Security Incidents mailing list archives

RE: New Trojan

From: John Ives <jives () socrates Berkeley EDU>
Date: Sat, 25 Oct 2003 19:27:42 -0700 (PDT)


As has already been mentioned the colon means that it was stored in an
Alternate Data Stream.  Since I don't have anything to add in that
respect, I will suggest a tool for getting to the ADS.  As a part of this
GCWN practical assignment, Ryan Means wrote a Windows Shell Extension for
finding, saving or deleting streams.  The tool (w/ source) can be found at
http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.zip and the
accompanying paper, with a discussion of streams and the tool can be found
at http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf.  Ryan really
did a good job on the paper, and I've been using the tool for a few months
without problem.  In case you are wondering the tool is not a stand-alone
tool and must be installed on the system, but it still can be useful.

John

On Sat, 25 Oct 2003, Jerry Heidtke wrote:


The trojan is stored in an Alternate Data Stream attached to your C:\WINNT\system32 directory. Most 
anti-virus/anti-trojan scanners will not be able to detect it there, just as you will not be able to see it in a 
normal directory listing.

There are tools available to let you see and manipulate an Alternate Data Stream. You may be able to delete it by:

1. killing the process with Task Manager (or pskill.exe from www.sysinternals.com if Task Manager can't do it),
2. deleting the registry keys
3. type the following at a command prompt: "echo . > C:\WINNT\system32:acbdhpd.dll (or find a tool to directly delete 
it, search google for "ntfs+ads"

Hope this helps.

Jerry

-----Original Message-----
From: Jay Castaldo [mailto:fupayme2003 () hotmail com]
Sent: Saturday, October 25, 2003 3:18 AM
To: incidents () securityfocus com
Subject: New Trojan




I don't know if this is a new trojan or anything, but I have tried doing some research on the Internet and couldn't 
find anything on it. Well it has two registry entries in my Run, and RunOnce.  Here is the name of both keys acbdhpd 
and the values are pointing to a file1129 I can not seem to find rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.  I 
tried killing my explorer.exe to see if that is reason I can't find it because I am most likely using a trojanized 
explorer.exe, but I could only find a copy in my temp, I delete through DOS and delete the registry entries to no 
success, the registry keys appear within 30 seconds and the file pops right back up.  Anybody seen this or can give 
me some help to get this out without reloading? It has also opened up two TCP, 3799, and 41225 and two UDP ports, 
1129, 1241.  Thanks

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------


Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Current thread:

RE: New Trojan, (continued)
- RE: New Trojan Rob Shein (Oct 25)
  - RE: New Trojan Tiago Halm (Oct 26)
- Re: New Trojan Damian Gerow (Oct 27)
  - RE: New Trojan Rob Shein (Oct 28)
    - Re: New Trojan Damian Gerow (Oct 28)
  - Re: New Trojan Brian Eckman (Oct 28)
    - Re: New Trojan Damian Gerow (Oct 28)
  - Re: New Trojan Damian Gerow (Oct 28)
    - Re: New Trojan Russell Fulton (Oct 28)
- RE: New Trojan Jerry Heidtke (Oct 25)
  - RE: New Trojan John Ives (Oct 26)
- Re: New Trojan Grzegorz (Oct 25)
  - Re: New Trojan Harlan Carvey (Oct 27)
- Re: New Trojan sean (Oct 25)
- Re: New Trojan Jay Castaldo (Oct 27)
  - Re: New Trojan Damian Gerow (Oct 27)
  - RE: New Trojan Chris Fussell (Oct 27)
- RE: New Trojan Tran, John (Oct 27)
  - Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Matt Vaughan (Oct 28)
- Re: New Trojan Jay Castaldo (Oct 28)

(Thread continues...)