Security Incidents mailing list archives

Re: New Trojan????


From: Mike Oxbig <mike_oxbig () USA NET>
Date: Wed, 1 Nov 2000 12:17:47 EST

On Tue, 31 Oct 2000 12:28:50 -0700, Dave Woods <dave () TECHWEAVERS NET>
wrote to INCIDENTS () SECURITYFOCUS COM:

> One of our computers here recently became infected with something I have
> never seen before.

> When the computer starts up (winME) it opens up 2 copies of the
> FreeExtractor prog that extracts the following files:

mirc.ini
directs the mIRC client in this case to connect outbound to gt.mine.nu on port
6667, automatically join a channel, and spawn hidden windows using the program
temp2.exe. Fortunately, it is hosed in the form posted. The Trojan dropper is
hosed too. Does the infectee even have mIRC installed?

mIRC is a powerful script-based client able to grab Windows sockets. It can be
scripted, for example, to send UDP floods. IRC WarBots are often used to flood
other chatters off the IRC network. The IRC network is used primarily to
discuss Britney Spears' cup size and transfer pirated copies of Whistler.

pri.ini
clean version of script.ini, used by mirc32.exe, includes a routine to
uninstall the mIRC Trojan's INI and configuration files

20139.txt
list of IP addresses running the WarBot on port 20139.

gates.txt
list of "good" IP addresses used to cloak the WarBots. Gates.txt is correlated
with a list of good IRC nicks in temp.scr. Used internally within the IRC
network to flood participants with /msgs /invites /etc and facilitate
preventing the WarBots from being disconnected by IRC servers.

You missed the chance to make headlines with a cleverly designed
PR-Marketing-FUD-Disguised-as-an-ALERT(tm) about the 1,600+ "compromised" hosts
ready to take down the 'Net.

temp.exe
The FreeExtractor I guess. It wasn't in the Zip.

temp2.exe
is a UPX 1.01 compressed version of the HideWindow program available here
http://www.winsite.com/info/pc/win95/desktop/hidewndw.zip/downl.html
HideWindow allows launching programs and forcing the apps' windows to remain
hidden.

whvlxd.dat
an INI file for the FreeExtractor program. Can be opened in Notepad. This was
a mistake: it calls the installer "temp.exe" over and over, not the mIRC
client loader.

temp.scr
safe to open in Notepad; a list of alternate nicks used by the client to
reconnect to another server when the client is disconnected. Correlated with
gates.txt.

> gates.txt contains a lot of IPs / domains in it that look to be possibly
> infected hosts that this "program" is creating, as some of them are ISP
> accounts, i.e. port200.hs.ip.com

Actually gates.txt contains a dynamic list of "good" client IP addresses used
as spoofs by the WarBots. Many headlines have been grabbed by persons and
companies reporting similar lists as compromised hosts ready to cobble B2B and
the promise of SOAP.

> I have attached the files in a zip with a password of pass101

Thanks for the malware.

> If anyone has seen or knows what this is or how to remove it let me know.

Disconnect the Windows ME box from the network. Search the Registry for
references to temp.exe. I can only assume temp.exe is the extractor, based on
the reference to temp.exe in the FreeExtractor's configuration file whvlxd.dat.
Remove references to temp.exe there, or look inside MSCONFIG for where it
loads. Isn't there an Undo-on-steroids feature in Windows ME to roll back the HDD
to a known good state?

Mirc.ini has all of the other files in its MRU of recently opened files. It
also shows a last-used IP address, server, and nick. But it is hosed. The
dropper is hosed. Did the sender hose the thing, or was the hoser sitting at
the workstation where you found this mess?
-- 


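The reply above triages the dropped mirc.ini by hand: it reads off the outbound IRC server and port, the auto-joined channel, the hidden-window launcher (temp2.exe) and the support files listed in the client's MRU. The script below is an added example, not code from the original thread or from mIRC, that does the same triage over an INI file and pulls those indicators out. The sample INI is constructed for this example and only loosely modelled on an mIRC-style layout; the section and key names are illustrative assumptions, not taken from the files Dave posted, which is why the matching works on value patterns (host:port, #channel, *.exe) rather than on specific key names.

```python
import configparser
import re

# Constructed sample. Loosely modelled on an mIRC-style INI; the key names
# are illustrative assumptions, not the contents of the posted mirc.ini.
SAMPLE_MIRC_INI = """\
[mirc]
nick=w4rb0t
anick=w4rb0t2
host=gt.mine.nuSERVER:gt.mine.nu:6667GROUP:gt
user=user
[recent]
n0=gt.mine.nu:6667
n1=irc.example.net:6667
[rfiles]
n0=script.ini
n1=pri.ini
n2=temp.scr
n3=gates.txt
[perform]
n0=/join #warbots
n1=/run temp2.exe mirc32.exe
"""

# Value patterns: a host:port pair, an IRC channel, a PE name, a support file.
HOST_PORT = re.compile(r'([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}):(\d{2,5})')
CHANNEL = re.compile(r'(?<!\w)#[\w-]+')
EXE = re.compile(r'\b[\w.-]+\.exe\b', re.IGNORECASE)
SUPPORT_FILE = re.compile(r'\b[\w.-]+\.(?:ini|scr|txt|dat)\b', re.IGNORECASE)
# Ports an IRC client is normally configured to use.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def triage_mirc_ini(text):
    """Walk every key=value pair and collect the indicators a responder wants."""
    cp = configparser.ConfigParser(
        strict=False,            # tolerate duplicate keys in MRU-style sections
        interpolation=None,      # values contain '%' and ':' literally
        delimiters=('=',),       # never split a value at ':' (host:port)
        comment_prefixes=(';',), # a line starting with '#' is not a comment here
        inline_comment_prefixes=None,
    )
    cp.read_string(text)
    report = {
        "servers": set(),        # (host, port) pairs seen anywhere
        "channels": set(),       # channels the client is told to join
        "executables": set(),    # PE names referenced by the config
        "support_files": set(),  # ini/scr/txt/dat files it relies on
        "launch_chains": [],     # one value naming two or more executables,
    }                            # i.e. a wrapper launching a second program
    for section in cp.sections():
        for key, value in cp.items(section):
            for host, port in HOST_PORT.findall(value):
                report["servers"].add((host, int(port)))
            report["channels"].update(CHANNEL.findall(value))
            exes = [e.lower() for e in EXE.findall(value)]
            report["executables"].update(exes)
            report["support_files"].update(
                f.lower() for f in SUPPORT_FILE.findall(value))
            if len(exes) >= 2:
                report["launch_chains"].append((section, key, value))
    report["irc_ports_seen"] = {p for _, p in report["servers"] if p in IRC_PORTS}
    return report


def findings(report):
    """Turn the raw report into the short list of reasons the file is suspect."""
    out = []
    irc = sorted((h, p) for h, p in report["servers"] if p in IRC_PORTS)
    if irc:
        out.append("outbound IRC: " + ", ".join(f"{h}:{p}" for h, p in irc))
    if report["channels"]:
        out.append("auto-join: " + ", ".join(sorted(report["channels"])))
    for section, key, value in report["launch_chains"]:
        out.append(f"launcher chain in [{section}] {key}: {value}")
    return out


if __name__ == "__main__":
    rep = triage_mirc_ini(SAMPLE_MIRC_INI)
    for line in findings(rep):
        print(line)
    print("support files:", ", ".join(sorted(rep["support_files"])))
```

Run against a real mirc.ini from an infected box the same way (read the file into `text`); the MRU entries and the perform/run lines are what tie the other dropped files (pri.ini, temp.scr, gates.txt, temp2.exe) back to the client, which is the correlation the reply above does by eye.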

