Arnold Schwarzenegger Commits Suicide - Link to file infected with Backdoor-azv trojan


Dirk Gently
07-24-2004, 09:02 AM
In article <hypMc.25529$qa2.12172@fe2.texas.rr.com>,
david.robertson@harvard.edu says...

Complaint filed with each ISP.

Sporkman
07-24-2004, 09:06 AM
Dirk Gently wrote:
> In article <hypMc.25529$qa2.12172@fe2.texas.rr.com>,
> david.robertson@harvard.edu says...
>
> Complaint filed with each ISP.

Which ISP? The site isn't even registered. He's spoofing the ISP names
as well as the OP name.

In case there's the slightest doubt in anyone's mind, this is another
trojan/worm/virus.

Dirk Gently
07-24-2004, 08:17 PM
In article <41028921.3A985BD2@bigfootDOT.com>,
sporkedUNDERLINEagainMUNGE@bigfootDOT.com says...
> Dirk Gently wrote:
> > In article <hypMc.25529$qa2.12172@fe2.texas.rr.com>,
> > david.robertson@harvard.edu says...
> >
> > Complaint filed with each ISP.
>
> Which ISP? The site isn't even registered. He's spoofing the ISP names
> as well as the OP name.
>
> In case there's the slightest doubt in anyone's mind, this is another
> trojan/worm/virus.

First thing you should do if you have not done it already is to show
full headers in your newsreader.

According to the full header information in each posting the following
IP addresses were used to post these links.

NNTP-Posting-Host: 24.95.69.108
X-Complaints-To: abuse@rr.com

NNTP-Posting-Host: 24.46.142.159
X-Complaints-To: abuse@cv.net

NNTP-Posting-Host: 24.211.124.95
X-Complaints-To: abuse@rr.com

NNTP-Posting-Host: 24.164.209.188
X-Complaints-To: abuse@rr.com

I copied the full header information for each post and submitted it to
the ISP it came from.

The file, ArnoldSchwarzenegger.zip, contains the Backdoor-azv trojan.
It is detected by McAfee anti-virus but is not currently detected by
Norton Antivirus as a threat. I submitted this file to Symantec so
they could create an updated virus definition file to detect this trojan.
Unzipping this file gives you a file called Arnold Schwarzenegger.SCR.
Installing this file puts a file called ZoneLockup.exe in your
C:\Windows\System directory and adds a registry entry to run this file on
system startup. The file then connects to the internet and awaits
orders.

This file was hosted at www.theparadise.x-y.net. The host for this
site is ELIMNET, INC. They are located in Korea. The abuse address is
abuse@elim.net.

Please let me know if you have any further questions.
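
The header triage described in the post above, as an added example that is not part of the original thread: it reads the full headers of each article and groups the posting hosts under the abuse address they should be reported to. The function name `group_by_abuse_contact`, the `From` and `Message-ID` values, and the fifth sample article are assumptions made for illustration; the posting hosts and abuse addresses are the ones quoted in the post.

```python
import ipaddress
from collections import defaultdict
from email.parser import HeaderParser

# Constructed sample: header blocks as shown with "full headers" enabled.
# Posting hosts and abuse addresses are the ones quoted in the post above;
# the From and Message-ID values are placeholders.
SAMPLE_ARTICLES = [
    "From: spoofed@example.invalid\nMessage-ID: <a1@example.invalid>\n"
    "NNTP-Posting-Host: 24.95.69.108\nX-Complaints-To: abuse@rr.com\n",
    "From: spoofed@example.invalid\nMessage-ID: <a2@example.invalid>\n"
    "NNTP-Posting-Host: 24.46.142.159\nX-Complaints-To: abuse@cv.net\n",
    # Folded header (value continued on the next line), legal in news articles
    "From: spoofed@example.invalid\nMessage-ID: <a3@example.invalid>\n"
    "NNTP-Posting-Host: 24.211.124.95\nX-Complaints-To:\n abuse@rr.com\n",
    "From: spoofed@example.invalid\nMessage-ID: <a4@example.invalid>\n"
    "NNTP-Posting-Host: 24.164.209.188\nX-Complaints-To: abuse@rr.com\n",
    # Constructed extra case: no posting host recorded, must not be dropped
    "From: spoofed@example.invalid\nMessage-ID: <a5@example.invalid>\n"
    "X-Complaints-To: abuse@rr.com\n",
]


def group_by_abuse_contact(raw_articles):
    """Map each X-Complaints-To address to (Message-ID, posting host) pairs.

    From is chosen by the poster and is ignored; the posting host and the
    complaints address are normally stamped by the injecting news server.
    """
    parser = HeaderParser()
    report = defaultdict(list)
    for raw in raw_articles:
        headers = parser.parsestr(raw)
        msg_id = (headers.get("Message-ID") or "unknown").strip()
        contact = (headers.get("X-Complaints-To") or "unknown").strip().lower()
        host = (headers.get("NNTP-Posting-Host") or "").strip()
        try:
            host = str(ipaddress.ip_address(host))
        except ValueError:
            # Hostname, garbage or absent: keep it, flagged for manual review
            host = "unverified:" + (host or "missing")
        report[contact].append((msg_id, host))
    return dict(report)


if __name__ == "__main__":
    for contact, posts in group_by_abuse_contact(SAMPLE_ARTICLES).items():
        print(contact)
        for msg_id, host in posts:
            print(f"  {host:<24} {msg_id}")
```
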
