Re: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

From: aleph1at_private
Date: Mon Oct 01 2001 - 04:01:47 PDT


    The EXE in question contains a copy of the BioNet trojan. Among other
    things the trojan gives remote access to the intruders, installs a keystroke
    logger, and emails the keystrokes to the account jester@cn-s.net. If the
    trojan is running under Windows 9x (it can also run under NT/2000) it
    also emails the user's password.
    
    Valentin Kolesnikov <valikat_private> from Kaspersky Labs has stated
    the malicious code is the Backdoor.Bionet.318.
    
    In our case executing the EXE resulted in a strange error message. Something
    like "30.10.2001 not a valid data". The EXE appears to fail to extract
    any files. Yet if you change the EXE's extension to ZIP and drop it in
    WinZip you can extract a number of files.
    
    In any case, when you execute FIX_NIMDA.exe it will start two new processes
    named win32cfg.exe and keyboard.exe. They drop a file named win32cfg.exe
    in, at least under Windows 2000, C:\WINNT\System32\win32cfg.exe.
    It also drops C:\WINNT\System32\keyeye.ini, C:\WINNT\System32\keyboards.dll,
    and C:\WINNT\System32\keyboards.exe.
    
    C:\WINNT\System32\keyeye.ini is the keystroke logger configuration file.
    The actual keystroke data are saved in C:\WINNT\keylog.txt.
    
    The trojan creates open shares for all drives from C: to Z:.
    
    The backdoor stores its configuration parameters in the registry under
    HKCU\Software\Cyberium Technologies\BioNet 3. It does some more mucking
    with the registry.
    
    AV vendors have some information about a BioNet trojan but their
    information differs substantially from the behaviour displayed (files and
    keys accessed) by the backdoor in FIX_NIMDA.exe. Theirs may document either
    older or different versions of the backdoor:
    
    http://www.symantec.com/avcenter/venc/data/backdoor.bionet.40a.html
    http://www.symantec.com/avcenter/venc/data/backdoor.bionet.318.html
    http://www.symantec.com/avcenter/venc/dyn/20648.html
    http://vil.nai.com/vil/virusSummary.asp?virus_k=99008
    http://www.nsclean.com/psc-bionet.html
    http://www.sophos.com/virusinfo/analyses/trojbionet.html
    http://www.europe.f-secure.com/v-descs/bionet.shtml
    
    This may indicate that AV software cannot detect this variation of it.
    Check your systems manually.
    
    The many different versions of this trojan are listed at
    http://www.megasecurity.org/trojans/bionet/Bionet_all.html
    
    Some other analysis of BioNet (again it may be of versions different
    from the one in the fake message and thus the information may not apply):
    
    http://www.mischel.dhs.org/bionet312analysis.asp
    
    To stop the keylogger and backdoor all you need to do is kill the
    win32cfg.exe and keyboards.exe processes, but we haven't yet determined
    how it ensures it is started again after the machine is rebooted.
    
    It's also interesting to note that the comments in the keyeye.ini file
    are in German, cn-s.net is also located in Germany, and the machine
    that appears to have been the first to send out the fake messages,
    217.228.174.48 [ pD9E4AE30.dip.t-dialin.net ], is also in Germany.
    
    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
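    Added example, not part of Elias Levy's message and not SecurityFocus or
    any AV vendor's tooling: a Python 3 script for readers who take up the
    "check your systems manually" advice. The indicator values (the process
    names, the dropped files under C:\WINNT, the HKCU\Software\Cyberium
    Technologies\BioNet 3 key, and the drive shares) are the ones named in
    the post. Everything else is an assumption: that the host has `tasklist`
    and `net share` (Windows XP or later, not the Windows 2000 box the post
    describes), that Python 3.7+ is installed, that `net share` prints the
    share name and resource path as the first two columns, and that "open
    shares for all drives from C: to Z:" shows up as non-administrative
    shares whose path is a bare drive root. Collection and matching are kept
    separate so the matcher can be exercised on any platform with the
    constructed inventory at the bottom.

```python
"""
Hunt for the BioNet artefacts named in the post above on a Windows host.

Indicators (process names, dropped files, registry key) are copied from the
post. collect_windows_inventory() is an assumption about how to gather the
data with stock Windows tools; find_bionet_indicators() is pure Python and is
exercised with a constructed (made-up) inventory so it runs anywhere.
"""
import os
import re
import subprocess
import sys

# Process image names started by FIX_NIMDA.exe, as reported in the post.
SUSPECT_PROCESSES = {"win32cfg.exe", "keyboards.exe", "keyboard.exe"}

# Files dropped on Windows 2000, as reported in the post.
SUSPECT_FILES = [
    r"C:\WINNT\System32\win32cfg.exe",
    r"C:\WINNT\System32\keyeye.ini",
    r"C:\WINNT\System32\keyboards.dll",
    r"C:\WINNT\System32\keyboards.exe",
    r"C:\WINNT\keylog.txt",
]

# Backdoor configuration key, relative to HKEY_CURRENT_USER.
SUSPECT_REGKEY = r"Software\Cyberium Technologies\BioNet 3"

# A share path that is just a drive root, e.g. "C:" or "D:\".
DRIVE_ROOT = re.compile(r"^[C-Z]:\\?$", re.IGNORECASE)


def find_bionet_indicators(inventory):
    """Return a list of (category, detail) tuples for every indicator hit.

    inventory keys (all optional):
      "processes": running image names
      "files":     absolute paths that exist on disk
      "hkcu_keys": registry subkeys present under HKCU
      "shares":    (share_name, local_path) tuples
    Names are compared case-insensitively, as Windows does.
    """
    findings = []

    running = {p.lower() for p in inventory.get("processes", [])}
    for name in sorted(SUSPECT_PROCESSES & running):
        findings.append(("process", name))

    present = {f.lower() for f in inventory.get("files", [])}
    for path in SUSPECT_FILES:
        if path.lower() in present:
            findings.append(("file", path))

    keys = {k.lower() for k in inventory.get("hkcu_keys", [])}
    if SUSPECT_REGKEY.lower() in keys:
        findings.append(("registry", "HKCU\\" + SUSPECT_REGKEY))

    # Assumption (heuristic, not stated in the post): "open shares for all
    # drives from C: to Z:" shows up as non-administrative shares (no trailing
    # '$') whose path is a bare drive root. C$/ADMIN$ are normal and skipped.
    for name, path in inventory.get("shares", []):
        if not name.endswith("$") and DRIVE_ROOT.match(path.strip()):
            findings.append(("share", f"{name} -> {path}"))

    return findings


def collect_windows_inventory():
    """Build the inventory on a live host.

    Assumes Windows XP or later (tasklist, net share) and Python 3.7+.
    """
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg  # Windows-only module

    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    # CSV rows look like: "win32cfg.exe","1234","Console","0","1,234 K"
    processes = [row.split('","')[0].strip('"') for row in out.splitlines() if row]

    files = [p for p in SUSPECT_FILES if os.path.exists(p)]

    hkcu_keys = []
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, SUSPECT_REGKEY))
        hkcu_keys.append(SUSPECT_REGKEY)
    except OSError:
        pass

    # Assumed `net share` row layout: "C            C:\        " (name, resource, remark)
    out = subprocess.run(["net", "share"],
                         capture_output=True, text=True, check=True).stdout
    shares = [(m.group(1), m.group(2))
              for m in (re.match(r"^(\S+)\s+([A-Za-z]:\\\S*)", row)
                        for row in out.splitlines()) if m]

    return {"processes": processes, "files": files,
            "hkcu_keys": hkcu_keys, "shares": shares}


# Constructed inventory of an infected Windows 2000 box (made-up, not real data).
SAMPLE_INFECTED = {
    "processes": ["explorer.exe", "WIN32CFG.EXE", "keyboards.exe"],
    "files": [r"C:\WINNT\System32\win32cfg.exe", r"C:\WINNT\keylog.txt"],
    "hkcu_keys": [r"Software\Cyberium Technologies\BioNet 3"],
    "shares": [("C$", "C:\\"), ("ADMIN$", r"C:\WINNT"), ("C", "C:\\"), ("D", "D:\\")],
}

if __name__ == "__main__":
    inv = collect_windows_inventory() if sys.platform == "win32" else SAMPLE_INFECTED
    for category, detail in find_bionet_indicators(inv):
        print(f"[{category}] {detail}")
```

    Run it as-is on a non-Windows machine to see the matcher fire on the
    constructed inventory; on a Windows host it collects live data instead.
    A hit on the registry key or on keyeye.ini is the strongest signal, since
    the post notes AV products may not flag this variant at all; the share
    heuristic alone can also fire on a deliberately shared drive, so treat
    it as corroboration rather than proof.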
    



    This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 10:09:25 PDT