Full Disclosure mailing list archives
Re: New virus - possible rootkit
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Fri, 22 Sep 2006 14:58:08 -0500
This is actually a rootkit that is as serious as I had feared. I am gathering up more information. If you have the files in the directories specified, you have a problem.

The file is http://www.appiant.net/infected.zip password is infected

If you are infected with the rootkit, it does not alarm on any of the files...

Joel

----- Original Message -----
From: "Joel R. Helgeson" <joel () helgeson com>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, September 20, 2006 3:30 PM
Subject: [Full-disclosure] New virus - possible rootkit
Virus Alert - Possible Rootkit -- The files ARE NOT detected by ANY current AV scanning signature engine.

I do not have the time to write a report on the entire analysis, but I wanted to get the data out to everyone ASAP so that you can detect this running on your computers. I'm finding that this is pretty widespread here on my customers' network.

This appears to be an IRC bot that encrypts its traffic to fly beneath the radar. What makes it more interesting is that the directories it creates have SYSTEM ownership and only SYSTEM and creator/owner can access the files. Changing permissions on the files or directories will only be changed back. It also appears that if you remove the file, it will start revoking permissions on all files and will remove everyone's but SYSTEM's permission to all files.

This is very, very early prelim info, and I am trying to both quarantine the damage and investigate the infection on top of trying to get the word out. (I know what the cygwin files are, but they came with the infection, so I include them here.)

I've uploaded the .zip file with all the programs in their respective directories recursed to my web site; I'll have it up there by 21 Sep, 2006. http://www.appiant.net

The files and locations:

c:\windows\system32\cygcrypt-0.dll (linux crypto)
c:\windows\system32\cygwin1.dll (linux command)
c:\windows\system32\dntus26.exe (used for remote admin)
c:\windows\system32\javadebug.dll (actually a text file)
c:\windows\system32\rundl32.exe (ircbot interface)
c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with the text from javadebug.dll; I don't know what else it does yet)
c:\windows\system32\scardsvrs.exe (the device that appears to launch the zonedown.bat file... still working)
c:\windows\system32\wbem\svchost.exe (Serv-U ftp service - modified -)
c:\windows\system32\wbem\wbem.exe (working on what this one does)...
It also placed files in a hidden directory with only SYSTEM privileges: c:\windows\system32\DirectX\Dinput\Others\ The file placed in there was a snippet of a movie, DivX encoded... the filename was Min2 (no extension).

Below is what AVERT Labs reported when I submitted the file.

Joel Helgeson
Appiant, Inc.
952-858-9111

-------------------------------
AVERT Labs - Beaverton
Current Scan Engine Version: 4.4.00
Current DAT Version: 4855

Thank you for your submission.

Analysis ID: 2533501

Name            Findings             Detection     Type         Extra
cygcrypt-0.dll  no malware                                      n
cygwin1.dll     no malware                                      n
dntus26.exe     heuristic detection  remadm-dwrc   Application  n
javadebug.dll   inconclusive                                    no
rundl32.exe     current detection    iroffer       Application  no
scardsvrs.exe   heuristic detection  srvany        Application  no
svchost.exe     current detection    servu-daemon  Application  no
wbem.exe        heuristic detection  srvany        Application  no
zonedown.bat    inconclusive                                    no

current detection [ rundl32.exe svchost.exe ]

Our analysis detected a potentially unwanted program file or joke program with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again. You may not want this program installed. If you do not want it installed, we recommend that you use the Add/Remove Program in the Windows Control Panel to completely uninstall the detected program. You can also contact the Virus Information Library for information about manually uninstalling potentially unwanted programs. If you are not seeing this with the product you are using, please speak with technical support so that they can help you determine the cause of this discrepancy. If you use the McAfee VirusScan Online or VirusScan Retail products, and do not have the DAT File Version specified, please visit http://www.webimmune.net/extra/getextra.aspx and use the detection name supplied in this message to receive an extra.dat file for detection.
inconclusive [ javadebug.dll zonedown.bat ]

Upon analysis the file submitted does not appear to contain one of the 100,000 known threats in the AutoImmune database. The file may contain a new malware threat, or no code capable of being infected. Your submission is being forwarded to an AVERT Researcher for further analysis. You will be contacted by AVERT through e-mail with the results of that analysis.

heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]

The file received may contain a potentially unwanted program file or joke program. This potential threat was identified with our most powerful set of heuristic DAT drivers. Heuristic drivers can make false-positive identifications; as such, this issue is being escalated to AVERT for a thorough review. In the meantime, it is recommended that you update your DAT and engine files and scan your computer again. You will be contacted through e-mail with the results of our analysis. Warning: McAfee products do not clean potentially unwanted program files or joke programs. The attached will only detect the potentially unwanted program. If you do not want it installed, we recommend that you use the Add/Remove Program in the Windows Control Panel to completely uninstall the detected program. You can also contact the Virus Information Library for information about manually uninstalling potentially unwanted programs.

no malware [ cygcrypt-0.dll cygwin1.dll ]

AVERT has found no indications of malicious code. Upon examining the file, we observed no malicious behavior. If you still believe the files you sent contain a virus or trojan, please provide more information on why you feel these are suspect files.

Regards,
McAfee AVERT (tm)
A division of McAfee, Inc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
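The post gives file paths and describes SYSTEM-only ACLs but no hashes or removal procedure, so the natural first step on a suspect host is a read-only inventory of exactly those paths. The script below is an added example written for this archive page; it is not Joel's code, nor anything from the AVERT report. It assumes only the paths listed in the post (relative to %SystemRoot%\System32), takes no hash values for granted because the post publishes none, and deliberately changes nothing, since the post says deleting the file triggers permission revocation on other files. It should be run from an elevated PowerShell; where the DACL really is SYSTEM-only, Get-Acl and Get-FileHash will be denied even to Administrators and the script reports that instead of failing, which is itself a useful signal.

```powershell
# Added example (not from the original post): read-only triage of the file
# paths Joel listed. It deletes and re-ACLs nothing, because the post reports
# that removing the file triggers permission revocation elsewhere.
# Run from an elevated PowerShell; SYSTEM-only ACLs may still deny an
# Administrator, in which case the SHA256/Access fields carry the error text.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Relative paths copied from the post. The cygwin DLLs are benign on their own
# but are listed because the post says they arrived with the infection.
$indicators = @(
    'cygcrypt-0.dll', 'cygwin1.dll', 'dntus26.exe', 'javadebug.dll',
    'rundl32.exe', 'zonedown.bat', 'scardsvrs.exe',
    'wbem\svchost.exe', 'wbem\wbem.exe',
    'DirectX\Dinput\Others\Min2'
) | ForEach-Object { Join-Path $sys32 $_ }

function Get-IndicatorInfo {
    param([Parameter(Mandatory)][string]$Path)
    # -Force so Hidden/System attributes do not hide the item from Get-Item.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return }   # emit nothing for absent files

    $info = [ordered]@{
        Path       = $Path
        Size       = $item.Length
        Attributes = $item.Attributes.ToString()
        Modified   = $item.LastWriteTimeUtc
        SHA256     = $null
        Owner      = $null
        Access     = $null
    }
    try {
        $info.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } catch {
        $info.SHA256 = "unreadable: $($_.Exception.Message)"
    }
    try {
        $acl = Get-Acl -LiteralPath $Path
        $info.Owner  = $acl.Owner
        # One "identity:rights:type" entry per ACE, so a SYSTEM-only DACL is obvious.
        $info.Access = ($acl.Access | ForEach-Object {
            '{0}:{1}:{2}' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType
        }) -join '; '
    } catch {
        $info.Access = "ACL unreadable: $($_.Exception.Message)"
    }
    [pscustomobject]$info
}

$found = @(foreach ($p in $indicators) { Get-IndicatorInfo -Path $p })

if ($found.Count -eq 0) {
    Write-Host 'None of the listed files are present.'
} else {
    Write-Host ('{0} of {1} listed files present:' -f $found.Count, $indicators.Count)
    $found | Format-List

    # rundl32.exe (one 'l') and wbem\svchost.exe are look-alikes of real
    # Windows binaries; show the legitimate files next to them for comparison.
    foreach ($name in 'rundll32.exe', 'svchost.exe') {
        Get-Item -LiteralPath (Join-Path $sys32 $name) |
            Select-Object FullName, Length, LastWriteTimeUtc |
            Format-Table -AutoSize
    }

    # javadebug.dll and zonedown.bat are text per the post; show their contents.
    foreach ($name in 'javadebug.dll', 'zonedown.bat') {
        $p = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $p) {
            Write-Host "---- $p ----"
            Get-Content -LiteralPath $p -ErrorAction SilentlyContinue
        }
    }
}

# The hidden drop directory: list everything, including hidden entries.
$drop = Join-Path $sys32 'DirectX\Dinput\Others'
if (Test-Path -LiteralPath $drop) {
    Get-ChildItem -LiteralPath $drop -Force | Select-Object Name, Length, Attributes
}

# AVERT flagged scardsvrs.exe and wbem.exe as srvany (a service wrapper) and
# wbem\svchost.exe as a Serv-U daemon, so look for services whose image path
# points at any of the indicator binaries. (Use Get-WmiObject on PowerShell 2.)
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match 'rundl32\.exe|scardsvrs\.exe|dntus26\.exe|wbem\\(svchost|wbem)\.exe'
} | Select-Object Name, DisplayName, State, StartMode, PathName | Format-Table -AutoSize
```

The ACE dump is the part worth reading closely: a file under System32 whose DACL lists only NT AUTHORITY\SYSTEM and CREATOR OWNER, with no Administrators or TrustedInstaller entry, matches what the post describes and is not how Windows ships its own binaries. If the hashes come back "unreadable" for the same reason, collect them from a SYSTEM context (for example a service or a psexec -s shell) rather than by taking ownership, since the post says ownership and permission changes are reverted and removal triggers wider ACL damage.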
Current thread:
- New virus - possible rootkit Joel R. Helgeson (Sep 20)
- Re: New virus - possible rootkit Bipin Gautam (Sep 21)
- Re: New virus - possible rootkit Joel R. Helgeson (Sep 22)