Trojan Variant/Combination

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Trojan Variant/Combination

    This one has been bugging me for a couple of weeks or more due to the fact it is on a "customer/friend's" machine 45 minutes away so I have been trying to deal with it remotely which was made more difficult by the fact that either the trojan removed the right of anyone to access the computer from the network or the numbnuts contractor my friend hired previously did..... Either way - I couldn't get onto the box until I went down there and fixed that little issue.

    Sort of side note: This network had been utterly unfirewalled for an unknown period of time prior to my arrival on the scene..... That changed immediately.......

    The symptom: On each login a window would open named EXPL32 and would attempt port 6667 connections to various IRC servers at bugme. (Typical of a couple of trojans - right down to where it tries to connect). All the connections failed so I wasn't overly worried and none of the other machines on the network displayed any symptoms of any malicious code and packet-sniffing connections didn't turn up anything suspicious.

    Virus scanning the system gave nothing. Searching for expl32* across the entire drive found nothing. Searching the registry for expl32 found nothing. Spybot found loads of stuff - none of it to do with this Trojan. Running fport gave me some interesting results prior to running spybot but nothing looked terribly out of whack.

    So I dug around the registry - specifically HKLM\software\microsoft\windows\run - and found an odd little entry - c:\winnt\security\database\users\lsass.exe. Hmm... That isn't supposed to be there is it?.... So I went to the folder and found:-

    *******************

    04/20/2003 11:18p 37,376 boot.exe
    01/17/2003 01:00p 20,992 empavms.exe
    07/29/2003 09:51a 77 ipservers.dll
    05/01/2002 02:32p 25,600 Libparse.exe
    05/04/2003 10:46p 556,544 lsass.exe
    04/28/2001 06:18p 34,304 moo.dll
    08/14/2002 02:27p 6,656 nhtml.dll
    12/15/2002 04:22p 37,888 restart.exe
    02/05/2003 02:08p 75,331 users.dll
    11/12/2003 06:51a 3,709 wind.dll
    12 File(s) 1,500,630 bytes

    *******************

    A quick comparison with the lsass.exe file in the system32 folder showed a huge size difference, (system32 version is about 33k), and the properties don't show it as being a M$ file. Moo.dll is a mess-up of an IRC app, users is a dictionary of common usernames, (I'm keeping that one....), wind.dll has a created date/time of the last restart of the machine which I did this am. I haven't played with the exes yet. (the LSASS.EXE must be a dropper of sorts)

    I renamed the folder to userstrojan, removed the registry key and restarted.... Bingo! Gone, I'm happier now.....

    Zipped up the files, transferred them to the server and deleted the folder and emptied the recycle bin. Cool, now just email it to myself.... Well, the email got here but BitDefender had stripped the .zip because it contained infected files.... Hrumph..... But on the bright side it proves out my strategy of having a double layer of virus protection for email using different AV engines.... Now I'm getting really happy..... Renamed the zip file to Trojan.txt and resent it... Bingo it arrived. Saved it, renamed it back to zip and unpacked it.... there are the files.... nice. I took NAV 6.00.03 with the latest liveupdate defs dated 11/05/03, (some time after the trojan was first noticed), and scanned the folder..... Nothing!!!! Opened the folder and scanned each file individually..... Nothing!!!!! Hmmm.... Even though several of these files can be found in file lists for different trojans on Symantec's site none of them show as infected files with this version of NAV - but Bitdefender zapped them in a compressed file.....

    I submitted them to Symantec for their perusal and am awaiting their thoughts.

    Hope this little experience helps others to track down an unrecognized nasty.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
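    The hunt above came down to one heuristic: a Run-key entry whose image is called lsass.exe but lives somewhere other than %SystemRoot%\system32. The following is an added example, not code from the thread or its author, that applies that heuristic offline to a constructed set of Run values (the entry names, paths and environment values are made up for illustration, modelled on the one in the post). It parses each value into its executable path, expands environment variables, and flags system-only binary names that sit outside the system directory.

```python
import ntpath
import re

# Constructed sample of HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# values, modelled on the entry found in the post (a binary named lsass.exe
# under a security\database path). Not an export from a real machine.
SAMPLE_RUN_VALUES = {
    "SynTPEnh": r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"',
    "lsass": r"c:\winnt\security\database\users\lsass.exe",
    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",
    "updater": r"%APPDATA%\svchost.exe -silent",
}

# Core Windows binaries that legitimately live only in the system directory.
# Anything with one of these names elsewhere on disk is worth a close look.
SYSTEM_ONLY_NAMES = {
    "lsass.exe", "svchost.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe",
}

# Constructed environment for offline use; on a live box you would read these
# from the real environment (os.environ).
ENV = {
    "SYSTEMROOT": r"C:\WINNT",
    "APPDATA": r"C:\Documents and Settings\bob\Application Data",
}


def expand_env(s, env):
    """Expand %VAR% references using the supplied mapping (case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), s)


def image_path(command):
    """Extract the executable path from a Run value, quoted or not, with args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take everything up to the first token ending in .exe,
    # which tolerates unquoted paths containing spaces.
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def classify_run_entry(name, command, env=ENV):
    """Return ('masquerade', name, path) if a system-only binary name points
    outside %SystemRoot%\\system32, otherwise ('ok', name, path)."""
    path = expand_env(image_path(command), env)
    base = ntpath.basename(path).lower()
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    system32 = ntpath.normpath(ntpath.join(env["SYSTEMROOT"], "system32")).lower()
    if base in SYSTEM_ONLY_NAMES and parent != system32:
        return ("masquerade", name, path)
    return ("ok", name, path)


def triage_run_values(values, env=ENV):
    """Return only the entries that trip the masquerade heuristic."""
    return [r for r in (classify_run_entry(n, c, env) for n, c in values.items())
            if r[0] != "ok"]


if __name__ == "__main__":
    for verdict, name, path in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"{verdict:11} {name:12} -> {path}")
```

    On the sample data this flags the "lsass" and "updater" entries and passes the two legitimate ones. Size and signature checks, which the post did by hand (the real lsass.exe was about 33k and carried Microsoft file properties), are a natural next step once you have a candidate path.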

  2. #2
    Just a Virtualized Geek (MrLinus)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    http://securityresponse.symantec.com....ratsou.b.html <--- looks somewhat like this. Perhaps someone modified the virus and took out the "infected" files?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Trojan Variant/Combination

    Originally posted here by Tiger Shark
    Zipped up the files, transfered them to the server and deleted the folder and emptied the recycle bin. Cool, now just email it to myself.... Well, the email got here but BitDefender had stripped the .zip because it contained infected files.... Hrumph..... But on the bright side it proves out my strategy of having a double layer of virus protection for email using different AV engines.... Now I'm getting really happy..... Renamed the zip file to Trojan.txt and resent it... Bingo it arrived. Saved it, renamed it back to zip and unpacked it.... there are the files.... nice.
    I think you need a better content scanner if you can easily circumvent it by renaming the file

    But looks like you did a great job. Isn't hunting for stuff like this exciting?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms. M: Yep, that was one of the ones I found while poking around but it didn't demonstrate a lot of the other "key" items for that trojan such as the registry keys which was making it harder to track down..... So I took off in another direction....<sigh> Once I found it there were several of the files listed in the writeup - they were just in the wrong darned place....

    Dice: Yeah.... The scanner on the "front" server is a command line Kaspersky BitDefender version.... It works fine on "normal" files but it must only scan certain types - clearly .txt is ignored - as it was by NAV on the "back" server. There is no config file for the app so I can't change its behavior. It's not a devastating flaw insofar as clicking the text file will open it in notepad..... Is it a way for someone who already has inside access to move malware in? Yes, but then I'm screwed anyway......
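    The exchange above (Dice's point in #3 and the reply in #4) is about a mail scanner that decides what to scan by file extension, so a .zip renamed to .txt sails through. Here is an added example, not code from the thread or from either scanner, of the content-based check a gateway should do instead: identify the attachment by its magic bytes, and if it is a ZIP, open it and sniff each member the same way. The sample attachment is constructed in the code (a zip named Trojan.txt holding a stub with a PE "MZ" header and a text file); it is not the author's real sample.

```python
import io
import zipfile

# Magic numbers, checked regardless of what the file name claims.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
]


def sniff(data):
    """Classify a blob by its leading bytes, ignoring the extension entirely."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_attachment(filename, data):
    """Return (declared_ext, sniffed_kind, nested) where nested lists
    (member_name, sniffed_kind) for each file inside a ZIP archive."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    nested = []
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # Members are sniffed too, so renaming them does not help.
                    nested.append((info.filename, sniff(zf.read(info))))
        except zipfile.BadZipFile:
            kind = "zip-corrupt"   # PK header but unreadable: treat as hostile
    return ext, kind, nested


def should_quarantine(filename, data):
    """Policy: block executables, archives hiding behind another extension,
    unreadable archives, and archives that carry an executable."""
    ext, kind, nested = inspect_attachment(filename, data)
    if kind in ("pe", "zip-corrupt"):
        return True
    if kind == "zip" and ext != "zip":
        return True
    return any(k == "pe" for _, k in nested)


def build_sample():
    """Constructed test attachment: a zip that mirrors the renaming trick in
    the post, with a stub DLL that only has the MZ header of a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("users.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample()
    print("Trojan.txt ->", inspect_attachment("Trojan.txt", blob))
    print("quarantine:", should_quarantine("Trojan.txt", blob))
```

    The check deliberately does not recurse into archives nested inside archives; a production gateway would bound that recursion depth and total inflated size before descending further.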

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well.... Symantec responded:-

    Developer notes:
    C:\Trojan\wind.dll is a non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest beta definitions.
    C:\Trojan\users.dll is a clean file.
    C:\Trojan\restart.exe is a clean file.
    C:\Trojan\nhtml.dll is a clean file.
    C:\Trojan\moo.dll is a clean file.
    C:\Trojan\lsass.exe The submitted program is an mIRC client software. It is not malicious itself. However, if it is driven by malicious scripts, it can be used for malicious purposes (e.g., as a Backdoor.Trojan). If you do not use it as an mIRC client, we recommend that you delete this file.
    C:\Trojan\Libparse.exe is a clean file.
    C:\Trojan\ipservers.dll is a clean file.
    C:\Trojan\empavms.exe This utility performs no malicious actions. However, it may be used by trojans to hide application windows. If you do not use this program, we would recommend that you delete it.
    C:\Trojan\boot.exe This utility is nonmalicious; however, it could be used by an intruder who has gained access to your system. If you do not use this program, we recommend that you delete it.
    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created beta definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest beta definitions.
    Downloading and Installing Beta Definition Instructions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
    2. Click this link to the ftp site: ftp://ftp.symantec.com/public/englis...tadefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
    3. When a download dialog box appears, save the file to the Windows desktop.
    4. Double-click the downloaded file and follow the prompts.
    Now if I'm reading that right the second para implies that they have created a new set of Beta definitions in response to my submission...... If that's correct I think we should change the naming convention for these things to something more akin to the taxonomy system for animals/plants etc. Then its full name could be Trojanicus.IRCum.TigerSharkicus.....

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Tiger Shark
    Now if I'm reading that right the second para implies that they have created a new set of Beta definitions in response to my submission...... If that's correct I think we should change the naming convention for these things to something more akin to the taxonomy system for animals/plants etc. Then its full name could be Trojanicus.IRCum.TigerSharkicus.....
    LOL. I'd go for Trojanicus.Galeocerdo.Cuvier

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sir Dice: Educated in the taxonomic names of the Elasmobranchs too..... You are impressive.... But the Genus name still needs to be IRCum to indicate the type of Trojan - That was why I included the family name.....

    PS: I am a fish geek as well as a computer geek.... 9 Marine aquariums in the house - 2000 gallon pond and stream in the yard - SCUBA diver - underwater photographer - love coral reefs and warm seawater - hate cold, dark freshwater - So I live by the great lakes about as far from a coral reef as I can in this country...... Can you see anything wrong with that picture.... 'Cos I can.....

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Tiger Shark
    Sir Dice: Educated in the taxonomic names of the Elasmobranchs too..... You are impressive.... But the Genus name still needs to be IRCum to indicate the type of Trojan - That was why I included the family name.....
    HAHAHA. Nah, I'm just clever enough to Google for the Latin name of the tiger shark
