Security Incidents mailing list archives

SV: Strange servicepack.exe file (not service.exe) found.

From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Wed, 17 Dec 2003 01:07:28 +0100

Hi Chip,

Just took a quick look at the sample and it seems to be a new variant of
"Istbar". A family of backdoors that downloads several applications
(porndialers and stuff like that). 

The code is written in Microsoft Visual C++ and packed with UPX. 

When executed, the malware will drop copies of itself on the local
harddisk and modify registry in order to restart after reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<Random
Entry>="C:\Program Files\<Random Folder>\<malware.exe> 

Next it will contact several websites from where it will download other
components:

http://cnt.rapidblaster.com/(**)run?
http://devcnt.rapidblaster.com/(***)run?
http://cnt.rapidblaster.com/(***).run

A search on google will bring up several hits for other variants of
Istbar.

Kind regards
Peter Kruse
http://www.krusesecurity.dk

-----Oprindelig meddelelse-----
Fra: Chip Mefford [mailto:cmefford () avwashington com] 
Sendt: 16. december 2003 19:29
Til: incidents () securityfocus com
Emne: Strange servicepack.exe file (not service.exe) found.


Running in the task manager on a windows 98 box on
our lan. The machine was misbehaving badly yesterday
morning. IE 5.5 was broken, will not browse anything,
even a local file. Mozilla 1.5 works fine. The machine
has been flattened and is being reloaded with Win2K.

This machine was screwed down as tight as we could make
it and still have it be useful. It was used by staff
that had no dedicated workstations to access our webmail
and such things.

I know nothing about reverse engineering binary executables. 
Strings output showed some concerning lines.

I've posted the file "servicepack.exe" in zipped and
tarred formats both at this url.

http://www.eruditium.org/cmefford/securityfocus/




------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Strange servicepack.exe file (not service.exe) found. Chip Mefford (Dec 16)
- RE: Strange servicepack.exe file (not service.exe) found. Bojan Zdrnja (Dec 17)
- SV: Strange servicepack.exe file (not service.exe) found. Peter Kruse (Dec 17)
- Re: Strange servicepack.exe file (not service.exe) found. Eric Chien (Dec 17)
  - RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
    - RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 17)
    - RE: Strange servicepack.exe file (not service.exe) found. Rob Shein (Dec 18)
    - RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 18)
    - RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 17)
    - RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
    - RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 18)
    - RE: Strange servicepack.exe file (not service.exe) found. David Gillett (Dec 18)
    - Re: Strange servicepack.exe file (not service.exe) found. Doug Foster (Dec 19)

(Thread continues...)