Name: Troj/Ritter-A
Type: Trojan
Date: 14 August 2002

At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.

Description

Troj/Ritter-A is a password stealing Trojan for Novell networks. The Trojan can only be used against NetWare 3 servers (or servers with bindery emulation enabled) because it uses the bindery as a database to store the passwords it steals.

The Trojan consists of two files. PROP.EXE must be run as SUPERVISOR to create the necessary storage area in the bindery. PROP.EXE is also used later to retrieve stolen passwords. LOGIN.EXE is a modified version of the NetWare 3 login program which an attacker must write over the genuine LOGIN.EXE in order to steal usernames and passwords as they are typed in.

More information about Troj/Ritter-A can be found at http://www.sophos.com/virusinfo/analyses/trojrittera.html