
Forget Viruses-- Heard of Trojan Horse??? New menace on the NET!
by Kaushal Mehta

There has been a recent spate of trojans and exploits that let someone else control your computer over the Internet. Worse, they can read any file on your hard drive, grab your Internet password or any other sensitive information, and even format your hard drive.

So what is a Trojan Horse?

A Trojan horse is defined by FOLDOC as a "malicious, security-breaking program that is disguised as something benign", such as a screen saver, game, hack, nuke, etc. Instead of doing what it promises, running the file hands control of your computer to somebody else, who can then take over your IRC channels, steal account passwords, modify or erase files on your disk, use your computer to perform felonious denial-of-service attacks on others, or worse. Trojans are not the same as viruses (they do not copy themselves), but once you are "infected" the effects are just as dangerous, and you can pass the trojan on to others by forwarding the file without even being aware of it.

Is your computer infected?

Trojans are typically files with suffixes like .ini, .exe or .com, such as "dmsetup.exe". These days nearly all trojans are spread in the guise of a free game or other software. You probably downloaded one from a WWW or FTP archive, an ICQ file exchange, or through IRC's DCC file transfer (by a manual /dcc get or, worst of all, an "auto DCC get" feature that allows anybody to send you anything, including not only trojans but also viruses, child porn, etc.). Typically the trojan has to be run manually once; it then silently installs its components all over your disk.

You may say that you never download files from people or sites you are not 100% sure about. But the most common way to get a trojan is from friends and known people on ICQ or by e-mail: these are the people whose file transfers you cannot refuse. Just for fun, or to invade your privacy, they send you a trojan saying it is a nice joke or a game; you accept the file and run it, and along with the joke or the game the trojan gets installed. Yes, nowadays any picture or .exe file can have a trojan attached to it with the help of software such as a "joiner" or SilkRope, so the trojan is merged into the file you were expecting.

Signs to watch out for?


While you are surfing the net your CD-ROM drawer opens and closes on its own, sound files start playing, or your desktop background changes by itself. Worse, your computer restarts on its own (giving the attacker the opportunity to capture your Internet password when you log back in), or your keyboard hangs. See the image below for everything an attacker can do: it is a screen dump of the NetBus client.

[Figure: screen dump of the NetBus client]

Names of the most common trojans

  1. Back Orifice

     This sophisticated backdoor program is not specific to IRC at all. Once downloaded and run, it allows attackers to remote-control your computer almost as if they were sitting right in front of it. They can change or steal your passwords, run or delete files, reboot the computer, format your disk, etc., all without your knowledge or consent.

     Downloaded as a relatively large .exe or .zip file, typically about 125 kB. It creates " .exe" (a file whose name is a single space) in C:\WINDOWS\SYSTEM, which appears to be nameless in a directory listing, and adds a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices so that it starts with Windows.

     To remove it, follow this link:

     http://lrbcg.softseek.com/Utilities/Virus_Protection/Review_19487_index.html

  2. NetBus

     Like Back Orifice (BO) above, NetBus is a backdoor program that allows others to access your computer remotely. One thing that sets it apart from BO is the ability to open and close your CD-ROM drawer. In addition, like BO, it allows others to change or steal your passwords, run or delete files, reboot your computer, format drives, and even make your computer unable to start up.

     Your machine listens for TCP connections on port 12345 (NetBus 1.x) or 20034 (NetBus 2), although this can be changed in more recent versions. Telnetting to those ports returns a greeting like "NetBus [version number]".

     It creates a Windows registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or, for version 2 or later, a key under HKEY_CURRENT_USER\NetBus Server\.

  3. SubSeven, the latest and the deadliest

     Similar to Back Orifice but with many advanced features, including webcam support.

[Figure: the SubSeven client screen]
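The port and greeting described in the NetBus entry above give a quick check that does not depend on anti-virus signatures: connect to the default ports and see whether something answers with "NetBus". The script below is an added example, not code from the original page. Its fake NetBus server is a constructed stand-in (it only reproduces the greeting) so the check can be exercised offline on the loopback address; as the text notes, a server whose port has been changed will not be found this way, and Back Orifice is not probed because its default service is UDP and sends no greeting.

```python
import socket
import threading

# Default TCP ports given on this page for NetBus 1.x and NetBus 2.
DEFAULT_PORTS = {12345: "NetBus 1.x", 20034: "NetBus 2"}


def grab_banner(host, port, timeout=2.0):
    """Open a TCP connection and return the first bytes the listener
    volunteers (decoded as latin-1), '' if it stays silent, or None if
    the connection is refused or times out (nothing is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
        return data.decode("latin-1", errors="replace")
    except OSError:
        return None


def looks_like_netbus(banner):
    """The NetBus server greets every client with 'NetBus <version>'."""
    return banner is not None and banner.lstrip().startswith("NetBus")


def check_host(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe each port; return {port: (label, banner, is_netbus)} for the
    ports that accepted a connection. Anything listening on these ports
    deserves a look even when the greeting is not NetBus."""
    findings = {}
    for port, label in ports.items():
        banner = grab_banner(host, port, timeout)
        if banner is None:
            continue
        findings[port] = (label, banner.strip(), looks_like_netbus(banner))
    return findings


def start_fake_netbus(banner=b"NetBus 1.70\r\n"):
    """Constructed stand-in for a NetBus 1.x server, used only to exercise
    the check offline: listens on a free loopback port and sends the
    greeting to every client. Returns (server_socket, port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener shut down by stop_fake_server
                return
            with conn:
                conn.sendall(banner)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv, port, thread


def stop_fake_server(srv, thread):
    """Unblock accept() and close the listener so the port is free again."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    thread.join(timeout=2)
    srv.close()


if __name__ == "__main__":
    srv, port, thread = start_fake_netbus()
    print(check_host("127.0.0.1", {port: "fake NetBus"}))
    stop_fake_server(srv, thread)
    print(check_host("127.0.0.1"))  # real probe of the default ports
```

Run it on the machine you suspect (against 127.0.0.1) or against another PC on your LAN. An empty result means nothing accepted a connection on those ports; a result with the NetBus flag set is the same evidence the telnet test in the text gives, collected without typing at a terminal.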

List of other trojans

  Backdoor.BO (aka Backorifice)
  Backdoor.DeepThroat
  Backdoor.Executor
  Backdoor.Netbus
  Backdoor.Phase (aka Phase Server)
  Backdoor.TheThing
  Backdoor.Choleepa
  Crackers On4ever (Trojan)
  PKZIP300 Trojan
  Trojan.AOL.Buddy
  Trojan.BuggyHidp
  Trojan.Durell
  Trojan.FlashKiller
  Trojan.Macro.Excel.Taiwanes
  Trojan.Macro.Word.Format
  Trojan.Macro.Word.Nikita
  Macro.Word97.Trojan.Thief
  Trojan.NetPatch
  Trojan.PSW family
  Trojan.Stdout
  Trojan.Telefoon
  Trojan.Win.BadSector
  Trojan.Win.BuggyShell
  Trojan.Win.Heckler
  Trojan.Win32.AntiBTC
  Trojan.Win32.Antigen
  Trojan.Win32.Coke
  Trojan.Win32.DiskAdmin
  Trojan.Win32.LoveYou
  etc.

How do I get rid of trojans?

Always use a good anti-virus product such as AVP or Norton AntiVirus. These and other anti-virus programs can detect and warn you of possible attacks by viruses as well as trojans. Update your anti-virus signatures at least once every 14 days; you never know when a new trojan will appear. You can also download small, dedicated trojan-removal tools such as LockDown 2000 or The Cleaner and run them on your computer.

For example, LockDown 2000 and The Cleaner can detect more than 50 types of trojans, including new ones. Bear in mind that such tools recognise the trojans they know about, so keeping them updated matters as much as running them.

Just download LockDown 2000 or The Cleaner, run it on your computer, and then sleep with peace of mind.
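Besides running a removal tool, you can check the autostart locations named for Back Orifice and NetBus earlier on this page yourself: export the Run and RunServices keys with regedit (File > Export, or `regedit /e file.reg key`) and read through them. The script below is an added example, not code from the original page: it parses a REGEDIT4-style export, lists every value under those keys (everything there starts with Windows), and flags the blank-name " .exe" trick the Back Orifice entry describes. The sample export is constructed for the example, and treating PATCH.EXE as a suspect name follows public NetBus write-ups rather than anything stated on this page.

```python
import re

# Autostart keys named on this page: Back Orifice uses RunServices,
# NetBus 1.x uses Run. HKCU\...\Run is added as the per-user equivalent.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# A value line in a .reg export: "name"=data or @=data for the default value.
_VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
# The program image inside a Run value: a quoted path, a path ending in
# .exe/.com (may contain spaces, e.g. " .exe"), or the first bare token.
_IMAGE_RE = re.compile(r'^(?:"([^"]*)"|(.*?\.(?:exe|com))(?=\s|$)|(\S+))', re.I)


def _unescape(s):
    """Undo the .reg string escapes: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4 / Version 5.00
    export. String values are decoded; dword:/hex: values are kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _image_name(command):
    """Base name of the executable a Run value launches, spaces preserved."""
    m = _IMAGE_RE.match(command)
    path = next((g for g in m.groups() if g is not None), "") if m else ""
    return re.split(r"[\\/]", path)[-1]


def audit_autoruns(keys, suspect_names=()):
    """Return [(key, value_name, data, reason)] for every value under an
    autorun key. reason is 'blank-name executable' for the ' .exe' trick,
    'known trojan name' for images in suspect_names, otherwise 'review'."""
    suspects = {n.lower() for n in suspect_names}
    wanted = {k.lower() for k in AUTORUN_KEYS}
    findings = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            image = _image_name(data)
            lowered = image.lower()
            if lowered.endswith((".exe", ".com")) and image[:-4].strip() == "":
                reason = "blank-name executable"
            elif lowered in suspects:
                reason = "known trojan name"
            else:
                reason = "review"
            findings.append((key, name, data, reason))
    return findings


# Constructed sample export (not a real machine's registry).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"Patch"="C:\\WINDOWS\\PATCH.EXE /nomsg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\ .exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
"""

if __name__ == "__main__":
    for key, name, data, reason in audit_autoruns(
            parse_reg_export(SAMPLE_REG), suspect_names=("patch.exe",)):
        print(f"{reason:24} {key.rsplit(chr(92), 1)[-1]:12} {name!r:20} {data}")
```

Feed it a real export with `parse_reg_export(open("file.reg", encoding="utf-16").read())` for Version 5.00 exports (Windows writes those as UTF-16) or `encoding="latin-1"` for REGEDIT4 files. Treat every "review" line as something to recognise: a trojan that does not use the blank-name trick will simply be one more entry here, so compare the list against what you know you installed.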

Related links and more info

http://etotal.unikorn.net/index_en.html
http://www.avp.ch/avpve/trojans.stm
http://members.aol.com/mjmvwa/rmv_main.htm
http://www.ozemail.com.au/~netsafe/trojan_index.html
http://www.dynamsol.com/moosoft/

 



Copyright 1999 Dr. Raj Mehta. All rights reserved.