File listing at the end. You'll see that it includes files common to other mIRC-based trojans. More unique to this one is the inclusion of a Blowfish library and some ActiveX controls. Perhaps my Google skills are not so finely honed, but I couldn't find any previous mention of this particular zombie. If someone has pointers to some in-depth analysis already performed on this package, I'd be interested.

Snort actually spotted the initial login of the trojan. The packet payload included:

length = 118
000 : 4E 49 43 4B 20 5B 70 41 5D 2D 38 33 34 31 38 0A  NICK [pA]-83418.
010 : 55 53 45 52 20 50 65 61 5E 52 68 61 6D 61 6E 5E  USER Pea^Rhaman^
020 : 20 22 6E 61 74 30 31 2E 64 68 63 70 2D 31 32 30  "nat01.dhcp-120
030 : 2E 63 6F 72 65 2D 32 2E 6F 63 34 38 2E 5B 70 41  .core-2.oc48.[pA
040 : 5D 2D 32 32 31 36 33 2E 67 6F 76 22 20 22 6D 79  ]-22163.gov" "my
050 : 67 69 72 6C 67 6F 74 2E 6E 61 69 6C 65 64 2E 6F  girlgot.nailed.o
060 : 72 67 22 20 3A 50 61 6E 69 63 20 41 74 74 61 63  rg" :Panic Attac
070 : 6B 20 32 2E 30 0A                                k 2.0.

For email clients that won't format that nicely, the text is:

NICK [pA]-83418.
USER Pea^Rhaman^ "nat01.dhcp-120.core-2.oc48.[pA]-22163.gov" "mygirlgot.nailed.org" :Panic Attack 2.0.

While I've made some attempt to delve into the purpose of some of the components, I don't have the time to study it in detail. I present it here for the group.

I've found the following files. All were found in the \winnt\fonts directory on a Win2k machine. Some of these files are common among other IRC kits. The OCX files are ActiveX files for various functions.
DNS.oca
DNS.ocx
msccctl32.ocx
MSWINSCK.OCX
WhoIs.ocx
WINSCK.OCX
blowfish.dll   - public domain Blowfish encryption library
bootdrv.dll    - non-malicious mIRC library that returns machine information
boywonder.dat  - non-malicious text file
d2colour.exe   - utility to hide windows
msfnt32i.exe   - packet generator, used to generate the actual attack
wget.exe       - utility used to retrieve files via HTTP or FTP
explorer.exe   - modified version of the mIRC client
Libparse.exe   - utility that shows running processes and allows killing of processes
psexec.exe     - utility that allows remote command execution
STDE9.exe      - remote installer
svchost32.exe  - another window-hiding utility
mcon.dll       - configuration file
moo.dll        - library for mIRC that reports various machine statistics
MSWINSCK.DEP   - dependency file for setup wizard
navdb.dbx      - a list of names/words that the scripts use as IRC nicknames
sysmal.ini     - mostly empty config file, probably just needs to exist

I have the above files in a tar.gz archive if previous examples are not available.

--
Andy Shelley
Cbeyond Communications
andyat_private
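The Snort dump in the post is worth turning into something a responder can run over other captures: rebuild the raw bytes from the hex columns, split them back into IRC NICK/USER registration lines, and flag the indicators the capture actually shows (a nick of the form [pA]-<digits>, the same [pA]- tag in the USER hostname field, and a realname announcing "Panic Attack"). The following is an added example, not code from the original post or from the kit itself; the dump text is re-typed from the post, the benign login and the indicator patterns are my own constructions, and the hex-dump parser assumes Snort's "OFFSET : HH HH ... ascii" layout.

```python
import re
from typing import Dict, List

# Constructed sample: the packet-payload dump quoted in the post, re-typed.
SAMPLE_DUMP = """\
000 : 4E 49 43 4B 20 5B 70 41 5D 2D 38 33 34 31 38 0A  NICK [pA]-83418.
010 : 55 53 45 52 20 50 65 61 5E 52 68 61 6D 61 6E 5E  USER Pea^Rhaman^
020 : 20 22 6E 61 74 30 31 2E 64 68 63 70 2D 31 32 30  "nat01.dhcp-120
030 : 2E 63 6F 72 65 2D 32 2E 6F 63 34 38 2E 5B 70 41  .core-2.oc48.[pA
040 : 5D 2D 32 32 31 36 33 2E 67 6F 76 22 20 22 6D 79  ]-22163.gov" "my
050 : 67 69 72 6C 67 6F 74 2E 6E 61 69 6C 65 64 2E 6F  girlgot.nailed.o
060 : 72 67 22 20 3A 50 61 6E 69 63 20 41 74 74 61 63  rg" :Panic Attac
070 : 6B 20 32 2E 30 0A                                k 2.0.
"""

# Constructed benign registration, to show the check does not fire on it.
BENIGN_LOGIN = b"NICK alice\r\nUSER alice 0 * :Alice Example\r\n"

# Indicators taken from the captured login (assumed to be stable for this kit).
NICK_PATTERN = re.compile(r"^\[pA\]-\d+$")
REALNAME_MARKER = "Panic Attack"


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw payload from a Snort-style hex dump.

    Each line is 'OFFSET : HH HH ... <ascii column>'. Up to 16 two-digit hex
    tokens after the colon are taken; the first token that is not one starts
    the ASCII column. Assumption: the ASCII column never begins with a token
    that itself looks like a hex byte (a production parser should cut on the
    fixed column width instead).
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _, rest = line.split(" : ", 1)
        count = 0
        for tok in rest.split():
            if count == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
            count += 1
    return bytes(out)


def parse_irc_line(line: str) -> Dict[str, object]:
    """Split one IRC line into prefix, command, params and trailing text
    (RFC 1459 framing: optional ':prefix', command, space-separated params,
    optional trailing param introduced by ' :')."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return {"prefix": prefix, "command": parts[0].upper() if parts else "",
            "params": parts[1:], "trailing": trailing}


def inspect_login(payload: bytes) -> Dict[str, object]:
    """Decode an IRC registration payload and report which of the captured
    login's indicators it carries."""
    nick = realname = None
    user_params: List[str] = []
    for raw in payload.decode("latin-1").split("\n"):
        raw = raw.rstrip("\r")
        if not raw:
            continue
        msg = parse_irc_line(raw)
        if msg["command"] == "NICK" and msg["params"]:
            nick = msg["params"][0]
        elif msg["command"] == "USER":
            user_params = msg["params"]          # username, hostname, servername
            realname = msg["trailing"]
    hits = []
    if nick and NICK_PATTERN.match(nick):
        hits.append("nick matches [pA]-<digits>")
    if realname and REALNAME_MARKER in realname:
        hits.append("realname announces Panic Attack")
    if any("[pA]-" in p for p in user_params):
        hits.append("USER hostname field carries the [pA]- tag")
    return {"nick": nick, "user_params": user_params, "realname": realname,
            "indicators": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    payload = parse_hex_dump(SAMPLE_DUMP)
    print(len(payload), "bytes")                 # 118, matching the Snort length
    print(inspect_login(payload))
    print(inspect_login(BENIGN_LOGIN))
```

Matching on the realname and the hostname tag as well as the nick matters because the nick is drawn from a word list (navdb.dbx) and a random number, so a rule keyed on the nick alone is the easiest part for the operator to change.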
This archive was generated by hypermail 2b30 : Fri Mar 07 2003 - 14:57:06 PST