Telecom and Logistics Associates 

TLAalert Security Service

Publication: Christian ALT

TLAnews: Security News Service

13.7.2000 Security: New Trojan TROJ_KRASS and new virus VBS_PICA have emerged in recent days.
Trend Micro reports that a new Trojan and a new virus are starting to circulate. But no panic: the risk level is low, just be aware and watch what happens.

French summary: New Trojan TROJ_KRASS and virus VBS_PICA appear
TrendMicro informs us that there is a new Trojan as well as a new virus. But no panic: the risk level is low; it is a matter of being attentive and watching what happens.

English version

The current state is defined as quiet, with a low risk. In plain terms: be aware that it exists, but we have not been informed of any infection.

The Trojan called TROJ_KRASS consists of two parts, the client program and the server program. The server program allows a remote user to control the infected PC, while the client program, once executed, can log in to the server program and remotely control the PC.

Watch your firewalls for activity on port 456; this might be TROJ_KRASS in full activity.

VBS_PICA is a new virus using Outlook and the address book to propagate... Sounds too familiar?

Summary (translated from French)
There is no reason to panic; it is just a new Trojan that allows a machine to be controlled remotely. It consists of a server component that must be on the infected machine and a client component that allows the machine to be controlled remotely.

Watch your firewalls for activity on port 456; it could be TROJ_KRASS making its entrance.

VBS_PICA is a new virus that uses Outlook and the address book to propagate... Does that sound too familiar?


TROJ_KRASS

The server program creates a socket and binds it to port 456. It listens on this port to establish a connection with the client program, and it uses the name "Explorer" to avoid detection. Once the server establishes a connection with the client, the client has remote access to the infected PC.
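The firewall advice given above can be turned into a small triage script. The following Python is an added example, not part of the original alert and not code from TrendMicro or TLA; the log lines are constructed, and their generic "key=value" format is an assumption (adjust the regular expression to your firewall's real export format). It flags TCP connections addressed to port 456 and summarises, per internal host, how many were accepted versus dropped, because an accepted inbound session on that port means a process on the host was actually listening.

```python
"""Triage firewall log lines for the TROJ_KRASS indicator: a TCP listener on port 456.

Added example. The log format below is a generic, constructed one (an assumption,
not any vendor's format); the advisory itself only supplies the port number.
"""
import re
from collections import defaultdict

# Constructed sample lines (generic key=value format, assumed).
SAMPLE_LOG = """\
2000-07-13T08:01:12 action=accept proto=tcp src=10.0.0.5:1042 dst=10.0.0.20:80
2000-07-13T08:02:40 action=accept proto=tcp src=192.0.2.17:3311 dst=10.0.0.44:456
2000-07-13T08:03:02 action=drop proto=tcp src=192.0.2.99:4567 dst=10.0.0.44:456
2000-07-13T08:03:55 action=accept proto=udp src=10.0.0.44:456 dst=10.0.0.1:53
2000-07-13T08:05:10 action=accept proto=tcp src=198.51.100.8:2000 dst=10.0.0.44:456
"""

KRASS_PORT = 456  # port the TROJ_KRASS server binds, per the advisory

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_krass_connections(log_text, port=KRASS_PORT):
    """Return the records of TCP connections whose destination port is `port`.

    Only TCP with destination port == port counts. A UDP datagram whose *source*
    port happens to be 456 (line 4 of the sample) is ordinary ephemeral-port use,
    not the backdoor listener, and must not be flagged.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            hits.append(rec)
    return hits


def summarize_by_victim(hits):
    """Count accepted vs dropped attempts per destination host, with the peer addresses.

    An accepted inbound session to port 456 means something on that host answered:
    that host is the one to inspect for a process calling itself "Explorer" and
    listening on 456.
    """
    summary = defaultdict(lambda: {"accept": 0, "drop": 0, "sources": set()})
    for rec in hits:
        entry = summary[rec["dst"]]
        entry[rec["action"]] = entry.get(rec["action"], 0) + 1
        entry["sources"].add(rec["src"])
    return {
        host: {"accept": v["accept"], "drop": v["drop"], "sources": sorted(v["sources"])}
        for host, v in summary.items()
    }


if __name__ == "__main__":
    for host, info in summarize_by_victim(find_krass_connections(SAMPLE_LOG)).items():
        print(f"{host}: {info['accept']} accepted, {info['drop']} dropped, "
              f"from {', '.join(info['sources'])}")
```

Run against the constructed sample, the script reports one internal host (10.0.0.44) with two accepted and one dropped connection to port 456 from three different external addresses; the UDP line with source port 456 is correctly ignored.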

The client program enables a remote user who is running it to establish a link to the infected PC. The remote user can then perform any of the following on the infected PC:

  • Enable Disk Access (R/W)
  • Delete Files/Folders
  • Run an application
  • Download File
  • View the victim's running processes
  • Get RAS passwords

The client program also contains some functions that let it be used as a standalone program: it has an option to change any window's title, properties and buttons, and to view a window's registered class name.

The server program has one hidden switch which, when enabled, prevents the client program from doing any disk access. With this, the server program becomes useless: the only thing the client program can then do is "view" the running processes of the victim's PC. To enable this feature, the switch /SECRET is added on the command line. The program then displays a window with four options:

  1. Disable RAS Password
  2. Disable Disk Access
  3. Disable File Deleting
  4. Disable Button Clicking

Neither program modifies any files, and both can easily be closed. The server program can be closed by hitting the (x) close button or by pressing Ctrl-Alt-Del, while the client program can be closed by choosing "exit".

Aliases under which this trojan is also known: KRASS, BackDoor.Krass, BackDoor-AH.svr, BackDoor-AH.cli

     

Another virus, named VBS_PICA.A, emerged in recent days

This VBScript uses "CScript.exe/WScript.exe" to execute its script file. Once executed, it drops a file "SillyWorm.vbs" in the Windows folder and adds a value named "SysBoot" under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Then it sends out an email with itself as an attachment to all contacts in the infected user's address book. After the emails have been sent, the virus adds a registry marker to signify that they have already gone out: a value named "mailed", with data "1", is added under the following registry key:

HKEY_CURRENT_USER\Software\SillyWorm
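The two registry locations above are the host-side indicators an administrator can check for VBS_PICA. The following Python is an added example, not part of the original alert and not TrendMicro's or TLA's code: it parses a registry export in the text format produced by REGEDIT (the "Windows Registry Editor" .reg format) so it can run offline against an export collected from a machine, then looks for the "SysBoot" Run value and the "mailed" marker. The sample export is constructed; in particular the data of the SysBoot value (a path to SillyWorm.vbs in the Windows folder) is an assumption, since the alert names only the value and the dropped file.

```python
"""Check a Windows registry export (.reg text) for the VBS_PICA indicators named in the alert.

Added example, not the original page's code. The sample export is constructed; the
SysBoot value's data is assumed (the alert gives only the value name and the file).
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\SillyWorm"

# Constructed .reg export; "ExampleTool" is a benign placeholder Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysBoot"="C:\\WINDOWS\\SillyWorm.vbs"
"ExampleTool"="C:\\Program Files\\ExampleTool\\tray.exe"

[HKEY_CURRENT_USER\Software\SillyWorm]
"mailed"="1"
'''

# "name"=data ; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Minimal parser for REGEDIT exports: returns {key_path: {value_name: data}}.

    REG_SZ data is unquoted and unescaped; other types (dword:, hex:) are kept as
    their raw text, which is enough for indicator matching.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def check_vbs_pica(keys):
    """Return a list of indicator descriptions found; an empty list means none present.

    Registry key and value names are case-insensitive, so comparisons are lowercased.
    """
    findings = []
    norm = {k.lower(): v for k, v in keys.items()}
    for name, data in norm.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "sysboot":
            findings.append(f"Run value 'SysBoot' present (data: {data})")
        elif "sillyworm.vbs" in data.lower():
            findings.append(f"Run value '{name}' references SillyWorm.vbs")
    marker = norm.get(MARKER_KEY.lower())
    if marker is not None:
        findings.append(f"key {MARKER_KEY} exists")
        if marker.get("mailed") == "1":
            findings.append("marker 'mailed'=1: the worm has already mailed the address book")
    return findings


if __name__ == "__main__":
    for finding in check_vbs_pica(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", finding)
```

A clean export yields no findings; the constructed one yields three (the SysBoot Run value, the SillyWorm key, and the mailed=1 marker). The presence of the marker matters for response: it tells you the address-book mailing has already happened, so the contacts of that user should be warned rather than merely the host cleaned.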




Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 12, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.