version of PE... (to reverse Engineer the trojan).
    http://www.heaventools.com/overview.htm

    I have more information in the "The Best Defense is a Powerful Offense!"
    section of my Advanced Cyber Self Defense page.

    I hope this helps...
     