Re: Trojan found...

[Les Ault <aultl () comcast net>]

  This is the file list contained in the archive. I checked Add/Remove programs and found MIRC installed so appearently 
part of the file was executed. However, the 406.reg file adds the trojan to the run key and the folder that this key 
points to
does not exist which is why I was under the impression that it had not executed.  Thanks to everyone that responded.

Les Ault

       
======= At 2003-04-18, 00:16:00 you wrote: =======

> Hi,
>
> It just one of the many "IRC/Flood" bot variants ...
>
> I have - maybe - the same sample (MD5 of SYSNET32.EXE:
> e9965ab04702d270ba59056d012ffb0f) here. Kaspersky Anti-Virus 
> (www.kaspersky.com) identifies the files in the SYSNET32 archive as 
> follows:
>
> SYSNET32.EXE   packed: UPX
> SYSNET32.EXE   archive: RAR
> SYSNET32.EXE/archive comment   ok.
> SYSNET32.EXE/21.txt    ok.
> SYSNET32.EXE/21ftp.txt ok.
> SYSNET32.EXE/80.txt    ok.
> SYSNET32.EXE/80c.txt   ok.
> SYSNET32.EXE/scripts.txt       ok.
> SYSNET32.EXE/unicodbag.txt     infected: Exploit.IIS.WebDir
> SYSNET32.EXE/users2.txt        ok.
> SYSNET32.EXE/cisco.ini infected: Backdoor.IRC.Microb
> SYSNET32.EXE/drx2.inf  ok.
> SYSNET32.EXE/NetworkChecker.exe        packed: UPX
> SYSNET32.EXE/NetworkChecker.exe        infected: not-a-virus:Tool.HideWindows
> SYSNET32.EXE/sysnet32.exe      packed: ASPack
> SYSNET32.EXE/sysnet32.exe      infected: not-a-virus:mIRC.5.82
> SYSNET32.EXE/dll/aftp.dll      infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/bnc.dll       infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/clone.dll     infected: Backdoor.IRC.Mox
> SYSNET32.EXE/dll/main.dll      infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/master.dll    infected: Backdoor.IRC.Bnc.g
> SYSNET32.EXE/dll/run.dll       infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/scan.dll      infected: Backdoor.IRC.Microb
> SYSNET32.EXE/dll/scripts.dll   infected: Backdoor.IRC.Mox
> SYSNET32.EXE/dll/servscan.dll  infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/Sysinfo.dll       infected: not-a-virus:Tool.Win32.Moo
> SYSNET32.EXE/dll/update.dll    infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/user.dll      infected: Backdoor.IRC.Bnc.l
> SYSNET32.EXE/dll/vars.dll      infected: Backdoor.IRC.Bnc.g
> SYSNET32.EXE/ACSFX.DRV infected: Backdoor.IRC.Flood.ap
> SYSNET32.EXE/406.reg   ok.
> SYSNET32.EXE/Answer.txt        ok.
>
> McAfee detects the most of the files as "IRC/Flood.y":
> http://vil.nai.com/vil/content/v_99923.htm
>
> Regards,
> Axel Pettinger
>
>
>
> -------- Original Message --------
> Subject: Trojan found...
> Date: Tue, 15 Apr 2003 19:24:49 -0500
> From: Les Ault <aultl () comcast net>
> To: "incidents () securityfocus org" <incidents () securityfocus org>
>
> Whilst patching my webserver this morning I found the following files in the root directory of my webserver.
> Has anyone seen this trojan before? I have done some googling and checked the securityfocus website with no luck.
> It appears to use the unicode IIS exploit. I only got hit because I just re-installed IIS yesterday :), needless to 
> say the
> trojan did not execute as I have done some very basic checking and no registry keys have been created and the folder 
> the trojan installed to was never created. I found it approximately 30 minutes after it was downloaded, according to 
> the file time stamp.
>
> C:\test.scr
> C:\tests.scr
> C:\tesst.scr
> C:\sysnet32.exe
[snip..]




----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------