Re: New virus - possible rootkit

["Joel R. Helgeson" <joel () helgeson com>]

THis is actually a rootkit that is as serious as I had feared.

I am gathering up more information.  If you have the files in the 
directories specified, you have a problem.

The file is http://www.appiant.net/infected.zip

password is infected

If you are infected with the rootkit, it does not alarm on any of the 
files...

Joel
----- Original Message ----- 
From: "Joel R. Helgeson" <joel () helgeson com>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, September 20, 2006 3:30 PM
Subject: [Full-disclosure] New virus - possible rootkit


> Virus Alert - Possible Rootkit
> --
>
> The files ARE NOT detected by ANY current AV Scanning signature engine.
>
> I do not have the time to write a report on the entire analysys but I 
> wanted
> to get the data out to everyone ASAP so that you can detect this running 
> on
> your computers.  I'm finding that this is pretty widespread here on my
> customers' network.
>
> This appears to be an IRC bot that encrypts its traffic to fly beneath the
> radar. What makes it more interesting is that the directories it creates
> have SYSTEM ownership and only system and creator/owner can access the
> files.  Changing permissions on the files or directorys will only be 
> changed
> back.  It also appears that if you remove the file, it will start revoking
> permissions on all files and will remove everyones but SYSTEM's permission
> to all files.
>
> This is very, very early prelim info. and I am trying to both quarrantine
> the damage, investigate the infection on top of trying to get the word 
> out.
> (I know what the cygwin files are, but they came with the infection so I
> include them here.)
>
> I've uploaded the .zip file with all the programs in their respective
> directories recursed to my web site, I'll have it up there by 21 Sep, 
> 2006.
> http://www.appiant.net
>
> The files and locations:
> c:\windows\system32\cygcrypt-0.dll (linux crypto)
> c:\windows\system32\cygwin1.dll     (linux command)
> c:\windows\system32\dntus26.exe    (used for remote admin)
> c:\windows\system32\javadebug.dll  (actually a text file)
> c:\windows\system32\rundl32.exe    (ircbot interface)
> c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe 
> with
> the text from javadebug.dll I dont know what else it does yet)
> c:\windows\system32\scardsvrs.exe (the device that appears to launch the
> zonedown.bat file... still working)
> c:\windows\system32\wbem\svchost.exe (Serv-u ftp service - modified -)
> c:\windows\system32\wbem\wbem.exe (workin on what this one does)...
>
> it also placed files in a hidden directory with only system priviledges:
> c:\windows\system32\DirectX\Dinput\Others\
>
> The file placed in there was a snippet of a movie, divx encoded...  the
> filename was Min2 (no extension).
>
> Below is what the AVERT labs reported when I submitted the file.
>
> Joel Helgeson
> Appiant, Inc.
> 952-858-9111
>
> -------------------------------
>
> AVERT Labs - Beaverton
> Current Scan Engine Version:4.4.00
> Current DAT Version:4855
> Thank you for your submission.
>
> Analysis ID: 2533501
> NameFindings        DetectionType    Extra
> cygcrypt-0.dll        no malware    n
> cygwin1.dll    no malware    n
> dntus26.exe    heuristic detection    remadm-dwrc    Application    n
> javadebug.dll    inconclusive    no
> rundl32.exe    current detection    iroffer    Application    no
> scardsvrs.exe    heuristic detection    srvany    Application    no
> svchost.exe    current detection    servu-daemon    Application    no
> wbem.exe    heuristic detection    srvany    Application    no
> zonedown.batinconclusiveno
>
> current detection [ rundl32.exe svchost.exe ]
> Our analysis detected a potentially unwanted program file or joke program
> with our current DAT files and engine. It is recommended that you update
> your DAT and engine files and scan your computer again. You may not want
> this program installed. If you do not want it installed, we recommend that
> you use the Add/Remove Program in the Windows Control Panel to completely
> uninstall the detected program. You can also contact the Virus Information
> Library for information about manually uninstalling potentially unwanted
> programs. If you are not seeing this with the product you are using, 
> please
> speak with technical support so that they can help you determine the cause
> of this discrepancy.
> If you use the McAfee VirusScan Online or VirusScan Retail products, and 
> do
> not have the Dat File Version specified, please visit
> http://www.webimmune.net/extra/getextra.aspx and use the detection name
> supplied in this message to receive an extra.dat file for detection.
>
> inconclusive [ javadebug.dll zonedown.bat ]
> Upon analysis the file submitted does not appear to contain one of the
> 100,000 known threats in the AutoImmune database. The file may contain a 
> new
> malware threat, or no code capable of being infected. Your submission is
> being forwarded to an AVERT Researcher for further analysis. You will be
> contacted by AVERT through e-mail with the results of that analysis.
>
> heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]
> The file received may contain a potentially unwanted program file or joke
> program. This potential threat was identified with our most powerful set 
> of
> heuristic DAT drivers. Heuristic drivers can make false-positive
> identifications, as such, this issue is being escalated to AVERT for a
> thorough review. In the meantime, it is recommended that you update your 
> DAT
> and engine files and scan your computer again. You will be contacted 
> through
> e-mail with the results of our analysis. Warning: McAfee products do not
> clean potentially unwanted program files or joke programs. The attached 
> will
> only detected the potentially unwanted program. If you do not want it
> installed, we recommend that you use the Add/Remove Program in the Windows
> Control Panel to completely uninstall the detected program. You can also
> contact the Virus Information Library for information about manually
> uninstalling potentially unwanted programs.
>
> no malware [ cygcrypt-0.dll cygwin1.dll ]
> AVERT has found no indications of malicious code. Upon examining the file,
> we observed no malicious behavior. If you still believe the files you sent
> contain a virus or trojan, please provide more information on why you feel
> these are suspect files.
>
>
> Regards,
>
>
>
> McAfee AVERT tm
> A division of McAfee, Inc
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/