Anyone else seen anything about this?
From:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-041314-1900-99&tabid=2
"When the Trojan is executed, it checks for the presence of the following two applications and will shut down the compromised computer if either of those programs are present:
VMWare
VirtualPC"
Interesting. For something that is meant to drop in rootkits and send spam, I wonder why it would shut down a "valuable" host - unless the malware writer either,
a) semi-sympathizes with virtualization, therefore is shutting the machine down instead of infecting it, or,
b) has something further against virtualization, trying to tarnish virtualization by specifically targeting its availability?
Why not instead detect that the system is actually a virtual machine and then mask its rootkits blue pill style?
J
My guess is that the trojan really checks if it's inside a VM and Symantec simplified their write-up.
I had thought that, but there's a HUGE difference...
Are you sure Symantec / the editor knows this difference?
Very good point!
Maybe I'll quiz them...
Had this doozy on my home PC. I used Symantec Enterprise (I think it was 8) with System Restore turned off in XP, and it got rid of it. I had VMware Workstation installed and it rebooted my actual PC a bunch of times.
No, actually the reason is very straightforward. Most of today's antivirus/trojan/whatever-computer-badness research is done in VMs these days. So the trojan author is just trying to hide the trojan from researchers. This is common practice these days.
Detection methods for checking if you are running an application within a virtualized host are shared and published on the internet. There are web sites targeting virus authors that have more details on this, including programs and other tips. I can jot those URLs down here, but don't really want to give pointers to the script kiddies.