Does anyone have information on an IRC Trojan with the following characteristics?

Opens IRC channels on 6667 and connects to some IRC channel on 6668.

It sets a registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser = "c:\winnt\system32\iexplore.exe"
and changes the shell
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
from "Explorer.exe" to "Explorer.exe iexplore.exe".

I found a 9 KB file named iexplore.exe in c:\winnt\system32 and also found the iexplore.exe process running. Norton Antivirus did not catch the Trojan.

Here is some of the network traffic (Network Monitor trace, Fri 10/19/01 07:47:37, trojan.TXT):

Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description                                                     Src Other Addr  Dst Other Addr  Type Other Addr
110    5.159  G7SUJ         NICSRV01      TCP       .AP..., len: 26, seq: 67030892-67030917, ack:3550877285, win:  G7SUJ           209.116.7.97    IP
+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x612A; Proto = TCP; Len: 66
+ TCP: .AP..., len: 26, seq: 67030892-67030917, ack:3550877285, win: 8280, src: 8184 dst: 6668
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74   .Ba*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18   .a.......l...eP.
00030:  20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20    X....USER chxv 
00040:  69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A   ixdo pnjh :adoa.
Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description                                                     Src Other Addr  Dst Other Addr  Type Other Addr
113    5.214  0004DD749F42  G7SUJ         TCP       .AP..., len: 68, seq:3550877285-3550877352, ack: 67030892, win  209.116.7.97    G7SUJ           IP
+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x8DED; Proto = TCP; Len: 108
+ TCP: .AP..., len: 68, seq:3550877285-3550877352, ack: 67030892, win: 4140, src: 6668 dst: 8184
00000:  00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00   ....I\...t.B..E.
00010:  00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68   .l..@......t.a.h
00020:  46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18   Fu.......e...lP.
00030:  10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67   .,....:dragons.g
00040:  61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54   a.us.dal.net NOT

Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description                                                     Src Other Addr  Dst Other Addr  Type Other Addr
127    5.516  G7SUJ         NICSRV01      TCP       .AP..., len: 32, seq: 67030928-67030959, ack:3550879444, win:  G7SUJ           209.116.7.97    IP
+ FRAME: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x692A; Proto = TCP; Len: 72
+ TCP: .AP..., len: 32, seq: 67030928-67030959, ack:3550879444, win: 8280, src: 8184 dst: 6668
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74   .Hi*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18   .a............P.
00030:  20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A    Xv...JOIN #whoz
00040:  79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B   yerdaddy ratpack

I know that I will need to rebuild the machine, but does anyone have experience with this one? I looked at the Run key a number of times before I realized the Default Web Browser key doesn't fit in.

Mike
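The frames above show the bot talking IRC on port 6668 rather than the usual 6667, so a port-based rule would miss it. As an added example (not code from the post or from any product named in it), the following Python decodes the posted Network Monitor hex dumps, walks the Ethernet/IPv4/TCP headers to reach the payload, and flags IRC client commands regardless of destination port; the frame constants are copied from the post, and the command list is an assumption.

```python
import re
import struct

# Frames 110 and 127 exactly as posted (hex columns only, ASCII column dropped).
FRAME_110 = """\
00000: 00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00
00010: 00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74
00020: 07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18
00030: 20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20
00040: 69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A
"""
FRAME_127 = """\
00000: 00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00
00010: 00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74
00020: 07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18
00030: 20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A
00040: 79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B
"""

# Assumed set of client-side IRC verbs worth alerting on when seen from a workstation.
IRC_CLIENT_CMDS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"PONG", b"MODE"}

def hexdump_to_bytes(dump):
    """Turn 'OFFSET: hh hh ...' lines into raw bytes, dropping the offset column."""
    out = bytearray()
    for line in dump.splitlines():
        body = line.split(":", 1)[1] if ":" in line else line
        out += bytes.fromhex("".join(re.findall(r"\b[0-9A-Fa-f]{2}\b", body)))
    return bytes(out)

def parse_frame(raw):
    """Ethernet II + IPv4 + TCP: return endpoints and the TCP payload (may be truncated)."""
    if raw[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4          # IP header length from the IHL nibble
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4         # TCP data offset in bytes
    return {"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
            "dport": dport, "payload": tcp[doff:]}

def irc_verdict(frame):
    """Flag IRC client commands on any port; returns a one-line finding or None."""
    cmd = frame["payload"].split(b" ", 1)[0].rstrip(b"\r\n")
    if cmd not in IRC_CLIENT_CMDS:
        return None
    args = frame["payload"][len(cmd):].strip().decode("ascii", "replace")
    return f"IRC {cmd.decode()} to {frame['dst']}: {args}"
```

Running `irc_verdict(parse_frame(hexdump_to_bytes(FRAME_127)))` reports the JOIN to 209.116.7.97:6668 with the channel name, which is the fact a detection on port 6667 alone would never see.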
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 08:39:57 PDT