Xenon2 Game (Trojan/Spyware)

There is a file available for download currently being advertised in some Usenet newsgroups. It poses as the old DOS VGA game Xenon2 (Xenon2.zip), but is actually a spyware generator in disguise.
The game directory appears similar to the original game setup, but the Setup executable creates a file called MSCONFIGS.EXE in the \Windows\System directory, and adds the file to the RUN section of the system registry.
I inadvertently ran this file and discovered that my firewall (Sygate) reported that MSCONFIGS.EXE was attempting to connect to the Internet. I did a little Google search and came up with this:

On Sun, 08 Aug 2004 08:03:22 GMT, wrote:

Quite simply the best shootemup ever!

Creates a file called ‘msconfigs.exe’ in (typically) C:\Windows\System32
Tries to connect to:
tc-operator2.telecom.cc.cmu.edu [], port 9500
There’s also a shed load of registry changes going on, according to
TCMonitor (The Cleaner).
Post reported to abuse dept. at ntlworld.com
NOD32 and The Cleaner Professional 4.1 didn’t detect anything. What is this
thing? Adaware didn’t find anything.
I know I’ll probably take some heat for netcopping and
uninformed-malware-analysis but I’ve just got to know if this is definitely
something to worry about, or it was, actually, a spammed game.

I ran Avast scanner on the system and it did not detect the file or anything in memory. Is this a new issue that we should address?

Does Avast pick it up? If not, please send the file and a link to this thread to virus@avast.com

No, I did a full memory and file scan and came up blank.
I’ll send the zip file and the web link now.

After 10 pages of Google search, I found nothing about this game being a spyware generator. That is not to say that someone has not modified the game to do so. ???

Mostly, I found game sites with cheat codes for the game. Almost every game site I’ve ever heard of had cheat listings. It appears that Xenon 2 was originally written by BitMap Brothers for the Amiga OS.

Perhaps the avast! team will let us know the results of the file GrizeBar sent to them. :)

Try searching Google Groups for the keyword MSCONFIG.EXE.

Yes, there is a legitimate game called Xenon2, but as you said, the game file has been modified or replaced with the trojan generator.
The website that it is downloaded from appears to be one of the free web hosting sites, probably a temporary base for the file.

This file must have been posted quite recently. I checked back with Google Groups under the keyword MSCONFIGS.EXE. The topic has generated about 10 more replies from the original 3 that I found from various newsgroups. It appears to have been spammed over every available Usenet newsgroup and people are picking it up.
Since it is a valid trojan, this could be a serious threat to many unsuspecting people that try to run it, particularly those without virus and firewall protection.

Thanks for the update, GrizeBar! :)

Hi Grizebar and others,
Yes, it’s a trojan horse. It seems to be able to communicate through IRC, acting as a remote access tool and proxy. It is probably possible to use it for DoS attacks and network sniffing. Thank you for the sample.

You’re welcome. I also contacted the makers of the original game about the fake.
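
Added example (not part of the thread or any participant's post): a triage check for the persistence indicator reported above, a Run entry that launches msconfigs.exe from the System or System32 directory. It parses saved `reg query` output; the Run key path, the value names and the sample text are constructed assumptions, not data from an infected machine.

```python
import re
from pathlib import PureWindowsPath

# Indicators reported in the thread: the dropped file name and the directories it was seen in.
IOC_FILENAME = "msconfigs.exe"
IOC_DIRS = {"system", "system32"}

# Constructed sample of `reg query` output for a Run key (value names are hypothetical).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleFW    REG_SZ    "C:\Program Files\ExampleFW\fw.exe" -startgui
    Config Loader    REG_SZ    C:\WINDOWS\System32\MSCONFIGS.EXE
    MSConfig    REG_SZ    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def executable_of(command):
    """Return the executable path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut at the first ".exe" so arguments after the path are dropped.
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command

def find_ioc_entries(reg_query_text):
    """Return (value_name, path, in_reported_dir) for Run values that launch the IOC file."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = PureWindowsPath(executable_of(m.group("data")))
        if path.name.lower() == IOC_FILENAME:  # exact name, so msconfig.exe is not flagged
            in_dir = path.parent.name.lower() in IOC_DIRS
            hits.append((m.group("name"), str(path), in_dir))
    return hits

if __name__ == "__main__":
    for name, path, in_dir in find_ioc_entries(SAMPLE_REG_QUERY):
        print(f"Run value {name!r} starts {path} (reported directory: {in_dir})")
```

The match is on the exact file name, case-insensitively, so the legitimate MSConfig.exe entry in the sample is not reported.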