Security Incidents mailing list archives
Re: New/old Trojan?
From: GuidoZ <uberguidoz () gmail com>
Date: Thu, 25 Nov 2004 23:10:29 -0800
There's a plethora of tools and information out there. If you're serious about learning more on Windows forensics, my best recommendation is a book by Harlan Carvey called "Windows Incident Response". He has some info on it here: http://www.windows-ir.com

Harlan does frequent the SecFocus lists, so he may be on this one as well. He's extremely helpful when asked a question. Try popping it up in Security Basics - I know he monitors that one. Mention his book and ask for help/info, hopefully he'll reply shortly. ;)

--
Peace. ~G

On Mon, 22 Nov 2004 05:06:34 -0600, nixsec <nixsec () area66 org> wrote:
> I usually use Linux as my operating system, but for games I go with Windows. I used this installation of Windows 2000 SP4 around 6 times (did not do Windows Update because I didn't really care about the system since it was gaming only), and Sygate firewall detected this weird application trying to connect to the remote site atm-bank.ru. I tried looking on Google for Mmnkijia.exe and could not find anything on it. This application hides itself in the folder: when using Windows Explorer to view the folder C:\WINNT\system32\ the file would not show up. Using TCPView from Sysinternals I found several ports open:
>
> <Non-existant Process>:976 TCP xfiles:247 xfiles:0 LISTENING (searched on Google and it said this was a service called subntbcst_tftp)
> <Non-existant Process>:976 TCP xfiles:18855 xfiles:0 LISTENING
> <Non-existant Process>:976 TCP xfiles:21134 xfiles:0 LISTENING
> <Non-existant Process>:976 TCP xfiles:38493 xfiles:0 LISTENING
>
> (TCPView.exe would crash when I attempted to kill the process; when I reopened it those ports would still be open. I think I managed to kill the process one time, or crashed it somehow, and a few minutes later it got back up and running.)
>
> I loaded up Windows in safe mode with command prompt and from there the file would be visible. I also found a DLL file which the exe uses, called Mngepfne.dll (maybe loaded to hide processes and files?). I backed these up for further examination and removed them from the system32 folder. This seemed to fix the problem for now and all the ports are closed, but I've got no idea where it came from!
>
> Later I checked the page atm-bank.ru and the index page says page not found, so my only guess is it accesses that web site and the owners of it can check the web server log files to find infected IPs. I did a whois on that server name and it's only a few months old, created: 2004.06.26.
>
> If anyone has info or would like a copy of the binary files to examine them, let me know.
>
> Sygate firewall log:
>
> C:\WINNT\system32\Mmnkijia.exe
> Parent Version :
> Parent Description :
> Parent Process ID : 0x394 (Heximal) 916 (Decimal)
> File Version : 5.0.2920.0
> File Description : Internet Explorer (IEXPLORE.EXE)
> File Path : C:\Program Files\Internet Explorer\IEXPLORE.EXE
> Process ID : 0x3D4 (Heximal) 980 (Decimal)
> Connection origin : local initiated
> Protocol : TCP
> Local Address : 192.168.1.102
> Local Port : 1046
> Remote Name : atm-bank.ru
> Remote Address : 66.132.236.44
> Remote Port : 80 (HTTP - World Wide Web)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
> Destination: 00-06-25-63-64-64
> Source: 00-00-21-ff-8a-0d
> Type: IP (0x0800)
> Internet Protocol
> Version: 4
> Header Length: 20 bytes
> Flags:
> .1.. = Don't fragment: Set
> ..0. = More fragments: Not set
> Fragment offset: 0
> Time to live: 128
> Protocol: 0x6 (TCP - Transmission Control Protocol)
> Header checksum: 0x9209 (Correct)
> Source: 192.168.1.102
> Destination: 66.132.236.44
> Transmission Control Protocol (TCP)
> Source port: 1046
> Destination port: 80
> Sequence number: 2811592179
> Acknowledgment number: 0
> Header length: 28
> Flags:
> 0... .... = Congestion Window Reduce (CWR): Not set
> .0.. .... = ECN-Echo: Not set
> ..0. .... = Urgent: Not set
> ...0 .... = Acknowledgment: Not set
> .... 0... = Push: Not set
> .... .0.. = Reset: Not set
> .... ..1. = Syn: Set
> .... ...0 = Fin: Not set
> Checksum: 0x7128 (Correct)
> Data (0 Bytes)
> Binary dump of the packet:
> 0000: 00 06 25 63 64 64 00 00 : 21 FF 8A 0D 08 00 45 00 | ..%cdd..!.....E.
> 0010: 00 30 00 77 40 00 80 06 : 09 92 C0 A8 01 66 42 84 | .0.w@........fB.
> 0020: EC 2C 04 16 00 50 A7 95 : 7D F3 00 00 00 00 70 02 | .,...P..}.....p.
> 0030: 40 00 28 71 00 00 02 04 : 05 B4 01 01 04 02 6B 02 | @.(q..........k.
> 0040: 72 75 00 00 01 00 01 39 : 2E 32 35 35             | ru.....9.255
>
> I'm thinking of maybe installing Snort on the Windows system and reactivating the trojan to see what happens. I would like to learn more on Windows forensics; any tips or other software good to use to gather/examine data?
>
> Paulo Ferreira.
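As an added illustration (not code from either poster), the following Python parses the Sygate "Key : Value" connection record and the TCPView listing in the form quoted above, built here from constructed copies of those entries, and flags the two indicators the thread describes: a browser started by an executable in the Windows system directory that then opens an outbound connection, and listening sockets whose owning process TCPView cannot resolve. The "Parent Path" label is an assumption; the quoted log shows the parent's path without a label.

```python
# Constructed sample records modelled on the Sygate and TCPView output quoted
# in the thread; "Parent Path" is an assumed label (the log shows no label).
SYGATE_ENTRY = """\
Parent Path : C:\\WINNT\\system32\\Mmnkijia.exe
Parent Process ID : 0x394 (Heximal) 916 (Decimal)
File Path : C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
Process ID : 0x3D4 (Heximal) 980 (Decimal)
Connection origin : local initiated
Local Port : 1046
Remote Name : atm-bank.ru
Remote Address : 66.132.236.44
Remote Port : 80 (HTTP - World Wide Web)
"""

TCPVIEW_OUTPUT = """\
<Non-existant Process>:976 TCP xfiles:247 xfiles:0 LISTENING
<Non-existant Process>:976 TCP xfiles:18855 xfiles:0 LISTENING
svchost.exe:444 TCP xfiles:135 xfiles:0 LISTENING
"""

def parse_sygate(text):
    """Turn Sygate's 'Key : Value' lines into a dict with lower-cased keys."""
    rec = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            rec[key.strip().lower()] = value.strip()
    return rec

def unusual_browser_parent(rec):
    """True when a browser was started by an executable under system32 and
    then opened an outbound connection: the thread's pattern, where the hidden
    Mmnkijia.exe used IEXPLORE.EXE to reach atm-bank.ru."""
    parent = rec.get("parent path", "").lower()
    child = rec.get("file path", "").lower()
    return ("\\system32\\" in parent and child.endswith("iexplore.exe")
            and rec.get("connection origin") == "local initiated")

def orphan_listeners(text):
    """Listening local ports whose owner TCPView could not resolve, shown as
    '<Non-existant Process>' for ports 247/18855/21134/38493 in the thread."""
    ports = []
    for line in text.splitlines():
        parts = line.split()  # owner:pid proto local remote state
        if len(parts) < 5 or parts[-1] != "LISTENING":
            continue
        owner = " ".join(parts[:-4])
        if owner.lower().startswith("<non-exist"):
            ports.append(int(parts[-3].rsplit(":", 1)[1]))
    return ports
```

Run against a real Sygate export or a saved TCPView listing, the two checks give a quick triage pass before pulling the binaries for examination.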
Current thread:
- New/old Trojan? nixsec (Nov 26)
- Re: New/old Trojan? GuidoZ (Nov 27)
- Re: New/old Trojan? Harlan Carvey (Nov 29)