psoTFX Development Team Leader
Joined: 03 Jul 2001 Posts: 9418
Posted: 29 Jan 2005 22:01 Post subject: phpBB Destroyer info
We've had reports from people concerned about an application calling itself "phpBB Destroyer". The website on which this app can be found claims the author is "fed up" with phpBB's security problems and has released this "application" as a consequence. The website contains supposed screenshots of said application and lists its capabilities.
We have been examining this application and the following details have emerged.
- It is malware; it contains what appears to be a Netsky-related worm.
- It contains no application which can be used to damage phpBB installations.
- When executed it will extract itself into a subfolder within system32. It will then attempt to patch XP SP2 (if appropriate) to overcome the limitation on simultaneous connections Microsoft put in place. It will also alter your registry and insert a new key which will run another file in that subfolder (csrss.exe) upon boot. Once rebooted (it will do this automatically if possible) the fake csrss.exe will be run. Now, there is a legitimate csrss present in your system32 folder; do not confuse the two. Your process list should typically show only one csrss.exe process, usually as the SYSTEM user. If you have two or more csrss.exe instances, particularly if they are running under your account, you probably have been infected. This fake csrss will attempt to connect to what appears to be an IRC bot. Based on the behaviour of Netsky, it likely then proceeds to mail itself to any addresses it can find in files it has scanned on your system.
- At present no AV definitions detect this application. The application has been submitted to all the major AV vendors as a precaution.
I say again, this application has absolutely nothing to do with phpBB. It cannot be used to damage phpBB (to the best of our available knowledge). It appears to be a program designed to "attack" those who would download such an application to cause harm.
If you have been affected by this application ... well ... why were you running something that claimed to "attack" phpBB installations? To remove it you can try following the general removal directions for the AB variant of Netsky. You should be looking for any suspicious entries for csrss.exe in a subfolder of system32. Do not, I repeat, do not remove any references from the registry which refer to the system32/csrss.exe unless you have extremely good reason to believe it has been replaced! XP users should disable System Restore and all users should run in Safe Mode during the recovery period.
As with any worm, ensure your virus definitions are up to date (though as noted they may not detect this issue at the present time), you have an effective firewall (ingress and egress!) and you have installed all relevant updates for your OS (that includes Linux et al ... irrespective of this worm, all OSes have suffered vulnerabilities in key applications).
We will not handle any support requests related to this application. It has absolutely nothing to do with us ... indeed as an application claimed to damage phpBB installations we are, quite obviously, not inclined to help anyone infected by it. _________________ phpBB Development Team Leader ...
... and former style guru to the stars, or maybe not.
phpBB NG | Security Tracker | Bug Tracker
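The two indicators the post gives (a second csrss.exe, or one not running as SYSTEM, and a registry Run entry that starts csrss.exe from a subfolder rather than from System32 itself) can be checked with a short script. This is an added example, not code from the post or from the phpBB team; it assumes Windows PowerShell 3 or later, and, because the real csrss.exe is a protected process, its owner and path may be unreadable without elevation, in which case the entry is reported as unknown rather than as suspect.

```powershell
# Added example, not from the original post. Lists the two indicators the post
# names: extra csrss.exe processes (or ones not owned by SYSTEM) and Run-key
# entries that launch a csrss.exe from anywhere other than %SystemRoot%\System32.
function Find-CsrssIndicators {
    $legit = Join-Path $env:SystemRoot 'System32\csrss.exe'
    $findings = @()

    # --- Process check: a clean system normally shows one csrss.exe, owned by SYSTEM.
    # csrss.exe is a protected process, so owner/path may be unreadable without
    # elevation; an unreadable entry is reported as 'unknown', not as suspect.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'")
    foreach ($p in $procs) {
        $owner = 'unknown'
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        $path = if ($p.ExecutablePath) { $p.ExecutablePath } else { 'unknown' }
        $suspect = ($owner -ne 'unknown' -and $owner -notmatch '\\SYSTEM$') -or
                   ($path -ne 'unknown' -and $path -ne $legit) -or
                   ($procs.Count -gt 1)
        $findings += [pscustomobject]@{
            Check = 'Process'; Detail = "PID $($p.ProcessId) owner=$owner path=$path"; Suspect = $suspect
        }
    }

    # --- Registry check: any Run/RunOnce value that starts csrss.exe from a path
    # other than the real one matches the persistence the post describes.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $value = [string]$prop.Value
            if ($value -match 'csrss\.exe' -and $value -notmatch [regex]::Escape($legit)) {
                $findings += [pscustomobject]@{
                    Check = 'RunKey'; Detail = "$key\$($prop.Name) = $value"; Suspect = $true
                }
            }
        }
    }
    return $findings
}

Find-CsrssIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt so the owner and path of the real csrss.exe can be read; a Suspect=True row is a lead to investigate, not proof on its own, and as the post says the genuine System32\csrss.exe must not be removed.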