Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
fcukdat Warrior Addict

Joined: 01 Jan 2005 Last Visit: 08 Apr 2009 Posts: 757 Location: Yeovil,England.
Posted: Sat Nov 18, 2006 7:29 am Post subject: Recently emerging trojan ntos.exe
Security heads up on a recently emerging trojan ntos.exe
OK folks, I have been seeing this file appear since October 25 (25/10/06), but judging by the research paper linked it has been with us for a little while now but is being seen with more frequency recently. A big thanks and debt of respect to Secure Science corps and Michael Ligh for their in-depth analysis of this emerging trojan threat.
http://www.securescience.net/securescienceblog/malwarecasestudy.html
Because of the nature of this trojan's operation I feel it needs to get some publicity, since at the moment not many vendors are up with it (as with the Gromozon trojan) & Google search does not reveal too much information.
I have seen the trojan imported as a stand-alone infection and also as part of a massive CWS/infection in the past weeks.
FAO HJT log experts: one of the following 2 entries will signify the presence of this trojan. Its removal is not difficult: kill the principal executable (Ntos.exe) and the infection/effects are neutered.
O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
or
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe
The bad news is, as with Morphine z-lob, this trojan is now being repacked as regular as clockwork (names, file size etc.) to evade detections & cleaning routines but yet still retaining its thoroughly unpleasant operative capabilities listed in the PDF research paper.
1st ntos.exe sample uploaded to MIRT site
http://www.castlecops.com/t171215-barclay_ntos_exe.html
_________________
Malware hunter....Got Bot ?
MIRT Handler >>>
http://www.castlecops.com/c55-MIRT.html
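
Added example (not part of the original post, and not code from HijackThis): a Python check that scans a HijackThis log for the two entry shapes quoted in the post. Because the post notes the file is repacked under changing names, the F2 check goes beyond the literal ntos.exe and flags any UserInit program other than userinit.exe; the function names and the sample log are constructed for illustration.

```python
import re

# Line shapes taken from the two HJT entries quoted in the post.
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
NTOS_RE = re.compile(r"(?:^|\\)ntos\.exe\b", re.I)


def exe_name(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def scan_hjt(log_text):
    """Return (line_no, reason, line) for each entry matching the post's indicators."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        o4 = O4_RE.match(line)
        if o4 and NTOS_RE.search(o4["cmd"]):
            findings.append((no, "O4 Run entry launches ntos.exe", line))
            continue
        f2 = F2_RE.match(line)
        if f2:
            # The stock value is userinit.exe followed by a trailing comma;
            # anything else in the comma-separated list is an extra logon program.
            extras = [p.strip() for p in f2["value"].split(",")
                      if p.strip() and exe_name(p) != "userinit.exe"]
            if extras:
                reason = "UserInit has extra program: " + ", ".join(extras)
                findings.append((no, reason, line))
    return findings


# Constructed sample log (not from a real machine); raw string keeps backslashes literal.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe
"""

if __name__ == "__main__":
    for no, reason, line in scan_hjt(SAMPLE_LOG):
        print(f"line {no}: {reason}\n    {line}")
```

A match on the file name alone will miss renamed builds, so treat the F2 extra-program finding as the more durable of the two signals.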