Security Incidents mailing list archives

Re: unknown trojan (attached)


From: nick () VIRUS-L DEMON CO UK (Nick FitzGerald)
Date: Tue, 13 Jun 2000 19:08:08 +1200


Hi,

Due to Email problems over the weekend, I have just received this...

Tonight I received the following file and ran it.  It did nothing
noticeable, so I immediately became suspicious.  A few moments
later, I noticed on my gateway machine, connection attempts to
port 113 from a remote machine, "chapterhouse.sugar-river.net"
[206.183.143.241]. A quick check of masqueraded connections on the
gateway showed a connection from that particular Win98 machine
[192.168.1.101:1027] to the remote host [206.183.143.241:6667].
Knowing that 6667 is an often used port for IRC servers, I started
up an IRC client and connected to that host.  It was indeed an IRC
server.  A quick check showed 4 users online with the "Real Name"
field set to "Im trojaned", one of which was my IP address.  I then
knew for sure it was a trojan.
<<snip>>

This sounds like a new "Tasmer" variant.

You'll find it mentioned on several antivirus web sites, but probably
not find much by way of accurate/detailed analyses of its actions.
The basic idea is as Jeremy has described -- the client joins an IRC
channel alerting anyone/anything that knows to watch and can be
remote controlled via private messaging over IRC.  The two other
variants I've seen not only have the FTP file retrieving and running
capability but distributed password cracking and maybe a DoS agent
(exactly what that code did was not terribly important at the time we
analysed the earlier ones).

I hope to look at this one after dinner or first thing in the
morning...


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
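An added triage example, not part of the thread or of either poster's work: it flags internal hosts in a gateway connection table that are talking to IRC ports, and checks a captured IRC USER registration for the "Im trojaned" real-name marker the report describes. The connection-table line format and all addresses other than those in the post are constructed for the example.

```python
# Defender-side triage for the IRC-controlled trojan in the thread: flag
# internal hosts talking to IRC ports, and flag IRC registrations whose
# "Real Name" is the tell-tale "Im trojaned". Added example, not from the post.
import ipaddress
import re

IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
TROJAN_REALNAME = "Im trojaned"

# Constructed sample of a gateway's masqueraded-connection table; the line
# format is invented for this example, not any real tool's output.
SAMPLE_CONNTRACK = """\
TCP 192.168.1.101:1027 -> 206.183.143.241:6667 ESTABLISHED
TCP 192.168.1.50:3412 -> 198.51.100.7:80 ESTABLISHED
UDP 192.168.1.77:53210 -> 192.0.2.53:53 ASSURED
"""
CONN_RE = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):\d+\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)")

def find_irc_connections(table):
    """Return (src, dst, dport) for TCP flows from private (RFC 1918) hosts
    to well-known IRC ports; each src is a machine to pull and inspect."""
    hits = []
    for line in table.splitlines():
        m = CONN_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue
        dport = int(m["dport"])
        if dport in IRC_PORTS and ipaddress.ip_address(m["src"]).is_private:
            hits.append((m["src"], m["dst"], dport))
    return hits

# RFC 1459 client registration: USER <user> <host> <server> :<realname>
USER_RE = re.compile(r"^USER\s+\S+\s+\S+\s+\S+\s+:(?P<realname>.*)$")

def irc_realname(line):
    """Extract the 'Real Name' from a captured IRC USER command, else None."""
    m = USER_RE.match(line.rstrip("\r\n"))
    return m["realname"] if m else None

def is_trojan_registration(line):
    """True when the USER command carries the 'Im trojaned' marker."""
    return irc_realname(line) == TROJAN_REALNAME

if __name__ == "__main__":
    for src, dst, port in find_irc_connections(SAMPLE_CONNTRACK):
        print(f"{src} -> {dst}:{port} looks like IRC; inspect that machine")
    # constructed capture of what a trojaned client sends on connect
    print(is_trojan_registration("USER x localhost irc.example :Im trojaned\r\n"))
```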


