Security Incidents mailing list archives
Re: New Trojan
From: Jay Castaldo <fupayme2003 () hotmail com>
Date: 28 Oct 2003 13:30:44 -0000
In-Reply-To: <20031027210616.5343.qmail () web41607 mail yahoo com> Wow, I guess people went different routes to fix the trojan whether is was backing up rundll32.dll or reformating, but like I stated before after doing the rundll32.dll uninstall command, the registry keys didn't reappear and the ports I stated were open from my netstats while ineffected, suddenly closed. I'm of course no 100% sure my system is totally cleaned but I would believe so. Good luck everybody, keep the input going because this is very good reading. Thanks again Jay
Received: (qmail 3507 invoked from network); 27 Oct 2003 21:48:34 -0000 Received: from outgoing2.securityfocus.com (205.206.231.26) by mail.securityfocus.com with SMTP; 27 Oct 2003 21:48:34 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing2.securityfocus.com (Postfix) with QMQP id 6232E8F8AD; Mon, 27 Oct 2003 08:45:27 -0700 (MST) Mailing-List: contact incidents-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <incidents.list-id.securityfocus.com> List-Post: <mailto:incidents () securityfocus com> List-Help: <mailto:incidents-help () securityfocus com> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com> List-Subscribe: <mailto:incidents-subscribe () securityfocus com> Delivered-To: mailing list incidents () securityfocus com Delivered-To: moderator for incidents () securityfocus com Received: (qmail 21435 invoked from network); 27 Oct 2003 15:00:44 -0000 Message-ID: <20031027210616.5343.qmail () web41607 mail yahoo com> Date: Mon, 27 Oct 2003 13:06:16 -0800 (PST) From: Harlan Carvey <keydet89 () yahoo com> Subject: RE: New Trojan To: incidents () securityfocus com In-Reply-To: <BNEALFHAGAFLNAGBLHNLGEMBENAA.lucretias () shaw ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Lucretia, Easier said than done on Win2k and above...thanks to WFP. --- Lucretia <lucretias () shaw ca> wrote:Correct, you must take steps to remove wscript.exe and cscript.exe otherwise they will remain.-----Original Message----- From: lsi [mailto:stuart () cyberdelix net] Sent: Monday, October 27, 2003 6:04 AM To: Harlan Carvey Cc: incidents () securityfocus com Subject: Re: New Trojan Hi there,http://patriot.net/~carvdawg/docs/dark_side.htmlExcellent article on ADS, one point. You sayWindows Scripting Hoststarted shipping with W2K. However, it isapparently installed bydefault on Win98SE systems as well (I reinstalledthis machine justlast week). After reading your article I fired up a commandprompt and typedCSCRIPT - this caused the scripting host toappear. Which was odd,because I was sure I had told the installer *not*to install WindowsScripting Host.... So I click Start.. Settings.. Control Panel.. Addand RemovePrograms.. Windows Setup.. Accessories.. and sureenough WindowsScripting Host is *NOT* checked. However,CSCRIPT.EXE is in myC:\WINDOWS\COMMAND directory while WSCRIPT.EXE isin my C:\WINDOWSdirectory anyhow. So I would like to report to you: 1. WSH is shipped with Win98SE as well. 2. telling the installer not to install it doesnot work.Stuart On 25 Oct 2003 at 10:42, Harlan Carvey wrote: Date sent: Sat, 25 Oct 2003 10:42:41 -0700(PDT)From: Harlan Carvey<keydet89 () yahoo com>Subject: Re: New Trojan To: incidents () securityfocus comJay,I don't know if this is a new trojan oranything,but I have tried doing some research on theInternetand couldn't find anything on it. Well it hastworegistry entries in my Run, and RunOnce. Hereisthe name of both keys acbdhpd and the valuesarepointing to a file1129 I can not seem to find rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.Given the colon, it looks like you might have aDLLhidden in an alternate data stream. Is yourfilesystem NTFS?I tried killing my explorer.exe to see if thatisreason I can't find it because I am mostlikelyusing a trojanized explorer.exe,I'm curious about that statement, given that you really don't have anything to base it on.but I could only find a copy in my temp, I delete through DOSanddelete the registry entries to no success, the registry keys appear within 30 seconds and thefilepops right back up.What file? I thought you said you couldn't see anything, so what file is popping right back up?Anybody seen this or can give me some help to get this out withoutreloading? Ithas also opened up two TCP, 3799, and 41225and twoUDP ports, 1129, 1241. ThanksHow have you determined this? What tool areyouusing to determine that this particular issue is opening those ports, and they're not beingopened bysome other process? In a nutshell, it looks as if you've gotsomething onyour system, but it's hidden in an alternatedatastream. I'm willing to help, you can get me as"carvdawg" onAIM and "keydet89" on Yahoo Messenger.---------------------------------------------------------------------------Network with over 10,000 of the brightest mindsin information securityat the largest, most highly-anticipated industryevent of the year.Don't miss RSA Conference 2004! Choose from over200 class sessions andsee demos from more than 250 industry vendors.If your job touchessecurity, you need to be here. Learn more orregister athttp://www.securityfocus.com/sponsor/RSA_incidents_031023and use priority code SF4.---------------------------------------------------------------------------- -- Stuart Udall stuart at cyberdelix dot net -http://www.cyberdelix.net/..revolution through evolution want to make some cash? check outhttp://cyberdelix.net/affiliates.htm--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds ininformation securityat the largest, most highly-anticipated industryevent of the year.Don't miss RSA Conference 2004! Choose from over200 class sessions andsee demos from more than 250 industry vendors. Ifyour job touchessecurity, you need to be here. Learn more orregister athttp://www.securityfocus.com/sponsor/RSA_incidents_031023and use priority code SF4.------------------------------------------------------------------------------------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- RE: New Trojan, (continued)
- RE: New Trojan John Ives (Oct 26)
- Re: New Trojan Grzegorz (Oct 25)
- Re: New Trojan Harlan Carvey (Oct 27)
- Re: New Trojan sean (Oct 25)
- Re: New Trojan Jay Castaldo (Oct 27)
- Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Chris Fussell (Oct 27)
- RE: New Trojan Tran, John (Oct 27)
- Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Matt Vaughan (Oct 28)
- Re: New Trojan Jay Castaldo (Oct 28)
- RE: New Trojan Thompson, Jason (Oct 28)
- RE: New Trojan David LeBlanc (Oct 28)
- RE: New Trojan James C. Slora, Jr. (Oct 31)