Security Incidents mailing list archives
Re: New Trojan????
From: Mike Oxbig <mike_oxbig () USA NET>
Date: Wed, 1 Nov 2000 12:17:47 EST
On Tue, 31 Oct 2000 12:28:50 -0700, Dave Woods <dave () TECHWEAVERS NET> wrote to INCIDENTS () SECURITYFOCUS COM
> One of our computers here recently became infected with something I have never seen before. When the computer starts up (winME) it opens up 2 copies of the FreeExtractor prog that extracts the following files:
> mirc.ini
directs the mIRC client in this case to connect outbound to gt.mine.nu on port 6667, automatically join a channel, and spawn hidden windows using the program temp2.exe. Fortunately, it is hosed in the form posted. The Trojan dropper is hosed too. Does the infectee even have mIRC installed? mIRC is a powerful script-based client able to grab Windows sockets. It can be scripted for example to send UDP floods. IRC WarBots are often used to flood other chatters off the IRC network. The IRC network is used primarily to discuss Britney Spears' cup size, and transfer pirated copies of Whistler.
> pri.ini
clean version of script.ini, used by mirc32.exe, includes a routine to uninstall the mIRC Trojan's INI and configuration files
> 20139.txt
list of IP addresses running the WarBot on port 20139.
> gates.txt
list of "good" IP addresses used to cloak the WarBots. Gates.txt is correlated with a list of good IRC nicks in temp.scr. Used internally within the IRC network to flood participants with /msgs /invites /etc and facilitate preventing the WarBots from being disconnected by IRC servers. You missed the chance to make headlines with a cleverly designed PR-Marketing-FUD-Disguised-as-an-ALERT(tm) of the 1,600+ "compromised" hosts ready to take down the 'Net.
> temp.exe
The FreeExtractor I guess. It wasn't in the Zip.
> temp2.exe
is a UPX 1.01 compressed version of the HideWindow program available here: http://www.winsite.com/info/pc/win95/desktop/hidewndw.zip/downl.html. HideWindow allows launching programs and forcing the apps' windows to remain hidden.
> whvlxd.dat
an INI file for the FreeExtractor program. Can be opened in Notepad. This was a mistake, it calls the installer "temp.exe" over and over, not the mIRC client loader.
> temp.scr
safe to open in Notepad, a list of alternate nicks used by the client to reconnect to another server when the client is disconnected. Correlated with gates.txt.
> gates.txt contains a lot of IPs / domains in it that look to be possibly infected hosts that this "program" is creating, as some of them are ISP accounts, i.e. port200.hs.ip.com
Actually gates.txt contains a dynamic list of "good" client IP addresses used as spoofs by the WarBots. Many headlines have been grabbed by persons and companies reporting similar lists as compromised hosts ready to cobble B2B and the promise of SOAP.
> I have attached the files in a zip with a password of pass101
Thanks for the malware.
> If anyone has seen or knows what this is or how to remove it let me know.
Disconnect the Windows ME box from the network. Search the Registry for references to temp.exe. I can only assume temp.exe is the extractor based on the reference to temp.exe in the FreeExtractor's configuration file whvlxd.dat. Remove references to temp.exe there or look inside MSCONFIG for where it loads. Isn't there an Undo-on-steroids feature in Windows Me to roll back the HDD to a known good state?

Mirc.ini has all of the other files in its MRU of recently opened files. It also shows a last used IP address, server, and nick. But it is hosed. The dropper is hosed. Did the sender hose the thing, or was the hoser sitting at the Workstation where you found this mess?
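A small triage helper for the mirc.ini artifact discussed in this reply, added here as an example and not part of the thread or of mIRC: it pulls the configured server and the MRU entries out of the INI and reports which of them match the dropped filenames and the server named in the post. The sample INI contents and the key layout are constructed for the example, not copied from the real file.

```python
import configparser

# Constructed sample modelled on the mirc.ini the thread describes; the
# key layout below is a simplification, not a copy of the real file.
SAMPLE_MIRC_INI = """\
[mirc]
nick=gt-bot
host=gt.mine.nu:6667
[recent]
n0=C:\\WINDOWS\\TEMP\\whvlxd.dat
n1=C:\\WINDOWS\\TEMP\\temp2.exe
n2=C:\\WINDOWS\\TEMP\\20139.txt
"""

# Filenames the thread lists as dropped alongside the mIRC client.
DROPPED_NAMES = {"temp.exe", "temp2.exe", "whvlxd.dat", "20139.txt",
                 "gates.txt", "temp.scr", "pri.ini"}
# Server the thread reports the script connecting to.
KNOWN_SERVERS = {"gt.mine.nu"}

def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage_mirc_ini(text):
    """Extract the configured server and MRU entries from mirc.ini text and
    report which entries match the dropped-file set and the known server."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; mIRC keys are case-sensitive
    cp.read_string(text)
    host, _, port = cp.get("mirc", "host", fallback="").partition(":")
    recent = [v for _, v in cp.items("recent")] if cp.has_section("recent") else []
    hits = sorted({basename(p) for p in recent} & DROPPED_NAMES)
    return {
        "server": host,
        "port": int(port) if port.isdigit() else None,
        "known_server": host.lower() in KNOWN_SERVERS,
        "dropped_refs": hits,
        # temp2.exe is the HideWindow launcher described in the thread
        "hidden_launcher": "temp2.exe" in hits,
    }

if __name__ == "__main__":
    print(triage_mirc_ini(SAMPLE_MIRC_INI))
```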
Current thread:
- New Trojan???? Dave Woods (Nov 01)
- Re: New Trojan???? TJ Jablonowski (Nov 02)
- Re: New Trojan???? David Knaack (Nov 02)
- Re: New Trojan???? Nexus (Nov 02)
- Re: New Trojan???? Andrew McCall (Nov 02)
- <Possible follow-ups>
- Re: New Trojan???? Mike Oxbig (Nov 02)
- Re: New Trojan???? Erick B. (Nov 02)
- Re: New Trojan???? Mike Oxbig (Nov 05)
- Re: New Trojan???? wait3r (Nov 05)