Security Incidents mailing list archives
Re: Trojan found...
From: Les Ault <aultl () comcast net>
Date: Thu, 17 Apr 2003 20:47:49 -0500
This is the file list contained in the archive. I checked Add/Remove programs and found MIRC installed so apparently part of the file was executed. However, the 406.reg file adds the trojan to the run key and the folder that this key points to does not exist which is why I was under the impression that it had not executed. Thanks to everyone that responded.

Les Ault

======= At 2003-04-18, 00:16:00 you wrote: =======
Hi,

It's just one of the many "IRC/Flood" bot variants ... I have - maybe - the same sample (MD5 of SYSNET32.EXE: e9965ab04702d270ba59056d012ffb0f) here. Kaspersky Anti-Virus (www.kaspersky.com) identifies the files in the SYSNET32 archive as follows:

SYSNET32.EXE packed: UPX
SYSNET32.EXE archive: RAR
SYSNET32.EXE/archive comment ok.
SYSNET32.EXE/21.txt ok.
SYSNET32.EXE/21ftp.txt ok.
SYSNET32.EXE/80.txt ok.
SYSNET32.EXE/80c.txt ok.
SYSNET32.EXE/scripts.txt ok.
SYSNET32.EXE/unicodbag.txt infected: Exploit.IIS.WebDir
SYSNET32.EXE/users2.txt ok.
SYSNET32.EXE/cisco.ini infected: Backdoor.IRC.Microb
SYSNET32.EXE/drx2.inf ok.
SYSNET32.EXE/NetworkChecker.exe packed: UPX
SYSNET32.EXE/NetworkChecker.exe infected: not-a-virus:Tool.HideWindows
SYSNET32.EXE/sysnet32.exe packed: ASPack
SYSNET32.EXE/sysnet32.exe infected: not-a-virus:mIRC.5.82
SYSNET32.EXE/dll/aftp.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/bnc.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/clone.dll infected: Backdoor.IRC.Mox
SYSNET32.EXE/dll/main.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/master.dll infected: Backdoor.IRC.Bnc.g
SYSNET32.EXE/dll/run.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/scan.dll infected: Backdoor.IRC.Microb
SYSNET32.EXE/dll/scripts.dll infected: Backdoor.IRC.Mox
SYSNET32.EXE/dll/servscan.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/Sysinfo.dll infected: not-a-virus:Tool.Win32.Moo
SYSNET32.EXE/dll/update.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/user.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/dll/vars.dll infected: Backdoor.IRC.Bnc.g
SYSNET32.EXE/ACSFX.DRV infected: Backdoor.IRC.Flood.ap
SYSNET32.EXE/406.reg ok.
SYSNET32.EXE/Answer.txt ok.

McAfee detects most of the files as "IRC/Flood.y": http://vil.nai.com/vil/content/v_99923.htm

Regards,
Axel Pettinger

-------- Original Message --------
Subject: Trojan found...
Date: Tue, 15 Apr 2003 19:24:49 -0500
From: Les Ault <aultl () comcast net>
To: "incidents () securityfocus org" <incidents () securityfocus org>

Whilst patching my webserver this morning I found the following files in the root directory of my webserver. Has anyone seen this trojan before? I have done some googling and checked the securityfocus website with no luck. It appears to use the unicode IIS exploit. I only got hit because I just re-installed IIS yesterday :), needless to say the trojan did not execute as I have done some very basic checking and no registry keys have been created and the folder the trojan installed to was never created. I found it approximately 30 minutes after it was downloaded, according to the file time stamp.

C:\test.scr
C:\tests.scr
C:\tesst.scr
C:\sysnet32.exe
[snip..]
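Two checks from the thread lend themselves to a small triage script: turning the one-verdict-per-line scanner listing Axel quoted into a summary, and doing the test Les describes of whether a Run-key entry dropped by a .reg file points at something that actually exists on disk. The following is an added example written for this archive page, not code from either poster; the scan listing is a constructed subset of the quoted lines, and the .reg fragment, its value name and the drop path C:\EXAMPLE_DROP_DIR are placeholders, since the thread does not show the contents of 406.reg.

```python
import os
import re
from collections import Counter

# Constructed sample in the scanner-listing format quoted in the thread
# (a subset of the quoted lines; the verdict keywords are the scanner's).
SCAN_LISTING = """\
SYSNET32.EXE packed: UPX
SYSNET32.EXE archive: RAR
SYSNET32.EXE/21.txt ok.
SYSNET32.EXE/unicodbag.txt infected: Exploit.IIS.WebDir
SYSNET32.EXE/cisco.ini infected: Backdoor.IRC.Microb
SYSNET32.EXE/NetworkChecker.exe packed: UPX
SYSNET32.EXE/NetworkChecker.exe infected: not-a-virus:Tool.HideWindows
SYSNET32.EXE/dll/bnc.dll infected: Backdoor.IRC.Bnc.l
SYSNET32.EXE/406.reg ok.
"""

# Constructed .reg fragment standing in for the thread's 406.reg; the value
# name and the drop path are placeholders, not taken from the sample.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"="C:\\EXAMPLE_DROP_DIR\\sysnet32.exe"
"""

SCAN_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?P<verdict>ok|packed|archive|infected)[.:]\s*(?P<detail>.*)$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_scan_listing(text):
    """Turn one-verdict-per-line scanner output into path/verdict/detail records."""
    records = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize_scan(records):
    """Count verdicts and list the distinct detection names for infected entries."""
    counts = Counter(r["verdict"] for r in records)
    names = sorted({r["detail"] for r in records if r["verdict"] == "infected"})
    return {"counts": dict(counts), "detections": names}


def run_key_entries(reg_text):
    """Return (key, value_name, target_path) for values under a Run or RunOnce key."""
    entries = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            current = k.group("key")
            continue
        v = REG_VALUE.match(line)
        if v and current and current.upper().endswith(("\\RUN", "\\RUNONCE")):
            # .reg files escape each backslash as a pair; collapse them back.
            target = v.group("value").replace("\\\\", "\\")
            entries.append((current, v.group("name"), target))
    return entries


def check_persistence(reg_text, exists=os.path.exists):
    """Report whether each Run-key target, and the folder it sits in, exists.

    `exists` is injectable so the check can run against a mounted image or in
    a test; the default inspects the local filesystem.
    """
    report = []
    for key, name, target in run_key_entries(reg_text):
        report.append({
            "key": key,
            "name": name,
            "target": target,
            "target_exists": exists(target),
            "folder_exists": exists(target.rsplit("\\", 1)[0]),
        })
    return report


if __name__ == "__main__":
    print(summarize_scan(parse_scan_listing(SCAN_LISTING)))
    # Simulate the situation in the thread: the Run key is present but the
    # folder it points to was never created.
    for row in check_persistence(REG_SAMPLE, exists=lambda p: False):
        print(row)
```

A missing folder only shows that the copy step of the dropper did not complete; as the thread itself illustrates, other components of the archive (here, the mIRC install) can still have run, so the Run-key check belongs alongside a look at installed programs, process listings and the file timestamps rather than standing in for them.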
Current thread:
- Trojan found... Les Ault (Apr 17)
- Re: Trojan found... Harlan Carvey (Apr 19)
- <Possible follow-ups>
- Re: Trojan found... Les Ault (Apr 19)
- Re: Trojan found... aladin168 (Apr 24)
- Re: Trojan found... Patrick Nolan (Apr 25)