Small.GL.Trojan (a real high tech rat)

Discussion in 'malware problems & news' started by TBD, Jun 3, 2004.

Thread Status:
Not open for further replies.
  1. TBD

    TBD Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    9
    Hi all :D

    Where do i start? ...
    I can't manage to write everything I know about this trojan right now ... it's late and I am a beaten man.
    But I would like to get some definitions created so at least 1 scanner can pick it up ... and I felt this may be the best place to come and get the word out on this trojan/virus.

    NOD's name (small.gl.trojan) does not do this thing much justice, and the trojan is just a part of the package ... this is also some type of virus ... as it is a bigtime .exe and .com infector, and has some spyware thrown in just to round out the package.

    Currently, after 5 days and 3 re-installs (which also arrived at 3 re-infections, I might add) I give up on trying to run Windows and am currently speaking at you from the world of Linux. One of the main infections in Windows it creates is in the I386.cab driver file system and the addition of an ADMIN account ... it also sets group policy hash rules to take ownership of all your components (floppy, hard drive, etc.) as well as keep you from running certain software like AVs and backup or disk utilities ... (and the usual rat server is also set up)

    But the weirdest twist is that it uses the program exe2bin.exe to create an image file, which it then implants in your ramdisk at block 0 ... which allows it to re-infect Windows on every install and keeps you from installing other OSes.

    Any anti-trojan/virus companies want to have a crack at this beauty? ... or maybe someone can tell me how to get this implanted image file out of there?
     
    Last edited: Jun 3, 2004
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    By definition, a trojan named as "small" is a small sized trojan. Can you please send any infected files, droppers to submit@diamondcs.com.au
     
  3. TBD

    TBD Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    9
    What type of files do you prefer getting?
     
    Last edited: Jun 13, 2004
  4. TBD

    TBD Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    9
    I used Midnight Commander in a Linux terminal and found out most of what is going on with this thing ... I can see all the embedded modules but can't delete them without knowing the password. Here is the product used to put the trojan boot image (.65 MB) into my system board's memory and ramdisk (http://www.cenatek.com/product_ramdisk.cfm) ... Info: http://www.cenatek.com/User_manual/RAMDiskXP Users Manual.html

    I hope that is what my system is seeing as the hidden partition ... but you never know until it's gone. It also has the virus aspect that affects at least the .exe, .com, and .vbs extensions, and it also takes over your disk controller (unfortunately mine's built-in) and contains a keylogger.

    Gavin, I have tried to send the files twice and it's a few more MB than my e-mail will allow ... but I have all the files saved on a CD ... or I can send you one of the small hard drives (2GB) with XP Pro SP1 installed with the trojan ... but if it's memory resident will that do you any good?

    I can't get into Windows anymore to make the file any smaller ... it killed my AV, firewall and all my ROMs and floppy ...
     
    Last edited: Jun 9, 2004
  5. TBD

    TBD Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    9
    I am buying a new board, memory, and possibly a hard drive today or tomorrow and thus will be able to get you those files, Gavin ... This thing beat me up so bad I actually hate to go anywhere near that file now :eek:

    Is there a way to snail-mail you the disc?
     
  6. TBD

    TBD Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    9
    I guess not on the mailing the disc? ... or on what filetypes you want? ... or on getting any feedback at all? ... it's as if I am talking to myself in this post.

    Gavin, you seem either entirely disinterested in this ... or very, very busy ... Either way I will just find another place to submit the files/send the disc to, and you can continue with whatever you're doing.

    Good Luck All.
     