Showing results for 
Search instead for 
Did you mean: 

New Trojen Variant Info


New Trojen Variant Info

I am forwarding information sent to me from Message Labs concerning a new varient of a trojen (designed to fool users in relation to w32.blaster.worm) See bleow for the relevant details:-

On 15th August 2003, MessageLabs the email security company stopped copies of a new variant of a trojan in emails purporting to be a fix for the recent Blaster worm. All of the initial copies intercepted originated from China.

Name: Troj/Backdoor-ARR
Aliases: Troj/GrayBird.A
Time & Date first Captured: 15th Aug 2003, 17:35GMT
Origin of first intercepted copy: China

The new variant Backdoor-ARR trojan arrives as an attachment in an email that appears to have been spammed to a number of email addresses. This trojan enables an infected computer to be access and controlled remotely via the internet, and allows the attacker to steal passwords, send emails, and record keystrokes.

The email may also comprise the following characteristics:

From: (NB: The sender address has been spoofed)
Subject: updated
[…] Microsoft began investigating a worm reported by Microsoft
Product Support Services (PSS). A new worm commonly known as
W32.Blaster.Worm has been identified that exploits the vulnerability
that was addressed by Microsoft Security Bulletin MS03-026.

Download the attached update program. […]

Attachment: 03-26updated.exe (319,670 bytes)

MessageLabs detected this email threat proactively, using its unique and patented Skeptic™ predictive heuristics technology. For further information, please visit the MessageLabs website at:

Advice on the Blaster worm (aka LovSan)
The Blaster worm, also dubbed MSBlast (aka. LovSan) does not spread via email and as a result, MessageLabs will not see it in the wild since it does not propagate using SMTP.

However, this worm spreads by exploiting a recently announced Windows RPC vulnerability (MS03-026) and by randomly scanning IP addresses looking for vulnerable machines on TCP port 135 (RPC). It will then attempt to create a remote shell on TCP port 4444, instructing the target to download the code through TFTP (UDP port 69).

A firewall properly configured to block access through these ports will prevent this worm from spreading, even if the machine has not been patched. It is still recommended that the latest Windows patches are installed on any computer connected directly to the Internet. To remove any cause for doubt, it is finally worth performing thorough anti-virus scans on any potentially vulnerable machines, using the latest anti-virus signatures available from your vendor.

It is increasingly important to ensure that a machine connected to the Internet is secured through a firewall that does not permit connections on any ports that are unused.