OT:New Denial of Service Trojan Discovered


New Denial of Service Trojan Discovered

According to preliminary information received today by EmergencyNet News, a new Trojan called "W32/Trinoo" that infects Windows 9X computers has been discovered "in the wild." The program is 23,145 bytes in length, and similar in nature to a Solaris or Unix program that was used in "Denial of Service" (DoS) attacks that disrupted major websites earlier this month. The Trojan reportedly installs a call to the executable in the Windows registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run=service.exe

If this program proliferates widely, it could make almost any unsuspecting Windows 95/98 computer into a "slave" agent to be used by crackers engaging in DoS attacks. EmergencyNet News is monitoring reports about this new development and will provide additional details as they become available...

http://www.emergency.com/ennday.htm

-- PA Engineer (PA Engineer@longtimelurker.com), February 23, 2000
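
Added example, not part of the original post or the EmergencyNet report: a check that reads a REGEDIT4 text export (the format Windows 9x regedit writes) and lists entries under the Run key named in the report whose command launches a file called service.exe, plus a file-length comparison against the reported 23,145 bytes. The sample export, its value names and the function names are constructed for illustration.

```python
import os
import re

# Indicators taken from the report above; everything else here is an assumption.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
REPORTED_EXE = re.compile(r'(?:^|[\\/" ])service\.exe(?:$|[" ])', re.I)
REPORTED_SIZE = 23145  # bytes

# "name"="data" or @="data", with backslash escapes as regedit writes them
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def run_entries(reg_text):
    """Yield (name, command) for string values under the HKLM Run key."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # key names are case-insensitive
        elif in_run:
            m = _VALUE.match(line)
            if m:
                yield _unescape(m.group(1) or "(Default)"), _unescape(m.group(2))

def flag_run_entries(reg_text):
    """Return Run entries whose command launches a file named service.exe."""
    return [(n, c) for n, c in run_entries(reg_text) if REPORTED_EXE.search(c)]

def size_matches(path):
    """True if the file has the reported length (a weak hint, not proof)."""
    return os.path.getsize(path) == REPORTED_SIZE

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Backup"="C:\\TOOLS\\myservice.exe /q"
"Updater"="SERVICE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="setup.exe"
'''

if __name__ == "__main__":
    for name, cmd in flag_run_entries(SAMPLE):
        print("review Run entry:", name, "->", cmd)
```

A matching name or length only marks an entry for review; other programs can use the same file name.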

Answers

Thanks.

-- Hokie (Hokie_@hotmail.com), February 23, 2000.

Any information on what ports and protocols it uses? -m-

-- Michael Erskine (Osiris@urbanna.net), February 23, 2000.

I heard (haven't verified) that the DOS hackers often look for brand new computers appearing on the net. They do this because Win98, by installed default, comes up the first time with the "share all" option set, leaving them wide open. Hit rates of up to 80% of new users have been reported.

So if you get a new computer with Win98 on it, please CHANGE this option before logging onto the net.

-- Flint (flintc@mindspring.com), February 23, 2000.


When I turn my computer on, one of the lines says secondary slave detected, the next line says no secondary slave. Would this be what you are talking about or something different?

-- Maggie (song bird@iwon.com), February 23, 2000.

I would be grateful if you would tell us where this "share all" option is located. I do a fair bit of tinkering with Windows (I HAVE to, since it's so unreliable), but have not encountered this one.

Thanks!

-- Bill (billclo@blazenet.net), February 24, 2000.



PA,

Thank you very much for this post.

-- Dee (T1Colt556@aol.com), February 24, 2000.


Hi Maggie, you still haven't figured out what is there and what isn't? Count physical devices! If there is a device that was detected, but you disabled it, then it will not work. Your secondary slave doesn't work. Ask the guy(?) who upgraded your PC.

-- W (me@home.now), February 24, 2000.

Maggie,

What you are seeing at boot up is the computer searching and verifying drives, primary and secondary, slave, and so forth.

What these folks are referring to here in this thread is hackers using your computer while you are on line, without your knowledge and consent.

Try this site, http://grc.com/default.htm

This site will test your system and give you a good idea of whether your computer can be used by hackers.

-- Postman (All@once.now), February 24, 2000.


Bill,

The site I referenced above has instructions for that 'share all' feature, and how to disable it.

-- Postman (All@once.now), February 24, 2000.


Thanks for the answers.

-- Maggie (song bird@iwon.com), February 24, 2000.

