Results 1 to 10 of 10

Thread: YES! I have no new antipoints: a new trojan instead!

  1. #1
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    YES! I have no new antipoints: a new trojan instead!

    Ha! I bet that fooled you


    Hi guys 'n gals, as i am typing this ; a piece of malware is attempting to install itself onto my PC! (isn't this exciting...an infection in realtime? .........might even be a first for the AO Forum? )

    It has already downloaded itself, and from my initial research seems to be the latest member of the CoolWeb trojan/hijacker scumware family.

    I was alerted to it by RegistryProt (http:\www.diamondcs.com.au) and also by WinPatrol (BillP Studios...sorry havent got a link to that to hand). They both went about it in different ways, which I find interesting, and a good example of why you should have multi-layered defences.

    RegistryProt saw that it had tried to register itself as a service:

    HKEY=KEY_LOCAL_MACHINE
    SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\\RUN SERVICES\NAME=SVC SERVICE

    The proggy is called "svcinit.exe"

    WinPatrol reported the fact that I had a new program in my start up files the same "svcinit.exe"

    I used Hijack This!, and confirmed that there was a new program trying to start...the same one.

    I then hunted around for the payload, and found the following with about the right time/datestamp:

    "tapicfg.exe" and "web.exe" which are in C:\, the root direcory. Svcinit is in C:\WINDOWS\SYSTEM\

    They appear to be packed in UPX, so I could not make much of them at first glance..........I don't think I have my machine with UPX running at the moment (moved house recently).

    I am not sure what bad elements it has, but it certainly wants to hijack, and to phone home I think.

    The reason that I am making such a big deal of this is that when I "kill" something with RegistryProt or WinPatrol, that is usually the end of the matter. This thing has been bringing up warning messages about every 10 minutes for the past couple of hours!...so it has some sort of autoload running and IT IS STEALTHED!!!........I used Hijack This as well as Windoze, and could see NOTHING.

    I also updated Spybot Search & Destroy, AdAware6 (last release October 2) and AVG 6.0, and they spotted nothing!

    I checked out Merijn's site:

    http://www.spywareinfo.com/~merijn/cwschronicles.html

    He says that SpyBot does not get these WebCool b******ds, because they are too slippery and he has a separate tool for them. You can get it from the links at the bottom of his web page.

    I don't know about you guys, but I was not even aware of this.........I thought SpyBot was the "full shilling" as we say in certain parts of the world.

    The product is "CWShredder"..............I have just downloaded the latest version and will see what it can do. I will report back later.

    I have captured the files that I can find (apart from the hidden process) for subsequent torture........oops I meant "analysis" and will send Merijn a copy of the installer, because it self deletes, so is a rare item (hey...maybe I should put it on eBay?).

    Good Luck folks,

    Cheers


    Johnno

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    156
    thank for the heads up nihil.


    t.e.k.n.o.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    220
    Wow...sounds exciting...good luck. Also some nice programs I might look into
    [gloworange]And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict\'s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. \"This is it... this is where I belong...\" I know everyone here... even if I\'ve never met them, never talked to them, may never hear from them again... I know you all...[/gloworange]

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    301
    Thanks for the info! This sounds like a tricky little bugger. Glad you gots everything sorted out so far. Keep us updated

    PeacE
    -BoB
    #!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
    ($k,$n)=@ARGV;$m=unpack(H.$w,$m.\"\\0\"x$w),$_=`echo \"16do$w 2+4Oi0$d*-^1[d2%
    Sa2/d0<X+d*La1=z\\U$n%0]SX$k\"[$m*]\\EszlXx++p|dc`,s/^.|\\W//g,print pack(\'H*\'
    ,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die\"$0 [-d] k n\\n\")&~1)/2)

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Trend Micro BKDR_CALYPS.A Technical Details

    Since it arrives as UPX-compressed, this backdoor is encrypted and prevented from direct disassembly and code analysis. It is written in Microsoft Visual C++ 6.0, a high-level programming language.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Senior Member Zonewalker's Avatar
    Join Date
    Jul 2002
    Posts
    949
    just for info.. nihil you forgot the tilde just before merijin from your weblink, the full address is

    http://www.spywareinfo.com/~merijn/cwschronicles.html

    Z
    Quis Custodiet Ipsos Custodes

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Thanks Zonewalker, sorry about the typo.......I would never make it as a secretary

    IKnowNot.....................looks as if it is the Apocalypse backdoor trojan, not what I first thought. I think I got it before Trend, as they say It has been discovered for 11 hours or so, and I first noticed it about 15 hours ago..........for a while I just told RegistryProt and WinPatrol to reverse the entries (NOTE: neither of them block...they just let you "undo" or reverse things) Thanks for the info...seems I was on the wrong track

    I was a bit curious about WebCool to be honest, as it is supposed to be loaded via pop-ups, usually on prOn sites Well I don't allow pop-ups and I don't do prOn sites, other than by accident (can't afford the viagra!). That's what made me think it was a new variant. CWshredder only found a couple of Registry entries it did not like, and none of the mass of other files and stuff..........makes sense now?

    It is a bit difficult when these malwares use "common components", at first I thought it might be a variant on 007 starr, only there did not seem to be enough matches.

    I was looking at a couple of French "security sites" and wonder if one of them might have been compromised. I certainly did not get it through e-mail, and I am running an up to date agnitum firewall, so I don't suspect my ISP sub-net.

    Cheers

  8. #8
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I think they are all having problems with this one. Either that or those at Trend are drunker then me.

    Trend says on the page linked above they discovered it Oct 4.
    The pattern file needed is 644 ..... But that was out Oct 2.
    The link is bad to the pattern file right now ( zip format ) and has been for hours, was actually unavailable before that for some reason.

    I checked the “What’s New” text file that came with the pattern file when I downloaded it on the 2nd, it does in fact contain the name “BKDR_CALYPS.A”

    So you got me on this one.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi, IKnowNot.........................I guess it has me as well, there was nothing from Trend on the net, when I looked.

    I guess we should both change our IDs to "IKnownihil"

    I do get confused by the time zones, and the fact that the big AVs publish from several countries. I just looked and they said 19 hours.............elapsed, that is.

    I wonder about this...from their site :

    In the wild: No

    Language: English

    Platform: Windows 95, 98, ME, NT, 2000

    Encrypted: Yes

    Size of virus: 58,880 Bytes (UPX- compressed); 131,072 Bytes (Uncompressed)

    Pattern file needed: 644

    Scan engine needed: 5.600

    Discovered: 19 hours, 23 minutes ago
    (Oct. 4, 2003 6:08:11 PM GMT -0800)

    Detection available: 19 hours, 23 minutes ago
    (Oct. 4, 2003 6:08:13 PM GMT -0800)



    We know that the thing is in the wild.............it is here in Bridlington on the East Coast of Yorksire and it was pretty wild here last night............we had a storm

    I find the Discovery and Detection data amazing...........a ZERO response time? Hell, Trend will corner the market? (I wonder who supplies their viagra)

    Confusion all round I think?

    Thanks for the contribution though, and fair play to Trend, at least they seem to have "gotten there first" in identifying it?

    Cheers

  10. #10
    thanks for the diamondcs.com link nihil, i just downloaded Port Explorer and found some interesting things... sounds like a bad bug you got there, hope i dont get it!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •