Trojan horse threatens latest Windows XP

Discussion in 'malware problems & news' started by ronjor, Dec 29, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    ZDNet
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Those who don't have a firewall are not gonna be safe against this trojan.
    Those using Internet Explorer should use another browser immediately.
     
  3. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Info here: http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
    NAV seems to have it in its virus defs:
     


  4. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    So non-IE users are OK for the time being?

    Jimbob
     
  5. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Here's an interesting quote from the article
     
  6. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    :D Propaganda.

    I'm guessing you need to be running IE to be affected and not just have it installed.

    Jimbob
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Jimbob1989,

    Please, if you are going to declare a post as propaganda or make "guesses" as to security issues, have something to back up what you are saying. I would like to see you make reference to what facts you base your post on.....
     
  8. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Sorry, you misunderstood what I meant; it may work like propaganda.

    Jimbob
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    It is not an issue of me misunderstanding what you mean; the issue is for you to take the time to research the answers that you give. Instead of making "guesses", research the question at hand and do some Google searches that you can reference in your answers. Try to make your answers based on facts as much as you can. Do not just reply back with whatever pops into your mind; THINK about your answers and try to make them as factual as possible...
     
  10. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    For Jimbob,
    The trojan is PHEL.A: http://securityresponse.symantec.com/avcenter/venc/data/trojan.phel.a.html
    Now Symantec (Norton) have already released defs....see my post above.
    So.......It is likely that many/most AVs also have the defs. You could check with yours. It appears to affect IE, but there is mention of help files in SP2. Now it might depend on how your progs are configured. E.g. I use FF but my default browser is still IE (maybe that's silly on my part)....That means if I click on a link in email or use Help or search for clipart while in Word it will (I think) connect with IE. The article is there to read and there are other links to follow. Read.
    Buck.
     
  11. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I'm running Live Update on Norton Antivirus Pro now.

    Jimbob
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This exploit uses a variation of the exploit that CWS uses to install on a computer.

    It is NOT an IE-specific problem but a Windows exploit that uses the IE integration in Windows to run the exploit.

    Just using Firefox or Opera etc. WILL NOT protect you; you are still potentially vulnerable,

    and it affects all versions of Windows, not just XP SP2 as suggested by Symantec.
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    One side effect you will notice of the antiviruses detecting this is that HJT logs showing the MHTML redirect code in them will spark off a warning, so your antivirus will attempt to close your browser and prevent the page being viewed.

    Also, if you are infected and attempt to make a HJT log to post, your antivirus will prevent the log being made.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    PivX's Qwik-Fix protects against this by configuring your system (hardening Windows) to not be vulnerable to this or other such exploits. :)

    (Note: You still shouldn't download things like help files from untrusted sources)

     
    Last edited: Dec 30, 2004
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thank you dvk01 for some most interesting info. Are you able to shed light on the following:

    I run Merijn's Bug-Off 1.10, which protects against the MHTML exploit for the cross-domain vulnerability in O.E. Will this protect against the Phel Trojan?

    How does CWS (and this Trojan) install on a computer? Am I correct in assuming that a properly configured I.E. will prevent this installation?

    Is it true that Qwik-Fix (which I tried and did not like - partly because I did not understand what it was doing!) will make adjustments which are intended to compensate for poor configuration of your system (in this case at least) - or is it offering some additional protection?
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    TopperID: Qwik-Fix is a hardening tool like Merijn's BugOff, but it has some options that no others have, and it auto-updates. PivX (the company that makes it) is a security research firm that finds vulnerabilities in products and releases alerts and workarounds. Qwik-Fix users' systems are automatically patched as soon as a vulnerability is found and a workaround made; it is as much a service as an application.
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Notok - The PivX people told me in an email that Qwik-Fix is a 'hardening tool', but I didn't understand what they meant by that and I still don't!

    What I noticed was that Qwik-Fix LOWERED the protection levels I had set in I.E. and removed all the entries Spybot S&D and SpywareBlaster had inserted in my Restricted Zone. PivX stated that these were merely hidden as they were unnecessary due to Qwik-Fix's 'hardening' effect (which they declined to explain).

    Qwik-Fix has always sounded too good to be true to me, and until I understand more about it I do not have confidence in its use. If it was so good why isn't everyone recommending it?
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    mcafee also detects the phel trojan.
     
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Spanner - Thanx for that article. I wondered why I couldn't find the 'My Computer' zone; I never figured on having to do Reg editing to get there, but now I know!
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Topper: Think of a program like BugOff or (more appropriately) SafeXP that auto-updates and has a whole team searching out new vulnerabilities. They deploy "quick fixes" to Qwik-Fix which get applied to your system immediately, effectively patching your system against the vulnerability until MS can put out a proper patch. I don't think you'll get a lot of technical details about all that it protects against because they deploy fixes before the vulnerability is ever announced. There are some things that BugOff, SafeXP, etc. cover, but Qwik-Fix also covers some things that other patches do not. I've read around the web that they are also planning to implement some other stuff into the program like buffer overflow protection, but haven't seen or heard any updates on that. I believe they will also be covering more third-party products in the future (they already cover one AIM vulnerability).

    I couldn't say why more people don't know about the product other than that a) people don't generally get all that excited about hardening Windows, and b) they haven't done a lot of marketing that I can see. Popularity doesn't always equate to quality, however. But if you want to protect against IE attacks, this is the only tool I've seen that promotes that it resolves all cross-zone scripting vulnerabilities.
     
  21. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The fundamental difference between BugOff and Qwik-Fix is that the latter messes about with my I.E. settings while the former does not! I like to have I.E. tightly configured when I go to possibly 'risky' sites, I cannot live with any application that LOWERS those settings unless I understand what it is doing.

    BugOff does at least inform you what it is doing and what the side effects will be; Qwik-Fix does not. As for cross-zone scripting vulnerabilities, I have more confidence in 'hardening' all my Zones (including the procedure referred to by Spanner above) than having Qwik-Fix apparently reduce the level of protection because, they say, it is not necessary with their product.

    I know that Merijn recommends Qwik-Fix, but he knows what he is doing; it is a question of what I feel most comfortable with. I still use I.E. because I have not been infected despite going to sites where infection is said to be 'guaranteed' (with default settings at least). Why should I put that at risk by trying something that is an unknown quantity?

    Besides, I have a natural aversion to 'quick' fixes - I don't believe they exist!
     