Security Incidents mailing list archives
Re: unknown trojan (attached)
From: nick () VIRUS-L DEMON CO UK (Nick FitzGerald)
Date: Tue, 13 Jun 2000 19:08:08 +1200
Hi, Due to Email problems over the weekend, I have just received this...
> Tonight I received the following file and ran it. It did nothing noticeable, so I immediately became suspicious. A few moments later, I noticed on my gateway machine connection attempts to port 113 from a remote machine, "chapterhouse.sugar-river.net" [206.183.143.241]. A quick check of masqueraded connections on the gateway showed a connection from that particular Win98 machine [192.168.1.101:1027] to the remote host [206.183.143.241:6667]. Knowing that 6667 is an often used port for IRC servers, I started up an IRC client and connected to that host. It was indeed an IRC server. A quick check showed 4 users online with the "Real Name" field set to "Im trojaned", one of which was my IP address. I then knew for sure it was a trojan.
> <<snip>>

This sounds like a new "Tasmer" variant. You'll find it mentioned on several antivirus web sites, but probably not find much by way of accurate/detailed analyses of its actions. The basic idea is as Jeremy has described -- the client joins an IRC channel, alerting anyone/anything that knows to watch, and can be remote controlled via private messaging over IRC. The two other variants I've seen not only have the FTP file retrieving and running capability but distributed password cracking and maybe a DoS agent (exactly what that code did was not terribly important at the time we analysed the earlier ones).

I hope to look at this one after dinner or first thing in the morning...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
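The detection pattern Jeremy describes (an internal host opening an outbound connection to an IRC port while the same remote host probes the gateway's ident port 113) can be checked mechanically against gateway connection records. The following is an added example, not code from either poster: it parses a constructed, simplified connection log (the format `<direction> <src>:<port> -> <dst>:<port>` and the record layout are assumptions; the addresses are the ones quoted in the thread) and reports internal hosts that match the pattern.

```python
import re

# Constructed sample of gateway connection records (format is an assumption,
# not any real masquerading table output); addresses come from the thread.
SAMPLE_CONNECTIONS = """\
out 192.168.1.101:1027 -> 206.183.143.241:6667
in  206.183.143.241:4012 -> 192.168.1.1:113
out 192.168.1.102:1540 -> 10.0.0.5:80
out 192.168.1.103:1100 -> 10.0.0.9:6667
"""

IRC_PORTS = {6667}   # the port the trojaned host connected to in the thread
IDENT_PORT = 113     # ident lookups performed by IRC servers on connecting clients

LINE_RE = re.compile(r"^(in|out)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_connections(text):
    """Turn the constructed log text into (direction, src, sport, dst, dport) tuples.
    Lines that do not match the expected layout are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, src, sport, dst, dport = m.groups()
        records.append((direction, src, int(sport), dst, int(dport)))
    return records


def find_irc_bot_candidates(records):
    """Return {internal_host: {"irc_server": ip, "ident_probe": bool}}.

    An internal host is listed when it has an outbound connection to an IRC
    port. ident_probe is True when that same remote server also attempted an
    inbound connection to port 113, which is the combination observed in the
    thread and a stronger signal than the IRC connection alone."""
    ident_sources = {
        src for direction, src, _, _, dport in records
        if direction == "in" and dport == IDENT_PORT
    }
    findings = {}
    for direction, src, _, dst, dport in records:
        if direction == "out" and dport in IRC_PORTS:
            findings[src] = {"irc_server": dst, "ident_probe": dst in ident_sources}
    return findings


if __name__ == "__main__":
    for host, info in find_irc_bot_candidates(parse_connections(SAMPLE_CONNECTIONS)).items():
        flag = "IRC + ident probe" if info["ident_probe"] else "IRC only"
        print(f"{host} -> {info['irc_server']}  [{flag}]")
```

Hosts that show both the outbound IRC session and the matching ident probe from the same server are the ones worth pulling off the network and examining first; an IRC connection on its own may simply be a user running a client.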
Current thread:
- Re: unknown trojan (attached) Jeremy L. Gaddis (Jun 10)
- <Possible follow-ups>
- Re: unknown trojan (attached) Nick FitzGerald (Jun 13)