dll32NT.hlp ( Trojan.IrcBounce ) 

/me thinks Trojan from IRC.FLOOD.U may have something to do with this.
Ran House Call and it caught 2 files that my up-to-date Norton did not; IRC.FLOOD.U
and TROJ.FLOOD.U, which pointed to C:\WINNT\system32\dll32.hlp and
C:\WNNT\system32\task32.exe.

Has anyone had any experience with these at all? Would appreciate any input.
Thank you in advance.

don
============

Note: Changed the extensions of dll32.hlp to dll32.hlpold, and task32.exe to
task32.exeold, and ran any number of programs without any problem. Afterward,
removed these files to floppy and made note of the location. During all of this, I
noticed another file called dll23NT.hlp with a very recent date, so I did a search
(Google) and lo and behold, I come up with a name for a Trojan called
"Trojan.IrcBounce". This leads to a whole list of files included in this punk's
attack.

The additional files are as follows: (But were "not" detected by Norton on this
box)

==============
(C & P)start
(NOTE: Viewing all possible files Windows allows, including system, hidden)
 This Trojan consists of the following programs, all of which are detected as
Trojan.IrcBounce by Symantec antivirus products:
  a. Dll32.hlp (ren DLL32.HLPold, copied to floppy and del)
  b. Dll32nt.hlp (ren DLL32NT.HLPold, copied to floppy and del)
  c. Xvpll.hlp (ren XVPLL.HLPold; not del)
  d. Httpsearch.ini (not found in a windows search)(no DOS search)
  e. Nt32.ini (ren NT32.INIold; not del)
  f. Gg.bat (found changed to GG.BATold; not del)
  g. Seced.bat (ren SEC.BATold)
  h. Tftp8675 (ren TFTP8675.old; not del)
  i. V.exe (no joy)
  j. Mt.exe (no joy)

This Trojan also uses the following clean programs, which are not detected by
Symantec antivirus products:
  a. Kill.exe (found, researching)(Had earlier copy from M$ ResKit98; different
file size)
  b. Mdm.exe (no joy)
  c. Mdm.scr (ren mdm.scrOLD; not del)
  d. Ncp.exe (ren ncp.exeOLD; not del)
  e. Psexec.exe (ren psexec.exeOLD; not del)
  f. Taskmngr.exe (no joy)
(C & P)stop
===============
This is as far as I have gone; in fact there have been no adverse effects from the
changes, but of course, I haven't booted, and opened and tested apps running
either.
Any thoughts very much appreciated.

TIA,
don
===============



Mon, 04 Jul 2005 02:53:54 GMT  
 