Recently, Codon4 released a screensaver made to look like the Gibson Supercomputer hacking sequences from the great movie "Hackers." It appears however that this screen saver has an embedded trojan not yet detected by anti-virus scanners. (NAV, McAfee and Trend Micro HouseCall have been tested.)
When the file is unzipped and run, it appears to install a file called "csrsc.exe" to your %windows%\system directory, and loads it to be run on startup in the registry. This file then contacts efnet.demon.co.uk and joins the channel #gibson, key gibson in IRC. It is not certain if the filename or Efnet server are hardcoded, or randomly selected, but it is certain that efnet is the server. Efnet sadly has a reputation for not having too innocent of users, but let this not reflect on all of them. ReEdit: See below for more file specs
The connection appears to idle waiting for instructions. Initial examination of the file appears to have it as a DDoS utility, but this is not certain. At the time that I and a few friends invaded the channel, the bots were auto-opping on entry. After Soul and I deopped them, and reopped them at some point, they were no longer auto-opping. We are not sure what the reason behind this behavior is.
Although the payload may have already been delivered or expired, this connection is unexplained by the producers and undocumented. To do so without explanation is at best sketchy, and in the past has been a bad sign.
The file is available from http://download.com.com/3000-2390-10222112.html?tag=lst-5-4. The producer's site is www.codon4.com. If you download the file, exercise standard caution as with any possibly virus-infected file.
Special thanks to Tarkus, Soul, StormBringer, sngx1275, neoblaze, poertner, and Didou (names as in the IRC channel on starchat) for assisting with research into this matter. The details are sketchy, I realize, but I would hope that Techspot could help come up with more.
CNet and McAfee have been contacted in regard to this matter, and have yet to respond. I will update when more information becomes available. The #3dspotlight IRC channel appears to be the first to break this news, and certainly any input is welcome. The EfNet IRC channel gets enough traffic to indicate that there may be as many as 500 estimated "infections" right now, with 30 to 50 connecting at a time to the channel.
Edit: File specs: Soul Harvester has graciously provided the following details. 73,728 bytes in size, this file has three IRC functions: connect, join, and op. There are other dwords which appear to be triggers, but they're currently obfuscated beyond our comprehension. Responds to CTCP VERSION requests as mIRC 6.12, which is obviously false. Soul promises to look further into the matter. Thanks again!!
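The behaviour described in the post (a dropped csrsc.exe started from the registry, a connection to efnet.demon.co.uk, a JOIN to #gibson with key gibson, and a CTCP VERSION reply claiming to be mIRC 6.12) is enough to write a small indicator check. The following is an added example, not code from the post or from anyone who did the analysis: it parses raw IRC lines in their standard wire format and flags the indicators the post reports, and it checks a Run-key command line for the dropped file name. The session lines, the nick, the peer's nick and the server name in the welcome line are all constructed for the example; the only values taken from the post are the host, channel, key, version string and file name.

```python
"""Indicator check for the IRC bot described in the post (added example).

Indicator values (host, channel, key, fake version string, dropped file
name) are the ones reported in the post.  Everything else here -- the
sample session, nicks and server name -- is constructed for illustration.
"""
import ntpath
import shlex

C2_HOST = "efnet.demon.co.uk"          # from the post
C2_CHANNEL = "#gibson"                 # from the post
C2_KEY = "gibson"                      # from the post
FAKE_VERSION_TOKENS = ("mirc", "6.12") # CTCP VERSION reply reported in the post
DROPPED_FILE = "csrsc.exe"             # from the post


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, [params]).

    Follows the RFC 1459 shape ":prefix COMMAND p1 p2 :trailing"; the
    trailing parameter (after " :") may contain spaces.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", []
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def classify_line(raw, direction):
    """Return indicator names matched by one line.

    direction is "out" for lines the suspected host sent to the server and
    "in" for lines it received.  Only outbound lines carry the indicators.
    """
    hits = []
    _, command, params = parse_irc_line(raw)
    if direction != "out":
        return hits
    # The bot joins the reported channel; note whether it supplied the key.
    if command == "JOIN" and params and params[0].lower() == C2_CHANNEL:
        with_key = len(params) > 1 and params[1] == C2_KEY
        hits.append("join-gibson-with-key" if with_key else "join-gibson")
    # CTCP VERSION replies travel as NOTICE with the body wrapped in \x01.
    if command == "NOTICE" and len(params) >= 2:
        body = params[1]
        if body.startswith("\x01VERSION") and body.endswith("\x01"):
            reply = body.strip("\x01")[len("VERSION"):].lower()
            if all(tok in reply for tok in FAKE_VERSION_TOKENS):
                hits.append("fake-mirc-version-reply")
    return hits


def scan_session(peer_host, lines):
    """Scan a captured session: (peer hostname, [(direction, raw line)])."""
    hits = set()
    if peer_host.lower() == C2_HOST:
        hits.add("connect-efnet-demon")
    for direction, raw in lines:
        hits.update(classify_line(raw, direction))
    return sorted(hits)


def is_bot_persistence_entry(command_line):
    """True when a Run-key command line launches the dropped file by name."""
    tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes
    if not tokens:
        return False
    exe = ntpath.basename(tokens[0].strip('"'))
    return exe.lower() == DROPPED_FILE


# Constructed sample session: a client registering, joining #gibson with
# the key, and answering a CTCP VERSION probe with the fake mIRC string.
SAMPLE_SESSION = [
    ("out", "NICK gbsn1234"),
    ("out", "USER x 0 * :x"),
    ("in", ":irc.example.net 001 gbsn1234 :Welcome"),
    ("out", "JOIN #gibson gibson"),
    ("in", ":hunter!ops@example.net PRIVMSG gbsn1234 :\x01VERSION\x01"),
    ("out", "NOTICE hunter :\x01VERSION mIRC v6.12\x01"),
]

if __name__ == "__main__":
    print(scan_session("efnet.demon.co.uk", SAMPLE_SESSION))
    print(is_bot_persistence_entry('"C:\\WINDOWS\\system\\csrsc.exe"'))
```

Matching on the channel and key together is the strongest of the three network indicators, since a legitimate client could in principle join #gibson; the version check is weaker on its own because any client can claim to be mIRC, and the post only says the claim is false for this file. The persistence check matches on the file name alone, so treat a hit as a reason to inspect the file (the post gives 73,728 bytes as its size), not as proof.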