VIRUS NAME: PWS-Ritter Trojan
Characteristics
This is a password-stealing trojan designed to capture the login password of
NetWare 3.11 users. The trojan uses the file name "LOGIN.EXE" and replaces the
standard LOGIN binary that is run when connecting to a Novell NetWare server.
The date and time stamp of this Trojan is October 19, 1994 9:27 PM, but this
can be easily altered.
Symptoms
Replacement of LOGIN.EXE in either the SYS:\LOGIN or SYS:\PUBLIC directory on
a NetWare 3.x server.
Method Of Infection
The Trojan was distributed with a file "PROP.EXE". To use the Trojan, PROP.EXE
is first run from a Supervisor account to create a new property, and the server
copy of LOGIN.EXE is then replaced. When a user logs into the network, the
password is stored in the new property. PROP.EXE can retrieve passwords
stored in the property.
References in the Trojan indicate the property names would be TESTOBJ and TESTPROP.