SV: [SPAM] RE: interesting trojan found

["Peter Kruse" <kruse () krusesecurity dk>]

Hi Todd,

> But if it is a rootkit, does it not hide from normal AV scanning?

Nope, you'll see it in the systemprocess, but since it's active in memory,
you won't be able to end it.

The trojan is a RDBot variant (Spybot). Like other variants, from this
string, it spreads across local and remote networks. It's uses several
exploits to compromise unpactched MS Windows boxs, as well as searches for
shares with weak passwords. When executed, it creates a mutex "[rxBot v0.6.5
pk + ftpd]". If another instance of this worm is already running, it will
exit. The malware carries a backdoor that allows a malicious user to control
the infected host through IRC channels. As stated in the first posting, it
droppes a copy of itself to the windows system folder. Nextup it modifies
registry with several runas keys under the value "update run msword".

This RDbot includes a keylogger, that will log all keyboard activity and
save this to a text file. A remote user can collect this information through
IRC and possibly gain access to others services.

---
Med venlig hilsen // Kind regards

Peter Kruse,                        Voice: (+45) 88136030
Security- and virusanalyst,         Cel    (+45) 28490532
CSIS ApS                            Fax    (+45) 28176030
http://www.csis.dk                  E-mail pkr () csis dk

PGP fingerprint
79FD 0648 158E 6B9E 236F  CFDA 7C58 64D6 BE83 FA60

Combined Services & Integrated Solutions
Gevno Gade 11a
4660 Store Heddinge, Denmark

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html