Small.GL.Trojan (a real high tech rat)

Hi all

Where do i start? ...
i can't manage to write everything i know about this trojan right now ... it's late and i am a beaten man.
But i would like to get some definitions created so at least 1 scanner can pick it up ... and i felt this may be the best place to come and get the word out on this trojan/virus.

NOD's name (small.gl.trojan) does not do this thing much justice, and the trojan is just a part of the package ... this is also some type of virus ... as it is a bigtime .exe and .com infector, and has some spyware thrown in just to round out the package.

Currently after 5 days and 3 re-installs ( which also arrived at 3 re-infections i might add ) i give up on trying to run Windows and am currently speaking at you from the world of Linux. One of the main infections in Windows it creates is in the I386.cab driver file system and the addition of an ADMIN account .... it also sets group policy hash rules to take ownership of all your components (floppy, hard drive ...etc.) as well as keep you from running certain software like AV's and backup or disk utility's... (and the usual rat server is also set up)

But the weirdest twist is it using the program exe2bin.exe to create an image file of which it then implants in your ramdisk at block 0 ... which allows it to re-infect Windows on every install and keeps you from installing other OS's.

Any anti-trojan/virus company's want to have a crack at this beauty? ... or maybe someone can tell me how to get this implanted image file out of there?

 

Hi,

By definition, a trojan named as "small" is a small sized trojan. Can you please send any infected files, droppers to submit@diamondcs.com.au

 

What type of files do you prefer getting?

 

I used Midnight Commander in a Linux terminal and found out most of what is going on with this thing ... i can see all the embedded modules but can't delete them without knowing the password. Here is the product used to put the trojan boot image (.65mb's) into my system boards memory and ramdisk (http://www.cenatek.com/product_ramdisk.cfm) ... Info: http://www.cenatek.com/User_manual/RAMDiskXP Users Manual.html

I hope that is what my system is seeing as the hidden partition ... but you never know until it's gone. It also has the virus aspect that affects at least the .exe, .com, and .vbs exstensions, and it also takes over your disk controller (unfortunantly mines built-in) and contains a keylogger.

Gavin i have tried to send the files twice and its a few more mb's than my e-mail will allow ... but i have all the files saved on a CD ... or i can send you one of the small Hard Drives (2GB) with XP Pro SP1 installed with the trojan ... but if it's memory resident will that do you any good?

I can't get into Windows anymore to make the file any smaller ... it killed my AV , Firewall and all my Roms and floppy ...

 

I am buying a new board, memory, and possibly a hard drive today or tomorrow and thus will be able to get you those files Gavin ... This thing beat me up so bad i actually hate to go anywhere near that file now

Is there a way to snail-mail you the disc?

 

I guess not on the mailing the disc? ... or on what filetypes you want? ... or on getting any feedback at all? ... it's as if i am talking to myself in this post.

Gavin you seem either entirely dis-interested in this... or very, very busy ... Either way I will just find another place to submit the files/send the disc to, and you can continue with whatever your doing.

Good Luck All.