Standard User k_e_v
(learned) Thu 17-May-07 13:27:57

Which trojan?


 
So, exactly which trojan(s) found their way onto the compromised webmail server? From perusing the multitude of posts here, it looks like it was possibly JS/downloader-AUD, although some other names have been mentioned.

As far as I can tell, at present PlusNet have not specifically named the trojan.
Standard User rsharma
(knowledge is power) Thu 17-May-07 13:48:40

Re: Which trojan?


[re: k_e_v]
 
Hi,

This is the list:
# Generic3.VXL
# TROJ_ALPIOK.A
# TSPY_BZUB.A
# EXPL_ANICMOO.GEN

Hope that helps.

Standard User jelv
(fountain of knowledge) Thu 17-May-07 14:05:24

Re: Which trojan?


[re: rsharma]
 
Why they haven't put that in a service status posting I can't imagine as they have posted it freely on the portal forums!

jelv

Plusnet ADSL PAYG Jan 2004 -
Plusnet Dialup Nov 2001 to Jan 2004
Previously Compuserve, BT & LineOne Dialup



Standard User deleted
(deleted) Thu 17-May-07 14:08:21

Re: Which trojan?


[re: jelv]
 
There is not even a sticky in their own forum.. I appreciate they may be busy but how much time does that take!
Standard User deleted
(deleted) Thu 17-May-07 14:08:38

Re: Which trojan?


[re: jelv]
 
There is not even a sticky/product announcement in their own forum.. I appreciate they may be busy but how much time does that take!
Standard User h0tblack
(fountain of knowledge) Thu 17-May-07 14:24:54

Re: Which trojan?


[re: jelv]
 
This information should have been in the service status last week when they first identified (or were informed of) the problem.
Standard User stevebasford
(committed) Thu 17-May-07 14:31:17

Re: Which trojan?


[re: rsharma]
 
Yikes, you can see the *possible* picture forming....

.ANI exploit on web mail server... plus unpatched Windows machines:

EXPL_ANICMOO.GEN:

"This is the Trend Micro detection for the specially crafted cursor, animated cursor (.ANI), and icon formats that exploit a vulnerability in the way Windows handles these files. Successfully exploiting the said vulnerability can allow remote users to issue commands on the affected system."

TROJ_ALPIOK.A:

"This Trojan may be downloaded from remote site(s) by other malware. Once connected, it uses its integrated SMTP engine to act as a proxy server and send spam email messages from the mentioned servers."

TSPY_BZUB.A:

"As a BHO, it is able to monitor and collect the user names and passwords that an affected user keys in while browsing through the Internet. It then saves its gathered information, presumably for future retrieval by a remote malicious user. The said user can use the stolen information to access the affected user's account/s."

I hope you're wrong about the trojans used.

