Privacy Software Corporation Security Advisory
Monday, December 14, 1998
 
RAW INTERNET TROJAN HORSE PROGRAM
[Screenshot: the client program used against the victim's machine. What runs on the victim's machine is completely invisible.]
 

SYNOPSIS:

The RAW program was discovered within the last few days, and we have so far been unable to get it to function, because it depends on a number of obscure ActiveX controls distributed with Microsoft's Visual Basic Professional which are not shipped with the trojan horse. It is also distributed without any documentation from which we could determine what it does. From the labelling of its controls, however, it appears to do much the same as other trojan horse programs: it hooks the multimedia controls, installs keyboard hooks, and hooks Winsock and other parts of the Windows operating system, as other trojans do.

In our early exploration, the client for the trojan horse only ungrays its operating controls once it has successfully connected to its server, which is installed on the victim's machine. The trojan horse server is named SERVER.EXE and the client used by the perpetrator is named RAW.EXE. The server will not install on a victim's machine unless all of the necessary Microsoft Visual Basic ActiveX controls (*.OCX files) are already present on that machine. We have not successfully activated the server at this time.

This preliminary report will be followed by a more detailed report as soon as we have explored RAW's precise capabilities. Reverse engineering of the trojan horse server has, however, already provided the data needed for our BOClean product to detect and defeat this trojan until such time as we can document it more fully.

Privacy Software Corporation's BOClean 2.01 software, designed to detect and defeat trojan horse programs, is fully effective in removing the RAW server regardless of its filename or manner of delivery and, as with other trojans, can also disable the program instantly upon detection. BOClean also removes the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This avoids the risks of manual registry editing and possible loss of data, and allows the victim to remove the program and continue using their TCP/IP connection without loss of work or time.
 

COPYRIGHTED MATERIAL:

Copyright (c) 1998 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information, nor should any be construed from the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the RAW distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.
