-
October 5th, 2003, 02:35 AM
#1
YES! I have no new antipoints: a new trojan instead!
Ha! I bet that fooled you
Hi guys 'n gals, as I am typing this, a piece of malware is attempting to install itself onto my PC! (Isn't this exciting... an infection in real time? Might even be a first for the AO Forum?)
It has already downloaded itself, and from my initial research seems to be the latest member of the CoolWeb trojan/hijacker scumware family.
I was alerted to it by RegistryProt (http://www.diamondcs.com.au) and also by WinPatrol (BillP Studios... sorry, haven't got a link to that to hand). They both went about it in different ways, which I find interesting, and a good example of why you should have multi-layered defences.
RegistryProt saw that it had tried to register itself as a service:
HKEY=KEY_LOCAL_MACHINE
SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\\RUN SERVICES\NAME=SVC SERVICE
The proggy is called "svcinit.exe"
WinPatrol reported the fact that I had a new program in my start up files the same "svcinit.exe"
I used Hijack This!, and confirmed that there was a new program trying to start...the same one.
I then hunted around for the payload, and found the following with about the right time/datestamp:
"tapicfg.exe" and "web.exe" which are in C:\, the root directory. Svcinit is in C:\WINDOWS\SYSTEM\
They appear to be packed in UPX, so I could not make much of them at first glance..........I don't think I have my machine with UPX running at the moment (moved house recently).
I am not sure what bad elements it has, but it certainly wants to hijack, and to phone home I think.
The reason that I am making such a big deal of this is that when I "kill" something with RegistryProt or WinPatrol, that is usually the end of the matter. This thing has been bringing up warning messages about every 10 minutes for the past couple of hours!...so it has some sort of autoload running and IT IS STEALTHED!!!........I used Hijack This as well as Windoze, and could see NOTHING.
I also updated Spybot Search & Destroy, AdAware6 (last release October 2) and AVG 6.0, and they spotted nothing!
I checked out Merijn's site:
http://www.spywareinfo.com/~merijn/cwschronicles.html
He says that SpyBot does not get these WebCool b******ds, because they are too slippery and he has a separate tool for them. You can get it from the links at the bottom of his web page.
I don't know about you guys, but I was not even aware of this.........I thought SpyBot was the "full shilling" as we say in certain parts of the world.
The product is "CWShredder"..............I have just downloaded the latest version and will see what it can do. I will report back later.
I have captured the files that I can find (apart from the hidden process) for subsequent torture........oops I meant "analysis" and will send Merijn a copy of the installer, because it self deletes, so is a rare item (hey...maybe I should put it on eBay?).
Good Luck folks,
Cheers
Johnno
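The two tools above flagged the same thing from different angles: a new value under an autostart key (RunServices) and a new startup program. As an added example, not code from the thread or from RegistryProt/WinPatrol, here is an offline baseline diff over a .reg export of the Run/RunServices keys that surfaces exactly that kind of new entry. The key list and the sample exports are constructed for the example.

```python
# Added example: diff a current .reg export of Windows autostart keys against a
# known-good baseline and report new or changed values (what a registry
# monitor such as the ones in the thread alerts on). Sample data is constructed.
import re
from typing import Dict, Tuple

# Autostart keys to watch; RunServices is where svcinit.exe registered itself.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WATCHED = {k.lower() for k in AUTOSTART_KEYS}  # registry key names are case-insensitive

def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Return {(key, value_name): data} for string values under the watched keys."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:  # section header: only keep parsing if it is an autostart key
            current = key.group(1) if key.group(1).lower() in WATCHED else None
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if current and val:
            # .reg files escape backslashes as "\\"; undo that for the real path
            entries[(current, val.group(1))] = val.group(2).replace('\\\\', '\\')
    return entries

def diff_autostart(baseline: str, current: str):
    """Values added or changed in `current` relative to the known-good `baseline`."""
    before, after = parse_reg_export(baseline), parse_reg_export(current)
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: v for k, v in after.items() if k in before and before[k] != v}
    return added, changed

# Constructed sample exports: the baseline has one legitimate Run entry, the
# current export additionally shows the "SVC SERVICE" value from the thread.
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
'''
CURRENT = BASELINE + '"SVC SERVICE"="C:\\\\WINDOWS\\\\SYSTEM\\\\svcinit.exe"\n'

if __name__ == "__main__":
    added, changed = diff_autostart(BASELINE, CURRENT)
    for (key, name), data in added.items():
        print(f"NEW autostart value: {key} -> {name} = {data}")
    for (key, name), data in changed.items():
        print(f"CHANGED autostart value: {key} -> {name} = {data}")
```

The same diff applied after an "undo" in the monitor would show the entry reappearing, which is the repeated-alert behaviour described in the post.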
-
October 5th, 2003, 03:41 AM
#2
Senior Member
thanks for the heads up, nihil.
-
October 5th, 2003, 03:58 AM
#3
Wow...sounds exciting...good luck. Also some nice programs I might look into
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
-
October 5th, 2003, 04:37 AM
#4
Thanks for the info! This sounds like a tricky little bugger. Glad you gots everything sorted out so far. Keep us updated
PeacE
-BoB
#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%
Sa2/d0<X+d*La1=z\U$n%0]SX$k"[$m*]\EszlXx++p|dc`,s/^.|\W//g,print pack('H*'
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die"$0 [-d] k n\n")&~1)/2)
-
October 5th, 2003, 12:54 PM
#5
Trend Micro BKDR_CALYPS.A Technical Details
Since it arrives as UPX-compressed, this backdoor is encrypted and prevented from direct disassembly and code analysis. It is written in Microsoft Visual C++ 6.0, a high-level programming language.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
October 5th, 2003, 01:18 PM
#6
just for info.. nihil, you forgot the tilde just before merijn in your weblink, the full address is
http://www.spywareinfo.com/~merijn/cwschronicles.html
Z
Quis Custodiet Ipsos Custodes
-
October 5th, 2003, 02:21 PM
#7
Thanks Zonewalker, sorry about the typo....... I would never make it as a secretary
IKnowNot..................... looks as if it is the Apocalypse backdoor trojan, not what I first thought. I think I got it before Trend, as they say it has been discovered for 11 hours or so, and I first noticed it about 15 hours ago.......... for a while I just told RegistryProt and WinPatrol to reverse the entries (NOTE: neither of them block... they just let you "undo" or reverse things). Thanks for the info... seems I was on the wrong track
I was a bit curious about WebCool to be honest, as it is supposed to be loaded via pop-ups, usually on prOn sites Well I don't allow pop-ups and I don't do prOn sites, other than by accident (can't afford the viagra!). That's what made me think it was a new variant. CWshredder only found a couple of Registry entries it did not like, and none of the mass of other files and stuff..........makes sense now?
It is a bit difficult when these malwares use "common components", at first I thought it might be a variant on 007 starr, only there did not seem to be enough matches.
I was looking at a couple of French "security sites" and wonder if one of them might have been compromised. I certainly did not get it through e-mail, and I am running an up to date agnitum firewall, so I don't suspect my ISP sub-net.
Cheers
-
October 5th, 2003, 08:56 PM
#8
I think they are all having problems with this one. Either that or those at Trend are drunker than me.
Trend says on the page linked above they discovered it Oct 4.
The pattern file needed is 644 ..... But that was out Oct 2.
The link is bad to the pattern file right now ( zip format ) and has been for hours, was actually unavailable before that for some reason.
I checked the “What’s New” text file that came with the pattern file when I downloaded it on the 2nd, it does in fact contain the name “BKDR_CALYPS.A”
So you got me on this one.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
October 5th, 2003, 09:40 PM
#9
Hi, IKnowNot.........................I guess it has me as well, there was nothing from Trend on the net, when I looked.
I guess we should both change our IDs to "IKnownihil"
I do get confused by the time zones, and the fact that the big AVs publish from several countries. I just looked and they said 19 hours.............elapsed, that is.
I wonder about this...from their site :
In the wild: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000
Encrypted: Yes
Size of virus: 58,880 Bytes (UPX- compressed); 131,072 Bytes (Uncompressed)
Pattern file needed: 644
Scan engine needed: 5.600
Discovered: 19 hours, 23 minutes ago
(Oct. 4, 2003 6:08:11 PM GMT -0800)
Detection available: 19 hours, 23 minutes ago
(Oct. 4, 2003 6:08:13 PM GMT -0800)
We know that the thing is in the wild............. it is here in Bridlington on the East Coast of Yorkshire and it was pretty wild here last night............ we had a storm
I find the Discovery and Detection data amazing...........a ZERO response time? Hell, Trend will corner the market? (I wonder who supplies their viagra)
Confusion all round I think?
Thanks for the contribution though, and fair play to Trend, at least they seem to have "gotten there first" in identifying it?
Cheers
-
October 5th, 2003, 10:04 PM
#10
Banned
thanks for the diamondcs.com link nihil, i just downloaded Port Explorer and found some interesting things... sounds like a bad bug you got there, hope i don't get it!