RE: Trojan? DDOS Bot?

From: Brooke, O'neil (EXP) (o'neil.brookeat_private)
Date: Tue Aug 27 2002 - 12:02:42 PDT

  • Next message: Richman, Samuel : "Re: Trojan? DDOS Bot?"

    Hi Janus
    	This is expected trojan behavior. Take a look in your registry for
    the run keys, and either system.ini or win.ini has a load and a run setting
    as well that has been exploited by trojans.  A complete(?) list of
    initialization locations can be found at You want to
    determine what the initializtion vector is, disable it, reboot and then
    delete the trojan files. 
    	This may not end it though. Windows based trojans have two
    operational components for the server. There is the 'infector' executable
    which is any standard program with a hidden trojan payload. When the
    infector is executed registry keys or ini files are modified so that the
    server starts every time the computer does, it then extracts the trojan
    server code and saves it to a discrete file on your system. The 'server'
    component is a small executable (most are well under 100K) that can hide
    just about anywhere on the system, given that there are so many different
    trojans. The 'server' component is what initiates the connection to the IRC
    server and allows for remote control of your workstation.
    	A third type of program which I'll call an executable bundling
    program will take the trojan server and stuff it into an existing
    application. (i.e. creation of the 'infector' executable) If explorer.exe is
    infected in this way, when you delete the registry keys and reboot, the
    registry keys will be recreated and trojan re-installed since explorer is
    executed by windows on bootup. 
    	Trojans started connecting to IRC in this manner (AFAIK) so that the
    people behind the various trojan strains could disseminate their code
    (warez, uploads to ftp servers, exploited corporate cd mastering stations,
    etc) and collect the compromised hosts in one central location. It also
    offered some form of anonymity once commands to the trojan could be routed
    through the IRC server, since the attacker never establishes a connection
    directly with the infected host. 
    -----Original Message-----
    From: Janusat_private [mailto:Janusat_private]
    Sent: August 27, 2002 4:23 AM
    To: incidentsat_private
    Subject: Trojan? DDOS Bot?
    I recogniced some weird connections from my box (w98)
    to other computers. As soon as i connect to the
    internet a connection from local port 1026 to port 6667
    on was established. I connected to that
    server and it is an irc server (MusIRC Internet Relay
    Chat Network). I found a bot using my adress with a
    random name made up of letters. The server
    administrator told me that he has recognized these bots
    coming from many different hosts for quite ome time
    now. They all try to join a channel named #nutz on that
    server. He has seen people giving commands to those
    bots so he closed down the channel. They give a msg
    after kicked "Fuck you <name of the person that has
    kicked them>. To version request they reply with
    something like that too. I checked for open ports on my
    box and found 113 open. A few days ago i deleted a
    net-devil v.1.4 from my system. Not sure if that has
    anything to do with that. After installing a freeware
    firewall to see what it will do if i blocked its
    outgoing port and deleting it afterwards it just
    changed the outgoing port. As i am typing this a
    netstat -an reveals
      UDP         *:*                    
    I couldnt find a freeware tool to find out which
    process is using this specific irc connection, nor did
    a scan with f-prot or housecall or panda reveal any
    viral or trojan activity.
    Any help or info would be really appreciated. Thanks in
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 13:23:23 PDT