Author Topic: Xenon2 Game (Trojan/Spyware)  (Read 4094 times)


Offline GrizeBar

  • Jr. Member
  • **
  • Posts: 49
  • I'm a llama!
Xenon2 Game (Trojan/Spyware)
« on: August 08, 2004, 05:23:26 PM »
There is a file available for download currently being advertised in some Usenet newsgroups. It assumes to be the old DOS VGA game Xenon2 (Xenon2.zip), but is actually a spyware generator in disguise.
The game directory appears similar to the original game setup, but the Setup executable creates a file called MSCONFIGS.EXE in the \Windows\System directory, and adds the file to the RUN section of the system registry.
I inadvertently ran this file and discovered that my firewall (Sygate) reported that MSCONFIGS.EXE was attempting to connect to the Internet. I did a little Google search and came up with this:

---------------
On Sun, 08 Aug 2004 08:03:22 GMT, <email snipped> wrote:
>Quite simply the best shootemup ever!
<snip>
Creates a file called 'msconfigs.exe' in (typically) C:\Windows\System32\
Tries to connect to :
tc-operator2.telecom.cc.cmu.edu [128.2.120.114], port 9500
There's also a shed load of registry changes going on, according to
TCMonitor (The Cleaner).
Post reported to abuse dept. at ntlworld.com
NOD32 and The Cleaner Professional 4.1 didn't detect anything. What is this
thing ? Adaware didn't find anything.
I know I'll probably take some heat for netcopping and
uninformed-malware-analysis but I've just got to know if this is definitely
something to worry about, or it was, actually, a spammed game.
Cordially,
Kleeb.
----------------
I ran Avast scanner on the system and it did not detect the file or anything in memory. Is this a new issue that we should address?

grizebar@msn.com
bigdas1@verizon.net
grizebar@netzero.net

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31344
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:Xenon2 Game (Trojan/Spyware)
« Reply #1 on: August 08, 2004, 05:28:51 PM »
Does Avast pick it up? If not, please send the file and a link to this thread to virus@avast.com

Offline GrizeBar

  • Jr. Member
  • **
  • Posts: 49
  • I'm a llama!
Re:Xenon2 Game (Trojan/Spyware)
« Reply #2 on: August 08, 2004, 05:35:15 PM »
> Does Avast pick it up? If not, please send the file and a link to this thread to virus@avast.com

No, I did a full memory and file scan and came up blank.
I'll send the zip file and the web link now.


Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re:Xenon2 Game (Trojan/Spyware)
« Reply #3 on: August 08, 2004, 08:29:07 PM »
   
   
After 10 pages of Google search, I found nothing about this game being a spyware generator. That is not to say that someone has not modified the game to do so. ???

Mostly, I found game sites with cheat codes for the game. Almost every game site I've ever heard of had cheat listings. It appears that Xenon 2 was originally written by BitMap Brothers for the Amiga OS.

Perhaps the avast! team will let us know the results of the file GrizeBar sent to them. :)


Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline GrizeBar

  • Jr. Member
  • **
  • Posts: 49
  • I'm a llama!
Re:Xenon2 Game (Trojan/Spyware)
« Reply #4 on: August 09, 2004, 12:56:06 AM »
 
   
> After 10 pages of Google search, I found nothing about this game being a spyware generator. That is not to say that someone has not modified the game to do so. ???
>
> Mostly, I found game sites with cheat codes for the game. Almost every game site I've ever heard of had cheat listings. It appears that Xenon 2 was originally written by BitMap Brothers for the Amiga OS.
>
> Perhaps the avast! team will let us know the results of the file GrizeBar sent to them. :)





Try searching Google Groups for the keyword MSCONFIG.EXE.

Yes, there is a legitimate game called Xenon2, but as you said, the game file has been modified or replaced with the trojan generator.
The website that it is downloaded from appears to be one of the free web hosting sites, probably a temporary base for the file.


Offline GrizeBar

  • Jr. Member
  • **
  • Posts: 49
  • I'm a llama!
Re:Xenon2 Game (Trojan/Spyware)
« Reply #5 on: August 09, 2004, 02:09:41 AM »
This file must have been posted quite recently. I checked back with Google Groups under the keyword MSCONFIGS.EXE. The topic has generated about 10 more replies from the original 3 that I found from various newsgroups. It appears to have been spammed over every available Usenet newsgroup and people are picking it up.
Since it is a valid trojan, this could be a serious threat to many unsuspecting people that try to run it, particularly those without virus and firewall protection.


Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re:Xenon2 Game (Trojan/Spyware)
« Reply #6 on: August 09, 2004, 04:40:14 AM »
   
   
Thanks for the update, GrizeBar! :)



Offline kareld

  • Avast team
  • Jr. Member
  • *
  • Posts: 32
    • ALWIL Software
Re:Xenon2 Game (Trojan/Spyware)
« Reply #7 on: August 09, 2004, 04:41:39 PM »
Hi Grizebar and others,
  yes, it's a trojan horse. It seems to be able to communicate through IRC, acting as a remote access tool and proxy. It is probably possible to use it for DoS attack and network sniffing. Thank you for the sample.

Offline GrizeBar

  • Jr. Member
  • **
  • Posts: 49
  • I'm a llama!
Re:Xenon2 Game (Trojan/Spyware)
« Reply #8 on: August 11, 2004, 02:30:52 AM »
You're welcome. I also contacted the makers of the original game about the fake.
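
Added example, not part of the original thread and not Avast's detection logic: a Python check for the persistence pattern reported above, a Run-key entry whose file name is one character away from a genuine Windows binary (MSCONFIGS.EXE versus msconfig.exe). The registry listing, value names, the Sygate path and the allow-list are constructed for illustration.

```python
import ntpath
import re

# Genuine Windows binaries to compare against (assumption: a short list for the
# example; extend it for the machines being audited).
KNOWN_SYSTEM_BINARIES = {"msconfig.exe", "svchost.exe", "explorer.exe",
                         "winlogon.exe", "services.exe", "lsass.exe"}

# Constructed sample in the layout printed by `reg query`; the value names and
# the first two entries are invented, the third mirrors the file in the thread.
SAMPLE_RUN_KEY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SmcService    REG_SZ    "C:\Program Files\Sygate\SPF\smc.exe" -startgui
    SystemTray    REG_SZ    C:\WINDOWS\System32\msconfig.exe
    Config Loader    REG_SZ    C:\WINDOWS\System\MSCONFIGS.EXE
'''
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.+)$")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_of(command):
    """Lower-cased file name of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, then arguments
        path = command[1:].split('"', 1)[0]
    else:                                            # unquoted: cut at the extension
        m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def lookalike_autoruns(reg_query_text, max_distance=1):
    """Return (value name, file name, imitated binary) for near-miss names."""
    findings = []
    for m in filter(None, map(VALUE_LINE.match, reg_query_text.splitlines())):
        exe = executable_of(m.group("data"))
        if exe in KNOWN_SYSTEM_BINARIES:
            continue  # exact name; verifying its directory is a separate check
        findings += [(m.group("name"), exe, good)
                     for good in sorted(KNOWN_SYSTEM_BINARIES)
                     if edit_distance(exe, good) <= max_distance]
    return findings
```

A name-similarity check like this catches the disguise even when, as in this thread, no scanner has a signature for the file yet.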