MovieWorld

Type: Trojan
SubType: Win32
Discovery Date: 06/04/2002
Length:
Minimum DAT: 4207 (06/12/2002)
Updated DAT: 4320 (01/28/2004)
Minimum Engine: 5.1.00
Description Added: 06/20/2002
Description Modified: 06/20/2002 8:27 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This trojan consists of multiple files. There are at least two versions of this trojan, so the filenames could differ.

  • TAR.EXE - Innocent archiving utility
  • firedaemon.exe - Utility to start programs as services
  • barm8.gif - Not really a GIF file; it is the configuration file for the FTP server
  • TFTP8675 - Text file with modified NT security settings
  • SUA.BAT - Sets up the trojan: copies the other components to the winnt\system32\vmn32 directory and starts them
  • KILL.EXE - Innocent process-killing utility from Microsoft
  • PULIST.EXE - Innocent process-enumerating utility from Microsoft
  • CYGWIN1.DLL - Innocent library DLL
  • ir.conf - Configuration file for iroffer
  • SVHOST.EXE - Innocent IRC file server called iroffer
  • INETSERV.EXE - Innocent NetCat utility
  • 32DLLEMU.TXT - Welcome message for the FTP site
  • SERVICES.EXE - Innocent services management utility
  • LSASS.ECE - Innocent FTP server

Symptoms

- Presence of the files mentioned above
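
A triage check for the symptom above, as an added example that is not part of the original description: it looks inside the vmn32 directory under a given system32 path for the component names listed on this page and flags any .gif file that lacks a GIF signature (as barm8.gif is described). The function names are hypothetical, and because the page says filenames differ between versions, an empty result is not proof of a clean host.

```python
import os

# Component names as listed on this page (the page notes that names can differ
# between versions, so a clean result does not rule the trojan out).
COMPONENTS = {
    "tar.exe", "firedaemon.exe", "barm8.gif", "tftp8675", "sua.bat",
    "kill.exe", "pulist.exe", "cygwin1.dll", "ir.conf", "svhost.exe",
    "inetserv.exe", "32dllemu.txt", "services.exe", "lsass.ece",
}
DROP_DIR = "vmn32"  # staging directory under winnt\system32 named on this page
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def is_real_gif(path):
    """True when the file starts with a GIF signature."""
    with open(path, "rb") as fh:
        return fh.read(6) in GIF_MAGIC


def triage(system32):
    """Inspect <system32>/vmn32 and report page-listed components found there.

    Returns a dict: 'dir_present', 'matches' (sorted lower-cased names) and
    'fake_gifs' (files ending .gif without a GIF signature).
    """
    report = {"dir_present": False, "matches": [], "fake_gifs": []}
    # Windows paths are case-insensitive; match the directory name that way
    # so the check also works on a mounted disk image.
    try:
        entries = os.listdir(system32)
    except OSError:
        return report
    for entry in entries:
        full = os.path.join(system32, entry)
        if entry.lower() != DROP_DIR or not os.path.isdir(full):
            continue
        report["dir_present"] = True
        for name in os.listdir(full):
            path = os.path.join(full, name)
            if not os.path.isfile(path):
                continue
            if name.lower() in COMPONENTS:
                report["matches"].append(name.lower())
            if name.lower().endswith(".gif") and not is_real_gif(path):
                report["fake_gifs"].append(name.lower())
    report["matches"].sort()
    report["fake_gifs"].sort()
    return report
```

Point triage() at the winnt\system32 directory of a live host or of a mounted disk image; names such as SERVICES.EXE are only suspicious here because they sit in vmn32 rather than in system32 itself.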

Method of Infection

Unknown. It may be through an exploit.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
