Trojan program

From: Mike Peterson (slidefxat_private)
Date: Fri Oct 19 2001 - 06:01:47 PDT

  • Next message: Ulrich Eckhardt: "Re: many port 4599 probes"

    Does anyone have information on an IRC Trojan with the
    following characteristics?
    
    Opens IRC channels on 6667 and connects to some IRC
    channel on 6668.
    
    It sets a registry key:
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser = "c:\winnt\system32\iexplore.exe"
    
    And changes the shell:
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
    changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"
    
    I found a 9 KB file named iexplore.exe in
    c:\winnt\system32 and also found the iexplore.exe
    process running.
    
    Norton Antivirus did not catch the Trojan.
    
    Here is some of the network traffic:
    
    Network Monitor trace  Fri 10/19/01 07:47:37  trojan.TXT
    
    Frame 110   Time 5.159   Src MAC Addr G7SUJ   Dst MAC Addr NICSRV01   Protocol TCP
      Description: .AP..., len: 26, seq: 67030892-67030917, ack: 3550877285, win: 8280
      Src Other Addr G7SUJ   Dst Other Addr 209.116.7.97   Type Other Addr IP
    
    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    + IP: ID = 0x612A; Proto = TCP; Len: 66
    + TCP: .AP..., len:   26, seq:  67030892-67030917, ack:3550877285, win: 8280, src: 8184  dst: 6668
    
    00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
    00010:  00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74   .Ba*.......hFu.t
    00020:  07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18   .a.......l...eP.
    00030:  20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20    X....USER chxv 
    00040:  69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A   ixdo pnjh :adoa.
    
    Frame 113   Time 5.214   Src MAC Addr 0004DD749F42   Dst MAC Addr G7SUJ   Protocol TCP
      Description: .AP..., len: 68, seq: 3550877285-3550877352, ack: 67030892, win: 4140
      Src Other Addr 209.116.7.97   Dst Other Addr G7SUJ   Type Other Addr IP
    
    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    + IP: ID = 0x8DED; Proto = TCP; Len: 108
    + TCP: .AP..., len:   68, seq:3550877285-3550877352, ack:  67030892, win: 4140, src: 6668  dst: 8184
    
    00000:  00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00   ....I\...t.B..E.
    00010:  00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68   .l..@......t.a.h
    00020:  46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18   Fu.......e...lP.
    00030:  10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67   .,....:dragons.g
    00040:  61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54   a.us.dal.net NOT
    
    Frame 127   Time 5.516   Src MAC Addr G7SUJ   Dst MAC Addr NICSRV01   Protocol TCP
      Description: .AP..., len: 32, seq: 67030928-67030959, ack: 3550879444, win: 8280
      Src Other Addr G7SUJ   Dst Other Addr 209.116.7.97   Type Other Addr IP
    
    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    + IP: ID = 0x692A; Proto = TCP; Len: 72
    + TCP: .AP..., len:   32, seq:  67030928-67030959, ack:3550879444, win: 8280, src: 8184  dst: 6668
    
    00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
    00010:  00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74   .Hi*.......hFu.t
    00020:  07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18   .a............P.
    00030:  20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A    Xv...JOIN #whoz
    00040:  79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B   yerdaddy ratpack
    
    
    I know that I will need to rebuild the machine, but
    does anyone have experience with this one?  I looked
    at the Run key a number of times before I realized the
    Default Web Browser key doesn't fit in.
    
    Mike
    
    
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
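The three hex dumps in the post are complete Ethernet/IP/TCP frames, so the IRC session can be decoded directly from them. The following script is an added example, not code from the original post: it reassembles the dumps (transcribed from the post and re-wrapped to 16 bytes per line), walks the Ethernet, IPv4 and TCP headers, splits the payload into IRC prefix/command/parameters as RFC 1459 lays them out, and reports how much of each segment the capture actually holds, because two of the three frames were cut short when printed (the IP header promises 68 and 32 payload bytes, the dumps contain 26 each). The indicator summary at the end is the list a responder would want from this kind of trace: the server the implant talks to, the USER registration it sends, and the channel it joins along with the channel key given as the second JOIN argument.

```python
"""Decode the Network Monitor frames from the post and extract the IRC
traffic.  Added example; the hex dumps are transcribed from the post."""
import re
import struct
from dataclasses import dataclass

FRAME_110 = r"""
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74   .Ba*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18   .a.......l...eP.
00030:  20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20    X....USER chxv
00040:  69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A   ixdo pnjh :adoa.
"""
FRAME_113 = r"""
00000:  00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00   ....I\...t.B..E.
00010:  00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68   .l..@......t.a.h
00020:  46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18   Fu.......e...lP.
00030:  10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67   .,....:dragons.g
00040:  61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54   a.us.dal.net NOT
"""
FRAME_127 = r"""
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74   .Hi*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18   .a............P.
00030:  20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A    Xv...JOIN #whoz
00040:  79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B   yerdaddy ratpack
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4,8}):\s+(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hexdump(text: str) -> bytes:
    """Reassemble a Network Monitor hex dump.  Offsets are checked so a
    missing or duplicated line is reported instead of silently shifting data."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError(f"dump line out of sequence at offset {m.group(1)}")
        for tok in m.group(2).split()[:16]:  # at most 16 bytes per line
            if not HEX_BYTE.match(tok):
                break                          # reached the ASCII column
            data.append(int(tok, 16))
    return bytes(data)


@dataclass
class Frame:
    src_mac: str; dst_mac: str; src_ip: str; dst_ip: str; ttl: int
    sport: int; dport: int; seq: int; ack: int; flags: str; window: int
    declared_payload: int   # payload length promised by the IP total length
    payload: bytes          # payload bytes actually present in the dump

    @property
    def truncated(self) -> bool:
        return len(self.payload) < self.declared_payload


def mac(b: bytes) -> str: return ":".join(f"{x:02X}" for x in b)
def ip4(b: bytes) -> str: return ".".join(str(x) for x in b)


def decode_frame(raw: bytes) -> Frame:
    """Ethernet II -> IPv4 -> TCP.  Reads only up to the declared datagram
    length and keeps the captured-vs-declared difference visible."""
    if len(raw) < 54 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = raw[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = ",".join(name for bit, name in TCP_FLAGS if off_flags & bit)
    return Frame(mac(raw[6:12]), mac(raw[0:6]), ip4(ip[12:16]), ip4(ip[16:20]), ttl,
                 sport, dport, seq, ack, flags, window,
                 total_len - ihl - data_off, tcp[data_off:])


def parse_irc(line: str):
    """Split one IRC line into (prefix, command, params) per RFC 1459: an
    optional ':prefix', the command, middle params, and a ':trailing' param
    that may contain spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = (parts[0], parts[1:]) if parts else ("", [])
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def irc_indicators(frames):
    """Server, USER registration and channel/key pairs seen in the session.
    JOIN's second argument is the channel key, so a key means the bot's
    channel is password-protected."""
    found = {"server": None, "server_name": None, "user": None, "channels": []}
    for f in frames:
        prefix, cmd, params = parse_irc(f.payload.decode("latin-1"))
        if prefix:
            found["server_name"] = prefix
        if cmd == "USER":
            found["server"], found["user"] = (f.dst_ip, f.dport), params
        elif cmd == "JOIN" and params:
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(params[0].split(",")):
                found["channels"].append((chan, keys[i] if i < len(keys) else None))
    return found


if __name__ == "__main__":
    frames = [decode_frame(parse_hexdump(d)) for d in (FRAME_110, FRAME_113, FRAME_127)]
    for f in frames:
        note = f" (capture holds {len(f.payload)} of {f.declared_payload} bytes)" if f.truncated else ""
        print(f"{f.src_ip}:{f.sport} -> {f.dst_ip}:{f.dport} [{f.flags}] {f.payload!r}{note}")
    print(irc_indicators(frames))
```

Frame 113 is the server's reply and its command is cut off after "NOT" in the printout, so the parser returns that fragment as the command rather than guessing at the rest; the truncated flag is what tells you not to trust it.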
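The two registry changes in the post are the part worth hunting for on other machines: a Winlogon Shell value with anything after Explorer.exe makes winlogon start that program at every logon, and a Run entry pointing at an iexplore.exe in system32 is a masquerade, since the real Internet Explorer binary lives under Program Files\Internet Explorer. The script below is an added example, not code from the post or from any product: it parses the string values out of a regedit .reg export (the sample export is constructed to mirror the values in the post, assuming a Windows 2000 box where %SystemRoot% is c:\winnt) and applies those two checks. The table of expected directories, the Run key list and the Finding shape are assumptions made for this example.

```python
"""Audit a regedit export for the Winlogon Shell and Run-key persistence
described in the post.  Added example; the export below is constructed."""
import ntpath
from typing import NamedTuple

# Constructed export, shaped like the values in the post (assumption: Windows 2000).
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Default web browser"="c:\\winnt\\system32\\iexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe iexplore.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Where a binary of this name legitimately lives; a copy anywhere else is a
# masquerade.  Assumption for this example: extend it for your environment.
EXPECTED_DIR = {
    "iexplore.exe": r"program files\internet explorer",
}


class Finding(NamedTuple):
    location: str
    value: str
    reason: str


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format needed here: [key] headers and
    "name"="string" (REG_SZ) values.  regedit doubles backslashes and
    escapes quotes in string data, so both are undone."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")):
            name, sep, value = line.partition("=")
            if sep and len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                name = "(Default)" if name == "@" else name.strip('"')
                keys[current][name] = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def first_exe(command: str) -> str:
    """Executable part of a Run command line: the quoted path if quoted,
    otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def audit(keys: dict) -> list:
    """Apply the two checks and return one Finding per suspicious value."""
    findings = []
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None:
        programs = [ntpath.basename(p).lower() for p in shell.split()]
        if programs != ["explorer.exe"]:
            findings.append(Finding(WINLOGON + r"\Shell", shell,
                "winlogon launches every program listed in Shell at logon; expected exactly explorer.exe"))
    for key in RUN_KEYS:
        for name, command in keys.get(key, {}).items():
            exe = first_exe(command)
            base = ntpath.basename(exe).lower()
            home = EXPECTED_DIR.get(base)
            if home and home not in ntpath.dirname(exe).lower():
                findings.append(Finding(key + "\\" + name, command,
                    f"{base} found outside its normal directory ({home})"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f.location}\n    = {f.value!r}\n    {f.reason}")
```

On the live box the same export comes from regedit (or "reg export" where that tool exists); the parser deliberately ignores binary and DWORD values because the two checks only concern string data. The basename comparison in the Shell check means a fully qualified "c:\winnt\explorer.exe" is still accepted, while any second token is flagged no matter where it points.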
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 08:39:57 PDT