The EXE in question contains a copy of the BioNet trojan. Among other things the trojan gives remote access to the intruders, installs a keystroke logger, and emails the keystrokes to the account jester@cn-s.net. If the trojan is running under Windows 9x (it can also run under NT/2000) it also emails the user's password.

Valentin Kolesnikov <valikat_private> from Kaspersky Labs has stated the malicious code is the Backdoor.Bionet.318.

In our case executing the EXE resulted in a strange error message. Something like "30.10.2001 not a valid data". The EXE appears to fail to extract any files. Yet if you change the EXE's extension to ZIP and drop it in WinZip you can extract a number of files.

In any case, when you execute FIX_NIMDA.exe it will start two new processes named win32cfg.exe and keyboard.exe. They drop a file named win32cfg.exe in, at least under Windows 2000, C:\WINNT\System32\win32cfg.exe. It also drops C:\WINNT\System32\keyeye.ini, C:\WINNT\System32\keyboards.dll, and C:\WINNT\System32\keyboards.exe. C:\WINNT\System32\keyeye.ini is the keystroke logger configuration file. The actual keystroke data are saved in C:\WINNT\keylog.txt.

The trojan creates open shares for all drives from C: to Z:. The backdoor stores its configuration parameters in the registry under HKCU\Software\Cyberium Technologies\BioNet 3. It does some more mucking with the registry.

AV vendors have some information about a BioNet trojan but their information differs substantially from the behaviour displayed (files and keys accessed) by the backdoor in FIX_NIMDA.exe.
This may document either older or different versions of the backdoor:

http://www.symantec.com/avcenter/venc/data/backdoor.bionet.40a.html
http://www.symantec.com/avcenter/venc/data/backdoor.bionet.318.html
http://www.symantec.com/avcenter/venc/dyn/20648.html
http://vil.nai.com/vil/virusSummary.asp?virus_k=99008
http://www.nsclean.com/psc-bionet.html
http://www.sophos.com/virusinfo/analyses/trojbionet.html
http://www.europe.f-secure.com/v-descs/bionet.shtml

This may indicate that AV software cannot detect this variation of it. Check your systems manually.

The many different versions of this trojan are at
http://www.megasecurity.org/trojans/bionet/Bionet_all.html

Some other analysis of BioNet (again, it may be of versions different from the one in the fake message and thus the information may not apply):
http://www.mischel.dhs.org/bionet312analysis.asp

To stop the keylogger and backdoor all you need to do is kill the win32cfg.exe and keyboards.exe processes, but we haven't yet determined how it ensures it starts after the machine is rebooted.

It's also interesting to note that the comments in the keyeye.ini file are in German, cn-s.net is also located in Germany, and the machine that appears to have been the first to send out the fake messages, 217.228.174.48 [ pD9E4AE30.dip.t-dialin.net ], is also in Germany.

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
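As an added example (not part of Elias Levy's post and not SecurityFocus code), the manual check the post asks for, written as a Python script: it matches the indicators listed in the post (the process names, the dropped files, the registry key, and open shares of the drive roots C: through Z:) against a host inventory and reports what it finds. The inventory format, the function names, the heuristic that a non-hidden share of a drive root counts as one of the trojan's open shares, the Windows 2000 paths, and the two constructed sample hosts are assumptions of this example. Live collection uses tasklist, net share and winreg, so it only runs on Windows; the offline checker runs anywhere.

```python
"""IOC check for the BioNet variant carried by FIX_NIMDA.exe (added example).

The indicators come from the post above. Everything else here (inventory
format, function names, share heuristic, sample hosts) is an assumption.
"""
import os
import platform
import subprocess
from dataclasses import dataclass

# Indicators named in the post. Paths are the Windows 2000 ones; on other
# versions %SystemRoot% may not be C:\WINNT.
IOC_PROCESSES = {"win32cfg.exe", "keyboards.exe", "keyboard.exe"}
IOC_FILES = {
    "C:\\WINNT\\System32\\win32cfg.exe",
    "C:\\WINNT\\System32\\keyeye.ini",
    "C:\\WINNT\\System32\\keyboards.dll",
    "C:\\WINNT\\System32\\keyboards.exe",
    "C:\\WINNT\\keylog.txt",
}
IOC_REGISTRY_KEY = "HKCU\\Software\\Cyberium Technologies\\BioNet 3"
# The post says the trojan shares every drive C: through Z: but does not give
# the share names, so any share of a drive root that is not a hidden ($)
# administrative share is treated as suspicious (assumption).
IOC_DRIVE_ROOTS = {chr(c) + ":\\" for c in range(ord("C"), ord("Z") + 1)}


@dataclass
class HostInventory:
    processes: set      # running image names, e.g. {"explorer.exe"}
    files: set          # paths that exist on disk
    registry_keys: set  # registry keys that exist
    shares: dict        # share name -> shared path


def check_host(inv: HostInventory) -> dict:
    """Return the indicators found, grouped by type; an empty dict is clean."""
    findings = {}
    procs = {p for p in inv.processes if p.lower() in IOC_PROCESSES}
    if procs:
        findings["processes"] = sorted(procs)
    wanted = {f.lower() for f in IOC_FILES}
    files = {f for f in inv.files if f.lower() in wanted}
    if files:
        findings["files"] = sorted(files)
    if any(k.lower() == IOC_REGISTRY_KEY.lower() for k in inv.registry_keys):
        findings["registry"] = [IOC_REGISTRY_KEY]
    shares = {}
    for name, path in inv.shares.items():
        root = path.upper().rstrip("\\") + "\\"
        if root in IOC_DRIVE_ROOTS and not name.endswith("$"):
            shares[name] = path
    if shares:
        findings["shares"] = shares
    return findings


def collect_windows_inventory() -> HostInventory:
    """Gather the inventory from a live Windows host (assumed tooling)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection only works on Windows")
    import winreg
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True).stdout
    processes = {ln.split('","')[0].strip('"') for ln in out.splitlines()
                 if ln.startswith('"')}
    files = {p for p in IOC_FILES if os.path.exists(p)}
    keys = set()
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                       "Software\\Cyberium Technologies\\BioNet 3"))
        keys.add(IOC_REGISTRY_KEY)
    except OSError:
        pass
    shares = {}
    out = subprocess.run(["net", "share"], capture_output=True, text=True).stdout
    for ln in out.splitlines():          # "C$   C:\   Default share"
        parts = ln.split()
        if len(parts) >= 2 and ":" in parts[1]:
            shares[parts[0]] = parts[1]
    return HostInventory(processes, files, keys, shares)


# Constructed sample hosts (not real data) for running the checker offline.
SAMPLE_INFECTED = HostInventory(
    processes={"explorer.exe", "Win32cfg.exe", "keyboards.exe"},
    files={"C:\\WINNT\\System32\\keyeye.ini", "C:\\WINNT\\keylog.txt"},
    registry_keys={"HKCU\\Software\\Cyberium Technologies\\BioNet 3"},
    shares={"C$": "C:\\", "ADMIN$": "C:\\WINNT", "IPC$": "",
            "C": "C:\\", "D": "D:\\"},
)
SAMPLE_CLEAN = HostInventory(
    processes={"explorer.exe", "lsass.exe"}, files=set(), registry_keys=set(),
    shares={"C$": "C:\\", "ADMIN$": "C:\\WINNT", "IPC$": ""},
)

if __name__ == "__main__":
    live = platform.system() == "Windows"
    inv = collect_windows_inventory() if live else SAMPLE_INFECTED
    print("live host" if live else "constructed sample", check_host(inv) or "clean")
```

Killing the two processes, as the post says, stops the logger, but since the persistence mechanism was not determined, a hit on the registry key or the dropped files after a reboot is the signal to look for.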
This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 10:09:25 PDT