Author Topic: Trojan droppers?  (Read 10775 times)


absntmind

  • Guest
Trojan droppers?
« on: August 01, 2003, 10:18:40 AM »
O.K., this question is basically a spinoff from my last one (see "cant get rid of trojan"). I still keep finding trojans popping in my computer, a new one almost every week. The latest one was win32 ataka. I did some looking around on the web and found a site that talked about trojan droppers. It says most av programs don't detect them. Under win32. trojan gen and ataka I read to look for some files in the NetMeeting\conf folder: calc32.exe, gamma.exe, ght.dll, hajr.drv, infsyst.reg, kasperlamm.cab, noewinnit.exe, and a couple more. I looked and found all of them in the folder. Gamma.exe is supposed to be the dropper. Has any1 heard of this? If it's true, what else should I look 4? (I'm using win98) Thanx ahead of time for any help!

whocares

  • Guest
Re:Trojan droppers?
« Reply #1 on: August 01, 2003, 11:27:37 AM »
Hi,
is your Avast up to date?

if you want a second opinion on the said files, scan them with the online scanners from www.kaspersky.com and www.ravantivirus.com

if either of those find anything in them (even just an EXE-Packer would be suspicious), and avast doesn't
-> send them in to ALWIL


 ;)

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trojan droppers?
« Reply #2 on: August 01, 2003, 12:22:43 PM »
Like I said in your other thread, did you look if you have open shares (https://grc.com/x/ne.dll?bh0bkyd2)? And do you use an (m)irc client? If so you should configure your irc client in a better way or use another, safer client, like trillian.
MfG Ralf

mantra

  • Guest
Re:Trojan droppers?
« Reply #3 on: August 01, 2003, 12:51:40 PM »

whocares

do u use rav antivirus?
what kind of update module has it?
like avast?

whocares

  • Guest
Re:Trojan droppers?
« Reply #4 on: August 01, 2003, 02:01:45 PM »
Hi mantra,


scan them with the online scanners

All clear ?

absntmind

  • Guest
Re:Trojan droppers?
« Reply #5 on: August 02, 2003, 12:19:21 AM »
I checked and I'm running in stealth mode, so my firewall is working. I checked the gamma.exe file in the online scan (Kaspersky, I think it's called). Gamma.exe came out clean like I read it would, then I scanned the kasperlamm.cab and it said "kasperlamm.cab Infected: Backdoor.IRC.Ataka.g". So avast missed that one, I even scanned it again and no detection (and yes, I made sure it was updated be4 I scanned it). I haven't scanned the rest on the list yet, but it is starting to look like what I read makes sense. Gamma.exe and the others are not needed 4 any of my programs that I know of and since I removed them I haven't had any new infections, plus my computer isn't acting as funny anymore. How do I go about sending these files in to avast so yall can check them out?

absntmind

  • Guest
Re:Trojan droppers?
« Reply #6 on: August 02, 2003, 10:40:28 AM »
Two more that I found in the same batch with the others that avast missed: "logon.exe Infected: Backdoor.Delf.gp" and "syn32.exe Infected: DoS.Win32.Ataka"

whocares

  • Guest
Re:Trojan droppers?
« Reply #7 on: August 02, 2003, 12:19:51 PM »
Hi,
for sending in viruses, you might try sending them in a password-protected ZIP-file to
support@asw.cz
(Don't know if there's a special address for sending in infected files, you might try searching avast's support pages yourself)

be sure to include the password in the mail text, as well as a short description of your problem & your system ;)

absntmind

  • Guest
Re:Trojan droppers?
« Reply #8 on: August 02, 2003, 11:50:48 PM »
OK, here are the results. Kaspersky online scan found 3 infected files in the bunch, and McAfee found 5 of them infected. Avast found none  :(. I tried to email the files to avast but it seems AOL (my only email client) scans their mail with McAfee be4 sending it. It will not let me send an infected file, which is a good thing I guess. I also found a logon.exe file to be infected that avast missed. It seems what I read is 100% correct! So here is part of it:


Several Trojan horse viruses were reported making the rounds Tuesday by antivirus vendors.

Troj/Golon-A is a backdoor Trojan that copies itself to the Windows system folder as logon.exe and sets the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\logon.exe = \logon.exe

Troj/Golon-A also creates several registry entries under HKLM\Software\Microsoft\Kernel.

Troj/Ataka-E is a multicomponent IRC backdoor Trojan. The main installer component (sx.exe) is typically downloaded from the internet by a downloader. The installer drops the following files: calc32.exe, gamma.exe, ght.dll, hajr.drv, infsyst.reg, kasperlamm.cab, msvcrtd.dll, nocx.ocx, NoeWinnt.exe, oje.txt and syn32.exe into the folder Program Files\NetMeeting\conf\.

Some of these files are clean and are not detected. Gamma.exe is a Trojan dropper and is detected as Troj/Prx-A. (gamma.exe was found infected by McAfee)
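
Added example, not part of the original post or of the advisory it quotes: because the advisory says some of the dropped files scan clean on their own, this Python sketch looks for the listed names together inside a NetMeeting\conf folder and for a Run value mentioning logon.exe in a REGEDIT4 export. The function names, the sample export and its C:\SAMPLE path are constructed for illustration.

```python
import os
import re

# File names the advisory quoted above lists as dropped by the Troj/Ataka-E installer.
ATAKA_DROPPED = {
    "calc32.exe", "gamma.exe", "ght.dll", "hajr.drv", "infsyst.reg",
    "kasperlamm.cab", "msvcrtd.dll", "nocx.ocx", "noewinnt.exe",
    "oje.txt", "syn32.exe",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample export; the C:\SAMPLE path is a placeholder, not from the advisory.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"logon.exe"="C:\\SAMPLE\\logon.exe"
'''


def find_dropped_files(root):
    """Map each NetMeeting\\conf folder under root to the listed names found in it."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        parts = [p.lower() for p in os.path.normpath(folder).split(os.sep)]
        if parts[-2:] != ["netmeeting", "conf"]:
            continue  # only this folder: some listed names are clean or common elsewhere
        found = sorted(f.lower() for f in files if f.lower() in ATAKA_DROPPED)
        if found:
            hits[folder] = found
    return hits


def run_values_mentioning(reg_text, exe_name):
    """Return (name, data) pairs under HKLM ...\\Run whose name or data mentions exe_name."""
    matches, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = re.match(r'"(.*?)"="(.*)"$', line)
        if in_run and m and exe_name.lower() in (m.group(1) + " " + m.group(2)).lower():
            matches.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return matches


if __name__ == "__main__":
    print(run_values_mentioning(SAMPLE_REG, "logon.exe"))
    print(find_dropped_files(os.curdir))  # scans the current directory tree
```

A name match is only a lead for further scanning; matching is case-insensitive because Windows file names are.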

whocares

  • Guest
Re:Trojan droppers?
« Reply #9 on: August 04, 2003, 03:25:46 PM »
Hi,
for sending in viruses, you might try sending them in a password-protected ZIP-file

Hi absntmind,
as said above, you need to password-protect/encrypt the malware files in e.g. a ZIP archive, then AOL won't complain..

try www.winzip.com, if your archiving program doesn't support this.. ;)