Tech war stories
June 30, 2000, by Chris Buck Buccola
The dreadful trojan horse

Horse in the Machine

Mrs. Smith brought in a generic mini-tower system, complaining that the computer locked up as soon as she signed onto AOL and that the computer would not shut down. She said that it would not hang, but just "bounce back" to the desktop, as if it were ignoring the shutdown command. From prior experience, I immediately suspected a Trojan horse virus, but was unfamiliar with the exact symptoms.

Since I was familiar with the workings of a Trojan, I at least knew where to begin looking for the bug. The majority of virus scanners cannot detect a Trojan horse because it's not a virus in the traditional sense, so a manual cleaning operation would be required. Trojan horses are programs that pretend to be something other than what they actually are, and they are normally executable files. A Trojan horse cannot infect the system if it isn't executed, so usually the virus author will make the program look as harmless as possible by giving it a funny icon and name to trick unsuspecting users into running the virus.

The first thing I needed to do was to recreate the problem, so I logged onto AOL using a dummy account that we kept for just such purposes. Sure enough, the system locked up as soon as it completed the connection. I also found that Windows was failing to shut down: it would just pop right back to the desktop if you tried to close it. Normally, a Trojan horse needs to load itself from the run or load statement in the win.ini file, so I went to check there first. When I tried opening the system editor (Sysedit.exe), the program closed itself immediately. This was just not right at all. The same behavior occurred when I tried to open the msconfig.exe program, and when I attempted to open the Win.ini file directly. Something was obviously hiding in there and didn't want me to see it.

I rebooted the computer to safe mode in order to bypass the loading of the Win.ini file, so I could actually open it and see what was in there. Once booted to safe mode, I was able to open the Win.ini file. After looking through it, I couldn't find anything abnormal at all. Normally I would expect to see that the Trojan had added itself as a "Load" or "Run" statement, or possibly as a screensaver file, but there weren't any abnormal entries anywhere. After looking over the file for a while, I finally noticed something odd. Normally, a scroll bar will only appear on a window when there is more text outside of the visible area. I noted the horizontal scroll bar, and there I found the hidden Trojan, which was hiding itself off the screen in the run statement:

Run={very large space} C:\Windows\Uninstallms.exe

I deleted this line, then attempted to save the file. The system stated the file was marked as "Read-Only" and could not be modified. Needless to say, the Win.ini file is not supposed to be a read-only file. When I tried to change the file's properties, the Read-Only attribute would reset itself. If deleted, the Uninstallms.exe file would also reappear in the Windows directory after a reboot. Most likely this was the Trojan itself counteracting my efforts. There was also a host file located somewhere else that recreated the "UninstallMS.exe" file after it was deleted.
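The padding trick described above (a run= value pushed off the visible edge of the editor by a long run of blanks) is easy to miss by eye but easy to check mechanically. The following is an added example, not code from the original article: it parses the [windows] section of a win.ini-style file and flags run=/load= entries whose value sits behind more leading whitespace than a hand-edited line would ever have. The sample file content and the PAD_THRESHOLD value are constructed assumptions.

```python
import re

# Constructed sample of a win.ini [windows] section. The run= entry mimics the
# article's hidden line: hundreds of blanks before the executable path.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=" + " " * 400 + "C:\\Windows\\Uninstallms.exe\n"
    "NullPort=None\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

PAD_THRESHOLD = 8  # leading blanks beyond this are suspicious (assumed cutoff)


def find_startup_entries(ini_text):
    """Return one dict per run=/load= entry found in the [windows] section.

    Each dict carries the key, the whitespace-stripped value, the number of
    leading blanks that preceded the value, and a 'suspicious' flag that is
    set when a non-empty value is hidden behind more than PAD_THRESHOLD blanks.
    """
    results = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()  # entered a new [section]
            continue
        if section != "windows" or "=" not in raw:
            continue
        key, _, value = raw.partition("=")  # keep value unstripped to measure padding
        key = key.strip().lower()
        if key not in ("run", "load"):
            continue
        padding = len(value) - len(value.lstrip(" \t"))
        stripped = value.strip()
        results.append({
            "key": key,
            "value": stripped,
            "padding": padding,
            "suspicious": bool(stripped) and padding > PAD_THRESHOLD,
        })
    return results


def suspicious_entries(ini_text):
    """Only the entries that hide a value behind excessive padding."""
    return [e for e in find_startup_entries(ini_text) if e["suspicious"]]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_WIN_INI):
        print(f"{e['key']}= hides {e['value']!r} behind {e['padding']} blanks")
```

The same check applies to any INI-style startup location where an editor's window width, not the file's contents, decides what an administrator sees.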
