August 2nd, 2005
erikinlongbeach
Novicius
 
Join Date: August 2nd, 2005
Posts: 3
Gnutella W32.Alcra.B Virus/Trojan Migration

Beware of the 851.7KB Trojan Horses!

OS: Windows
Client: Any
Internet Connection: Any
Error Message: None (yet)

I often have seen files (<1 MB) when I search for software. Often, I
search the P2P networks if I'm looking for a particular file. This
is much easier than searching the web for patches, updates, service
packs, and other files. I became suspicious when files of the same
size often appear for different searches. I noticed this even about
6 months ago.
Upon viewing the files on a particular host, the file
name is different from what it appears in the search. This is
obviously related to how Limewire tracks the same file with
differing file names. Once in a while, this method fails and you
download a file completely different from what you thought you were
downloading.
Recently, I have seen a lot of search results containing a 851.7 KB
file. Most of the time, this file appears in the search results
first and multiply. I suspect that malicious users take advantage of
the open source network to modify the programming solely for the
distribution of malicious code (malware), which includes viruses,
trojan horses, and spyware. I wish Limewire would add a feature to
further limit the search by file size or range.
Curious about these files, I downloaded a few of them. I opened the
file with WinZip. This file had a ZIP file extension, but it can be
another extension, or an executable (.EXE, .COM, etc.). In the file,
there was only one file, 'setup.exe', and it was about 2.6 MB
uncompressed. I have seen this before, except the file was about 5
MB. In the previous case, I just deleted it. I suspected maybe a
malicious program like spyware. I checked it out with Norton
Anti-Virus. WinZip facilitates running a virus scanner from a menu
or the keyboard, provided that it's set up properly. Norton
Anti-Virus produced a dialog box that said a virus was detected and
immediately removed. The location was from the temporary directory.
The virus was detected as "W32.Alcra.B". The same virus appeared
for the second file downloaded. Both ZIP files were deleted
afterward. The CRC32 for 'setup.exe' was 0x8C304414 for the two ZIP
files examined. The CRC32 could be different since the majority of
the file is probably filler data to fool the end user.

These should be common sense, but just in case, here are some
suggestions to avoid infection:

1. Always check files with a virus scanner program, such as Norton
Anti-Virus, McAfee or similar. Keep virus definitions updated
regularly.

2. Use other known and trusted virus scanners in addition to the
more popular anti-viral programs. The reason for this is hackers are
more familiar with how to undermine and defeat the protection of the
more common anti-viral programs and might be less successful with
less common programs.

3. Use anti-Spyware programs such as Ad-Aware, Microsoft
Anti-Spyware, and other commercial programs. The same applies to
spyware definitions.

4. If a file has the wrong or unreasonable file size, don't download
it, or delete it if you have.

5. Never execute (run) unknown, unscanned files.

6. Turn on firewall features. A hardware-based firewall is better.
Most routers/gateways have firewalls built into the firmware. Block
all unnecessary ports. Don't use the Demilitarized Zone (DMZ Hosts)
feature unless you really know what you're doing.

I hope readers in this forum find this post helpful. Feel free to
post any other helpful suggestions.

Erik
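As an added example (my own triage script, not code from Erik's post or from LimeWire), here is a Python helper that applies the indicators the post describes to a downloaded archive before anyone opens it: the archive size of about 851.7 KB, the single `setup.exe` member, and the reported CRC32 of 0x8C304414. The size tolerance, the `known-bad` / `suspicious` / `clean` verdict levels, and the sample archives built in `build_sample_archive` are my assumptions; the CRC value and the 851.7 KB figure are the ones stated in the post. It reads only the ZIP central directory (no member is extracted or run).

```python
"""Triage ZIP files pulled from a P2P search against the indicators in the
forum post above. Added example, not the poster's or LimeWire's code."""
import io
import zipfile
import zlib

# Indicators taken from the post: lure archives were about 851.7 KB and held
# one 'setup.exe' whose CRC32 (as shown by WinZip) was 0x8C304414.
SUSPECT_ARCHIVE_SIZE_KB = 851.7
SUSPECT_MEMBER_NAME = "setup.exe"
KNOWN_BAD_CRC32 = frozenset({0x8C304414})

# Assumed: how far an archive may deviate from the reported size and still
# count as a size match (the post only gives the one figure).
DEFAULT_SIZE_TOLERANCE_KB = 2.0


def crc32_of(data: bytes) -> int:
    """CRC32 as ZIP tools display it (unsigned 32-bit)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def inspect_archive(data: bytes,
                    known_bad_crcs=KNOWN_BAD_CRC32,
                    size_tolerance_kb=DEFAULT_SIZE_TOLERANCE_KB) -> dict:
    """Return a report dict for one archive held in memory.

    Only the central directory is parsed; members are never decompressed,
    so a malicious payload is not touched. Verdicts (assumed scheme):
      known-bad  -> a member CRC32 matches a known sample
      suspicious -> two or more heuristic findings
      clean      -> nothing matched
    """
    report = {
        "size_kb": round(len(data) / 1024, 1),
        "valid_zip": False,
        "members": [],
        "findings": [],
        "verdict": "clean",
    }
    if abs(report["size_kb"] - SUSPECT_ARCHIVE_SIZE_KB) <= size_tolerance_kb:
        report["findings"].append("archive size matches the reported lure size")

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        report["findings"].append("not a valid ZIP archive")
        return report
    report["valid_zip"] = True

    crc_hit = False
    for info in infos:
        # info.CRC is the value stored in the central directory, i.e. what
        # WinZip lists, so it is comparable to the figure in the post.
        report["members"].append({
            "name": info.filename,
            "size": info.file_size,
            "crc32": f"0x{info.CRC:08X}",
        })
        if info.CRC in known_bad_crcs:
            crc_hit = True
            report["findings"].append(f"{info.filename}: CRC32 matches a known-bad sample")
        if info.filename.lower().endswith((".exe", ".com")):
            report["findings"].append(f"{info.filename}: executable inside archive")

    if len(infos) == 1 and infos[0].filename.lower() == SUSPECT_MEMBER_NAME:
        report["findings"].append("single-member archive containing setup.exe")

    if crc_hit:
        report["verdict"] = "known-bad"
    elif len(report["findings"]) >= 2:
        report["verdict"] = "suspicious"
    return report


def build_sample_archive(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-member ZIP, stored (uncompressed) so its
    on-disk size is predictable. Used only to exercise inspect_archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


# Constructed filler sized so the stored archive lands at about 851.7 KB.
LURE_PAYLOAD = (b"filler data to pad the archive " * 30000)[:872141]


def main():
    lure = build_sample_archive("setup.exe", LURE_PAYLOAD)
    benign = build_sample_archive("readme.txt", b"hello")
    for label, blob in (("constructed lure", lure), ("constructed benign", benign)):
        rep = inspect_archive(blob)
        print(f"{label}: {rep['size_kb']} KB, verdict={rep['verdict']}")
        for f in rep["findings"]:
            print("  -", f)


if __name__ == "__main__":
    main()
```

The script deliberately stops at the central directory: it never calls `extractall` or reads a member, so it can be run over a download folder as a pre-scan before the antivirus step the post recommends, and it will still report a file that is not a ZIP at all (the post notes the lure can also arrive as a bare .EXE or .COM).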