Another Windows Trojan...

From: L S D (eLeSsDeeat_private)
Date: Sat Oct 03 1998 - 00:40:46 PDT


    The source code to the Windows trojan called 'Acid Shiver' that covered most
    of Efnet last year has been released.  The source code is all Visual Basic 5.0
    (SP3), and not much effort was put into organization.  It had been distributed
    through 'WaReZ' DCC bots, and had over 7000 users within 2 months.  It was
    disguised as a million different applications; the Setup.exe file in different
    programs was replaced by the trojan, which would install itself into the
    registry on first use.  As soon as the program is run, it registers its
    process as a 'Windows Service', thus removing it from all task lists.  It
    waits until an active internet connection is established (by attempting
    connections to an array of SMTP servers), and then e-mails the creator with
    the random TCP port number it listens on, the time, and a large amount of
    sensitive information resident on the victim's hard drive.  The creator then
    connects via telnet to the specified port and is given a prompt that looks
    like a DOS shell.  Any command can be executed, with the results shot back
    across the TCP connection; network topology can be shown (net * commands),
    files may be downloaded, the deployer may "bounce" through the victim to
    another host, and system settings/registry entries can be changed.  The victim
    can use netstat to see the listening port/connections.  It loads
    automatically through the HKLM/M$/Windows/Current Version/Run Services, Run,
    Run Once, and Run Services Once entries.  If it detects another copy running it
    exits.  The file size for the exe changed depending upon the exe-packer used,
    and any hex-editing done by the deployer.  Among the IRC operators infected
    were _cls_ and saralee, along with some other high profiles on Efnet (among
    the hacking/warez community).
    For a .zip of the source code, e-mail elessdeeat_private with "Send AS Source"
    as subject.
    - elessdee
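As an added example (not part of the original post or of the trojan's source), a defender-side PowerShell snippet that lists everything registered under the four HKLM autorun keys the post names and notes whether each command's target binary still exists on disk; the RunServices keys are Windows 9x keys and are skipped when absent.

```powershell
# Added example, not part of the original post: enumerate the four HKLM autorun
# keys named in the post and report every value, flagging commands whose target
# executable cannot be found on disk.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$keys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'

$results = foreach ($keyName in $keys) {
    $path = Join-Path $base $keyName
    # RunServices and RunServicesOnce only exist on Windows 9x; skip when absent.
    if (-not (Test-Path $path)) { continue }
    $item = Get-Item -Path $path
    foreach ($valueName in $item.GetValueNames()) {
        $command = [string]$item.GetValue($valueName)
        # Crude parse: expand %VAR% references, strip quotes, and treat the
        # first whitespace-separated token as the executable path.
        $expanded = [Environment]::ExpandEnvironmentVariables($command)
        $exe = ($expanded -replace '"', '').Split(' ')[0]
        $onDisk = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
        [pscustomobject]@{
            Key          = $keyName
            ValueName    = $valueName
            Command      = $command
            TargetOnDisk = $onDisk
        }
    }
}

# Entries whose target is missing, or whose name/path looks like a dropped
# installer (e.g. a stray Setup.exe), are the ones to compare against a
# known-good baseline of the machine.
$results | Sort-Object TargetOnDisk, Key | Format-Table -AutoSize
```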

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:39 PDT