Re: Trojan program

From: H C (keydet89at_private)
Date: Fri Oct 19 2001 - 10:36:29 PDT


    Have you done any analysis of the "iexplore.exe" file,
    such as gathering the MAC times from the file, seeing
    if there is any information in the resource section of
    the file, or running 'strings' on it?
    
    Have you recorded the LastWrite times from the
    Registry keys in question?
    
    Have you conducted a search of any of the anti-virus
    web sites with regards to 'iexplore.exe'?
    
    --- Mike Peterson <slidefxat_private> wrote:
    > Does anyone have information on an IRC Trojan with
    > the following characteristics.
    > 
    > Opens IRC channels on 6667 and connects to some IRC
    > channel on 6668.
    > 
    > It sets a registry key
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser  =  "c:\winnt\system32\iexplore.exe"
    > 
    > And changes the shell
    > 
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    > changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"
    > 
    > I found a 9 KB file named iexplore.exe in
    > c:\winnt\system32 and also found the iexplore.exe
    > process running.
    > 
    > Norton Antivirus did not catch the Trojan
    > 
    > Here is some of the network traffic
    > 
    > Network Monitor trace  Fri 10/19/01 07:47:37   trojan.TXT
    > 
    > Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol  Description                                                         Src Other Addr  Dst Other Addr  Type Other Addr
    > 110     5.159   G7SUJ          NICSRV01       TCP       .AP..., len:   26, seq:  67030892-67030917, ack:3550877285, win:    G7SUJ           209.116.7.97    IP
    > 
    > + FRAME: Base frame properties
    > + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    > + IP: ID = 0x612A; Proto = TCP; Len: 66
    > + TCP: .AP..., len:   26, seq:  67030892-67030917, ack:3550877285, win: 8280, src: 8184  dst: 6668
    > 
    > 00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
    > 00010:  00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74   .Ba*.......hFu.t
    > 00020:  07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18   .a.......l...eP.
    > 00030:  20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20    X....USER chxv 
    > 00040:  69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A   ixdo pnjh :adoa.
    > 
    > Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol  Description                                                         Src Other Addr  Dst Other Addr  Type Other Addr
    > 113     5.214   0004DD749F42   G7SUJ          TCP       .AP..., len:   68, seq:3550877285-3550877352, ack:  67030892, win    209.116.7.97    G7SUJ           IP
    > 
    > + FRAME: Base frame properties
    > + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    > + IP: ID = 0x8DED; Proto = TCP; Len: 108
    > + TCP: .AP..., len:   68, seq:3550877285-3550877352, ack:  67030892, win: 4140, src: 6668  dst: 8184
    > 
    > 00000:  00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00   ....I\...t.B..E.
    > 00010:  00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68   .l..@......t.a.h
    > 00020:  46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18   Fu.......e...lP.
    > 00030:  10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67   .,....:dragons.g
    > 00040:  61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54   a.us.dal.net NOT
    > 
    > Frame   Time    Src MAC Addr   Dst MAC Addr   Protocol  Description                                                         Src Other Addr  Dst Other Addr  Type Other Addr
    > 127     5.516   G7SUJ          NICSRV01       TCP       .AP..., len:   32, seq:  67030928-67030959, ack:3550879444, win:    G7SUJ           209.116.7.97    IP
    > 
    > + FRAME: Base frame properties
    > + ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
    > + IP: ID = 0x692A; Proto = TCP; Len: 72
    > + TCP: .AP..., len:   32, seq:  67030928-67030959, ack:3550879444, win: 8280, src: 8184  dst: 6668
    > 
    > 00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
    > 00010:  00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74   .Hi*.......hFu.t
    > 00020:  07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18   .a............P.
    > 00030:  20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A    Xv...JOIN #whoz
    > 00040:  79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B   yerdaddy ratpack
    > 
    > I know that I will need to rebuild the machine, but
    > does anyone have experience with this one?  I looked
    > at the Run key a number of times before I realized
    > the Default Web Browser key doesn't fit in.
    > 
    > Mike
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
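The three frames in Mike's trace, decoded from the hex dumps, as an added example that is not part of the original thread. It rebuilds the raw bytes from the Network Monitor hex-dump lines, walks Ethernet/IPv4/TCP by hand, verifies the IPv4 header checksum so a mis-copied dump is caught, and returns the IRC commands exchanged with 209.116.7.97 on port 6668. The only data it uses are the three dumps printed above; it also handles the fact that NetMon cut frames 113 and 127 short of their full payload, which is why those rows come back marked truncated.

```python
"""Decode the Network Monitor frames from the post and recover the IRC session.
Added example, not code from the thread. The hex dumps below are copied from the
post; NetMon stopped each dump at 80 bytes, so frames 113 and 127 carry only
part of their TCP payload and are reported as truncated."""
import re
import struct
from dataclasses import dataclass

IRC_PORTS = {6667, 6668}
FRAME_110 = r"""
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74   .Ba*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18   .a.......l...eP.
00030:  20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20    X....USER chxv
00040:  69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A   ixdo pnjh :adoa.
"""
FRAME_113 = r"""
00000:  00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00   ....I\...t.B..E.
00010:  00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68   .l..@......t.a.h
00020:  46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18   Fu.......e...lP.
00030:  10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67   .,....:dragons.g
00040:  61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54   a.us.dal.net NOT
"""
FRAME_127 = r"""
00000:  00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00   .....G....I\..E.
00010:  00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74   .Hi*.......hFu.t
00020:  07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18   .a............P.
00030:  20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A    Xv...JOIN #whoz
00040:  79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B   yerdaddy ratpack
"""

@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes
    truncated: bool   # dump held fewer bytes than the IP total length promises

def parse_hexdump(dump: str) -> bytes:
    """Turn 'OFFSET:  xx xx ...   ascii' lines back into the raw frame bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not re.fullmatch(r"[0-9A-Fa-f]{5}:", tokens[0]):
            continue
        for tok in tokens[1:17]:          # at most 16 bytes per line
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                     # ran into the ASCII column
            raw.append(int(tok, 16))
    return bytes(raw)

def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum field included, must be 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(frame: bytes) -> Segment:
    """Ethernet -> IPv4 -> TCP, validating what can be validated from a partial dump."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    if not ip_checksum_ok(ip[:ihl]):
        raise ValueError("IPv4 header checksum mismatch: the dump was copied wrong")
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    tcp = ip[ihl:total_len]               # never read past the datagram's own length
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return Segment(src, dst, sport, dport, tcp[13], bytes(tcp[doff:]), len(ip) < total_len)

def irc_lines(seg: Segment) -> list[str]:
    """IRC is CRLF-delimited ASCII; return the (possibly cut-off) lines on an IRC port."""
    if IRC_PORTS.isdisjoint({seg.sport, seg.dport}):
        return []
    text = seg.payload.decode("ascii", errors="replace")
    return [line.rstrip("\r") for line in text.split("\n") if line.strip()]

def triage(dumps: dict[str, str]) -> list[dict]:
    """One row per frame: endpoints, whether data was pushed, and what was said."""
    rows = []
    for name, dump in dumps.items():
        seg = decode_frame(parse_hexdump(dump))
        rows.append({"frame": name, "from": f"{seg.src}:{seg.sport}",
                     "to": f"{seg.dst}:{seg.dport}", "push_ack": (seg.flags & 0x18) == 0x18,
                     "irc": irc_lines(seg), "truncated": seg.truncated})
    return rows

if __name__ == "__main__":
    for row in triage({"110": FRAME_110, "113": FRAME_113, "127": FRAME_127}):
        print(row)
```

The checksum step is what makes this worth doing by hand rather than eyeballing the ASCII column: all three headers verify, which confirms the dumps were copied intact and that 10.104.70.117:8184 really is talking to 209.116.7.97:6668 with USER and JOIN commands, i.e. an IRC client registering and joining a channel.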
    
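The two registry changes in the post, checked the way H C's questions suggest, as an added example that is not from the thread. It runs over a constructed snapshot (the two values from the post plus one benign Run entry and made-up LastWrite timestamps) so it works offline; on the live host the same values would come from `reg query` or Python's winreg module, whose QueryInfoKey also returns a key's LastWrite time. The baseline it assumes, that Winlogon's Shell value is just Explorer.exe and that the genuine iexplore.exe lives under Program Files\Internet Explorer rather than system32, is the editor's assumption, not something the post states.

```python
"""Flag the Run-key entry and Winlogon Shell change from the post in a registry snapshot.
Added example, not from the thread; the snapshot, timestamps and baseline are constructed."""
import ntpath

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed baseline: the stock Shell value is Explorer.exe alone, and the real
# Internet Explorer binary lives under Program Files, never in system32.
EXPECTED_SHELL = "explorer.exe"
KNOWN_BINARY_HOMES = {"iexplore.exe": r"c:\program files\internet explorer"}

# Constructed snapshot: the two values reported in the post, one benign Run
# entry, and made-up LastWrite timestamps for the timeline.
SNAPSHOT = {
    RUN_KEY: {
        "last_write": "2001-10-18T22:14:07",
        "values": {
            "SystemTray": "SysTray.Exe",
            "Default web browser": r"c:\winnt\system32\iexplore.exe",
        },
    },
    WINLOGON_KEY: {
        "last_write": "2001-10-18T22:14:09",
        "values": {"Shell": "Explorer.exe iexplore.exe"},
    },
}

def command_exe(cmd: str) -> str:
    """The program a Run value launches: a quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def shell_findings(shell_value: str) -> list[str]:
    """Winlogon starts every program listed in Shell; anything beyond explorer.exe is a finding."""
    programs = [p.lower() for p in shell_value.replace(",", " ").split()]
    return [p for p in programs if p != EXPECTED_SHELL]

def run_findings(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Run entries whose binary borrows a well-known name but lives in the wrong directory."""
    findings = []
    for name, cmd in values.items():
        exe = command_exe(cmd)
        base = ntpath.basename(exe).lower()
        home = KNOWN_BINARY_HOMES.get(base)
        if home and ntpath.normpath(ntpath.dirname(exe)).lower() != home:
            findings.append((name, exe, f"{base} expected under {home}"))
    return findings

def triage(snapshot: dict) -> dict:
    """Shell extras, suspect Run entries, and key LastWrite times oldest-first."""
    run, winlogon = snapshot[RUN_KEY], snapshot[WINLOGON_KEY]
    return {
        "shell_extras": shell_findings(winlogon["values"].get("Shell", "")),
        "run_suspects": run_findings(run["values"]),
        # LastWrite of each touched key, to line up against the file's MAC times
        "timeline": sorted((k["last_write"], name) for name, k in snapshot.items()),
    }

if __name__ == "__main__":
    for item, value in triage(SNAPSHOT).items():
        print(item, value)
```

The name check matters more than a blocklist here: the post's point is that a 9 KB iexplore.exe in system32 was overlooked because the name looks legitimate, and Norton did not flag it, so the detection keys on where a known binary name is running from rather than on the name itself. The LastWrite timeline is what H C asks Mike to record; lining those two timestamps up against the file's MAC times gives the order in which the persistence was planted.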



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 10:50:58 PDT