The Wayback Machine - https://web.archive.org/all/20050309015625/http://www.phpbb.com:80/phpBB/viewtopic.php?f=14&t=260546


phpBB Destroyer info

psoTFX
Development Team Leader


Joined: 03 Jul 2001
Posts: 9418

Posted: 29 Jan 2005 22:01    Post subject: phpBB Destroyer info

We've had reports from people concerned about an application calling itself "phpBB Destroyer". The website on which this app can be found claims the author is "fed up" with phpBB's security problems and has released this "application" as a consequence. The website contains supposed screenshots of said application and lists its capabilities.

We have been examining this application and the following details have emerged.

  • It is malware; it contains what appears to be a Netsky-related worm.
  • It contains no application which can be used to damage phpBB installations.
  • When executed it will extract itself into a subfolder within system32. It will then attempt to patch XP SP2 (if appropriate) to overcome the limitation on simultaneous connections Microsoft put in place. It will also alter your registry and insert a new key which will run another file in that subfolder (csrss.exe) upon boot. Once rebooted (it will do this automatically if possible) the fake csrss.exe will be run. Now there is a legitimate csrss present in your system32 folder, do not confuse the two :) Your process list should typically show only one csrss.exe process, usually as the SYSTEM user. If you have two or more csrss.exe instances, particularly if they are running under your account, you probably have been infected. This fake csrss will attempt to connect to what appears to be an IRC bot. Based on the behaviour of Netsky it will likely then proceed to mail itself to any addresses it can find in files it has scanned on your system.
  • At present no AV definitions detect this application. The application has been submitted to all the major AV vendors as a precaution.

I say again, this application has absolutely nothing to do with phpBB. It cannot be used to damage phpBB (to the best of our available knowledge). It appears to be a program designed to "attack" those who would download such an application to cause harm.

If you have been affected by this application ... well ... why were you running something that claimed to "attack" phpBB installations? ;) To remove it you can try following the general removal directions for the AB variant of Netsky. You should be looking for any suspicious entries for csrss.exe in a subfolder of system32. Do not, I repeat, do not remove any references from the registry which refer to the system32/csrss.exe unless you have extremely good reason to believe it has been replaced! XP users should disable System Restore and all users should run in Safe Mode during the recovery period.

As with any worm, ensure your virus definitions are up to date (though as noted they may not detect this issue at the present time), you have an effective firewall (ingress and egress!) and you have installed all relevant updates for your OS (that includes Linux et al ... irrespective of this worm all OS's have suffered vulnerabilities in key applications).

We will not handle any support requests related to this application. It has absolutely nothing to do with us ... indeed as an application claimed to damage phpBB installations we are, quite obviously, not inclined to help anyone infected by it.
_________________
phpBB Development Team Leader ...
... and former style guru to the stars, or maybe not.
phpBB NG | Security Tracker | Bug Tracker
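
The checks described in the post (a csrss.exe image outside system32 itself, a csrss.exe owned by a non-SYSTEM account, a startup entry launching such a file), as an added triage sketch that is not part of the original post or of phpBB. It assumes Windows is installed in C:\Windows, uses hypothetical record fields (`pid`, `name`, `path`, `user`) and constructed sample data, and generalizes slightly by flagging any csrss.exe that is not system32\csrss.exe rather than only those in a system32 subfolder.

```python
import ntpath

# Assumption: Windows lives in C:\Windows; paths are compared case-insensitively.
LEGIT_CSRSS = ntpath.normcase(r"C:\Windows\System32\csrss.exe")

def image_path(command):
    """Executable path from a process image path or a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith("\\??\\"):            # NT object-style prefix, \??\C:\...
        cmd = cmd[4:]
    if cmd.startswith('"'):                  # "C:\dir\app.exe" args
        cmd = cmd[1:].split('"', 1)[0]
    else:                                    # C:\dir\app.exe args
        end = cmd.lower().find(".exe")
        if end != -1:
            cmd = cmd[:end + 4]
    return ntpath.normcase(ntpath.normpath(cmd))

def is_fake_csrss(command):
    """True if the image is named csrss.exe but is not system32\\csrss.exe."""
    path = image_path(command)
    return ntpath.basename(path) == "csrss.exe" and path != LEGIT_CSRSS

def suspicious_processes(processes):
    """PIDs of csrss.exe processes with a wrong path or a known non-SYSTEM owner.
    Instance count alone is not used: later Windows versions run one per session."""
    hits = []
    for proc in processes:
        if proc["name"].lower() != "csrss.exe":
            continue
        wrong_path = bool(proc["path"]) and is_fake_csrss(proc["path"])
        owner = (proc["user"] or "").rsplit("\\", 1)[-1].upper()
        if wrong_path or (owner and owner != "SYSTEM"):
            hits.append(proc["pid"])
    return hits

def suspicious_run_entries(entries):
    """Names of startup (Run key) values that launch a fake csrss.exe."""
    return [name for name, command in entries.items() if is_fake_csrss(command)]

# Constructed sample data; the subfolder and value names are placeholders.
SAMPLE_PROCESSES = [
    {"pid": 412, "name": "csrss.exe", "path": r"\??\C:\WINDOWS\system32\csrss.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 520, "name": "CSRSS.EXE", "path": None, "user": "SYSTEM"},
    {"pid": 1836, "name": "csrss.exe", "path": r"C:\WINDOWS\system32\example_subdir\csrss.exe", "user": r"DESKTOP\alice"},
]
SAMPLE_RUN = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
    "ExampleHelper": r"C:\WINDOWS\System32\example_subdir\csrss.exe",
}
```

Feed it process and startup data exported from the machine under examination; a hit is a lead to verify by hand, not proof of infection.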