Possible new virus/trojan

Printable View

March 20th, 2004, 04:36 AM
Draco980172

Possible new virus/trojan

We have been seeing some strange behavior on one of our computers. We first noticed that the computer was trying to send out several thousand emails in a very shot period of time. Thanks to our firewall rules they were blocked. We tracked down the computer, someones home laptop running WinXP they brought in :rolleyes: without any antivirus on it :mad:. After scanning with up to date antivirus and trojan scanners and finding nothing, I started digging a little deeper and began finding some unusual things. First of all the computer was trying about every 3 seconds to contact Tiffany.fvngh.com with a source port of 3024 and a destination port of 53. BTW, this Tiffany server has an IRC server running on port 80 with well over a thousand clients connected to it... all in hidden rooms...??? Oh well, back to our computer. Port 3024 was bound to svchost.exe. SvcHost.exe was also bound to ports 123, 135, 1025, 1900, 2869, 3002, 3003, 3004, 3005, 3009 and 5000. The only two other processes that I could not account for was Wscript.exe (there was no scripts running that I could find) and SysWeb.exe.

Have any of you been seeing this behaviour? Any suggestions?
March 20th, 2004, 04:55 AM
InfiniteL00p

Haven't seen this specifically, but it sure looks like it's a RAT or listening Trojan. It takes commands from those IRC channels (much like the other fools). The destination port of 53 is usually DNS, yes? This is a good tactic because most firewalls will let port 53 in/out unless explicitlly blocked..

Hmm...

SvcHost.exe is a good name to hide a nefarious service. It may be a modified version of BO2K or something else with source available, so maybe a Trojan or virus scanner wouldn't pick it up.

l00p
March 20th, 2004, 05:16 AM
Tedob1

Yes! fire the person that brought in an unprotected laptop and connected it to your network.

the newer versions of the agobot worm take commands from irc servers. once contacted the operator can give commands to downdoad anything s/he pleases. mailserver a differant back door what ever. one of the commands its set to take is to remove itself. this way when av is (if ever) updated nothing will be found. at least for however long it takes to catolog all the different software the spammers are uploading to the victims boxen after they initially take control.

if i were you id tell them the laptop must be reformatted and reinstalled and nothing can be removed from it because of the extreame danger of this virus...just for spite!

PHATBOT....its the newest ver of the agobot. couldn't think of it before...long day. although its the latest many of them do the same but with the way this thing is spreading there's a good chance thats your baby
March 20th, 2004, 03:03 PM
InfiniteL00p

Tedob1 - isn't PHATBOT a P2P based virus?

Even so, it would be good form to check if anyone in your company (mainly that person with the untrusted laptop) is using P2P services across your network. Big no-no.

l00p
March 20th, 2004, 04:37 PM
Draco980172

We keep pretty close track of any P2P traffic at work. It is not allowed. What they do at home is another matter though. I did not see any signs of it on the laptop. I did several searches on various security sites as well as on the sites of various antivirus vendors and several Google searches. None of these searches came up with anything that matched more than one or two of the symptoms. That is why I am thinking that it might be new or a varient of an existing virus or trojan. I am going to try and do some more investigations on the laptop on Monday to see if I can get some more information.
March 20th, 2004, 10:21 PM
Tedob1

"Tedob1 - isn't PHATBOT a P2P based virus?"

it initially spreads that way but infected computer scans for all the common vulns on the net then infects those they find. im not saying it is phatbot but one like it if updated virus scans didn't detect it then its probably gone and all that remains is the mailing software.
March 21st, 2004, 01:53 PM
nihil

"svchost.exe" AND "SvcHost.exe"?????????????

If that is the case then I would say that the one with the capital letters is the imposter?

Try getting "HijackThis", run it and post the log. I am afraid you will have to search for it, as I don't know what sites are up these days..........they have been getting DoS attacks.

Good luck
March 21st, 2004, 03:46 PM
sumdumguy

http://209.133.47.200/~merijn/files/HijackThis.exe

hey nihil.. where you been ? AWOL ? :D

spywareinfo,merijn, and as of two days ago, tomcoyote's forum are back..

actually... merijn isn't quite back..

http://www.spywareinfo.com/~merijn/index.html

Quote:

March 19, 2004:
Merijn.org will not be online again soon.
Mike Healan has gotten all the sites that have been attacked back up, but when he tried to put up merijn.org for a few hours, it was immediately flooded off the net again. The DDoS is attack still continuing. A mirror of my site will be kept online at http://www.spywareinfo.com/~merijn/.

However, the webserver running merijn.org is still online, even though the domain doesn't resolve to the IP of that server. You can reach it by adding 209.133.47.200 www.merijn.org to your hosts file.