Security Incidents mailing list archives

Trojan found...

From: Les Ault <aultl () comcast net>
Date: Tue, 15 Apr 2003 19:24:49 -0500

Whilst patching my webserver this morning I found the following files in the root directory of my webserver.
Has anyone seen this trojan before? I have done some googling and checked the securityfocus website with no luck.
It appears to use the unicode IIS exploit. I only got hit because I just re-installed IIS yesterday :), needless to say
the
trojan did not execute as I have done some very basic checking and no registry keys have been created and the folder
the trojan installed to was never created. I found it approximately 30 minutes after it was downloaded, according to
the file time stamp.

C:\test.scr
C:\tests.scr
C:\tesst.scr
C:\sysnet32.exe

All of the .scr files are FTP command files, i.e. contain a ftp server address , username, password, and command to
download a file.
I have the downloaded file, (sysnet32.exe), but it was never executed. It is a self-extracting rar file. I say it has
never executed because contained
in the rar file is a .reg file that adds the trojan to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and
that key is empty.
The folder that that registry entry points to does not exist either. Also contained in the rar file is a txt file that
lists users and which groups to add them to, none of these users exist on the system. Server is currently running fully
patched Win2k Advanced Server with IIS 5.0 (patched now...).
If anyone has had experience with this trojan of knows where I can find info on it I would be greatful.

Les Ault
aultl () comcast net
2003-04-15

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------

Current thread:

Trojan found... Les Ault (Apr 17)
- Re: Trojan found... Harlan Carvey (Apr 19)
- <Possible follow-ups>
- Re: Trojan found... Les Ault (Apr 19)
- Re: Trojan found... aladin168 (Apr 24)
  - Re: Trojan found... Patrick Nolan (Apr 25)