Welcome to the Virus.Org Mailing List Archive




Re: [Dshield] The Beast

  • To: General DShield Discussion List <[EMAIL PROTECTED]>
  • Subject: Re: [Dshield] The Beast
  • From: Daniel Otis-Vigil <[EMAIL PROTECTED]>
  • Date: Fri, 17 Oct 2003 11:48:22 -0600
  • In-reply-to: <[EMAIL PROTECTED]>
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • References: <[EMAIL PROTECTED]>
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
 
The Cleaner has detected every version of Beast. Beast doesn't do anything particularly novel or interesting beyond any other trojan. I would discard this as any other spam.

Daniel Otis-Vigil
MooSoft Development LLC

At 04:56 AM 10/17/2003, you wrote:
Has anyone heard of Beast, a trojan with different variables?
Symantec lists them here http://search.symantec.com/custom/us/query.html.
I came across it while reading about it in the Support Alert
newsletter ( http://www.techsupportalert.com/ ).
An excerpt from the newsletter follows:

"I have seen The Beast and my heart has been smitten with fear.

No, folks, I haven't gone all religious. I'm talking about this year's
hot trojan horse called "The Beast."

The Beast is one of the new generations of "process-injecting"
trojans. To avoid detection these trojans attach themselves to a
process that forms a key part of the Windows operating system itself.

In the case of The Beast, the processes chosen for infection are
winlogon.exe and explorer.exe. These have been selected because they
are always present on any XP/2000/NT-based PC.

This stealthing approach makes The Beast particularly hard to detect.
Certainly a normal process scanner won't reveal its presence and
almost all common anti-virus scanners will miss it as well.

Killing the trojan is also difficult as it resides within a process
essential for the operation of Windows.  Killing the process will also
kill Windows.

And if you think that the .dll checksum feature in your firewall will
help you, think again. The particular version of The Beast I tested
came with a module that pulled down 32 of the most popular firewalls
and anti-virus scanners and many anti-trojan monitors as well.

Watching a PC being infected by this kind of trojan is a scary
experience. Terrifying, actually.

I ran The Beast on a test PC set up with the same extensive protection
that I use on all my normal working PCs.

I just sat by and watched Norton Anti-Virus 2003 disappear, closely
followed by my Sygate Personal Firewall Pro and the BoClean anti-
trojan monitor.  Not only were these defenses pulled down, they were
permanently destroyed so they could not be restarted.

Once The Beast has infected your PC the attacker essentially has
complete control. He/she can view, upload or erase any of your files
and log all your keystrokes including all your passwords. Worse
still, you may not even know your PC is infected..........."

Also, while doing a Google search I noticed this website
http://tataye.scripterz.org/Trojan.html

Scary stuff indeed!!



_______________________________________________
list mailing list
[EMAIL PROTECTED]
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

 
Copyright (c) Virus.Org 1997-2006.