November 12th, 2003, 04:22 PM
Trojan Variant/Combination
This one has been bugging me for a couple of weeks or more due to the fact it is on a "customer/friend's" machine 45 minutes away, so I have been trying to deal with it remotely, which was made more difficult by the fact that either the trojan removed the right of anyone to access the computer from the network or the numbnuts contractor my friend hired previously did..... Either way - I couldn't get onto the box until I went down there and fixed that little issue.
Sort of side note: This network had been utterly unfirewalled for an unknown period of time prior to my arrival on the scene..... That changed immediately.......
The symptom: On each login a window would open named EXPL32 and would attempt port 6667 connections to various IRC servers at bugme. (Typical of a couple of trojans - right down to where it tries to connect). All the connections failed so I wasn't overly worried and none of the other machines on the network displayed any symptoms of any malicious code and packet-sniffing connections didn't turn up anything suspicious.
Virus scanning the system gave nothing. Searching for expl32* across the entire drive found nothing. Searching the registry for expl32 found nothing. Spybot found loads of stuff - none of it to do with this Trojan. Running fport gave me some interesting results prior to running spybot but nothing looked terribly out of whack.
So I dug around the registry - specifically HKLM\software\microsoft\windows\run - and found an odd little entry - c:\winnt\security\database\users\lsass.exe. Hmm... That isn't supposed to be there, is it?.... So I went to the folder and found:-
*******************
04/20/2003 11:18p 37,376 boot.exe
01/17/2003 01:00p 20,992 empavms.exe
07/29/2003 09:51a 77 ipservers.dll
05/01/2002 02:32p 25,600 Libparse.exe
05/04/2003 10:46p 556,544 lsass.exe
04/28/2001 06:18p 34,304 moo.dll
08/14/2002 02:27p 6,656 nhtml.dll
12/15/2002 04:22p 37,888 restart.exe
02/05/2003 02:08p 75,331 users.dll
11/12/2003 06:51a 3,709 wind.dll
12 File(s) 1,500,630 bytes
*******************
A quick comparison with the lsass.exe file in the system32 folder showed a huge size difference, (system32 version is about 33k), and the properties don't show it as being a M$ file. Moo.dll is a mess-up of an IRC app, users is a dictionary of common usernames, (I'm keeping that one....), wind.dll has a created date/time of the last restart of the machine which I did this am. I haven't played with the exes yet. (The LSASS.EXE must be a dropper of sorts.)
I renamed the folder to userstrojan, removed the registry key and restarted.... Bingo! Gone, I'm happier now.....
Zipped up the files, transferred them to the server and deleted the folder and emptied the recycle bin. Cool, now just email it to myself.... Well, the email got here but BitDefender had stripped the .zip because it contained infected files.... Hrumph..... But on the bright side it proves out my strategy of having a double layer of virus protection for email using different AV engines.... Now I'm getting really happy..... Renamed the zip file to Trojan.txt and resent it... Bingo, it arrived. Saved it, renamed it back to zip and unpacked it.... there are the files.... nice. I took NAV 6.00.03 with the latest liveupdate defs dated 11/05/03, (some time after the trojan was first noticed), and scanned the folder..... Nothing!!!! Opened the folder and scanned each file individually..... Nothing!!!!! Hmmm.... Even though several of these files can be found in file lists for different trojans on Symantec's site, none of them show as infected files with this version of NAV - but BitDefender zapped them in a compressed file.....
I submitted them to Symantec for their perusal and am awaiting their thoughts.
Hope this little experience helps others to track down an unrecognized nasty.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
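The manual checks in the post (a Run-key value that launches lsass.exe from outside system32, a file size nowhere near the real binary's, no Microsoft publisher) can be turned into a repeatable triage script. This is an added example, not the poster's own code; the Run entries, reference size and signer strings are constructed inline so it runs offline, and on a live host you would feed it real registry values and Authenticode results instead.

```python
"""Flag autorun entries that masquerade as Windows system binaries (added example)."""
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed short list of names that only belong in system32.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

@dataclass
class RunEntry:
    value_name: str         # name of the Run value
    command: str            # raw command data of the Run value
    size_bytes: int         # size of the file the command points to
    signer: Optional[str]   # Authenticode publisher, None if unsigned

def executable_of(command: str) -> Optional[PureWindowsPath]:
    """First token of a Run value with surrounding quotes removed."""
    tokens = shlex.split(command, posix=False)  # non-POSIX keeps backslashes
    return PureWindowsPath(tokens[0].strip('"')) if tokens else None

def suspicious(entry: RunEntry, reference_sizes: Dict[str, int]) -> List[str]:
    """Return the reasons an autorun entry looks like a masquerading system binary."""
    path = executable_of(entry.command)
    if path is None or path.name.lower() not in SYSTEM_BINARIES:
        return []
    name, parent = path.name.lower(), str(path.parent).lower()
    reasons = []
    if parent not in SYSTEM_DIRS:
        reasons.append(f"{name} launched from non-system directory {parent}")
    ref = reference_sizes.get(name)
    if ref and (entry.size_bytes > 4 * ref or entry.size_bytes * 4 < ref):
        reasons.append(f"size {entry.size_bytes} differs from system32 copy ({ref})")
    if entry.signer != "Microsoft Corporation":
        reasons.append("not signed by Microsoft")
    return reasons

def scan(entries: List[RunEntry], reference_sizes: Dict[str, int]) -> Dict[str, List[str]]:
    """Map each flagged value name to its list of reasons."""
    return {e.value_name: r for e in entries if (r := suspicious(e, reference_sizes))}

# Constructed sample: the post's lsass.exe (556,544 bytes, real one roughly 33k) plus benign entries.
REFERENCE_SIZES = {"lsass.exe": 33_792}
SAMPLE_ENTRIES = [
    RunEntry("lsass", r"c:\winnt\security\database\users\lsass.exe", 556_544, None),
    RunEntry("SysTray", r"c:\winnt\system32\systray.exe", 32_768, "Microsoft Corporation"),
    RunEntry("Updater", r'"c:\program files\vendor\updater.exe" /quiet', 204_800, "Vendor Inc"),
]

if __name__ == "__main__":
    for value_name, reasons in scan(SAMPLE_ENTRIES, REFERENCE_SIZES).items():
        print(f"[!] {value_name}: " + "; ".join(reasons))
```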