Re: New/old Trojan?

[GuidoZ <uberguidoz () gmail com>]

There's a plethora of tools and information out there. If you're
serious about learning more on Windows forensics, my best
recommendation is a book by Harlan Carvey called "Windows Incident
Response". He has some info on it here: http://www.windows-ir.com

Harlan does frequent the SecFocus lists, so he may be on this one as
well. He's extremely helpful when asked a question. Try popping it up
in Security Basics - I know he monitors that one. Mention his book and
ask for help/info, hopefully he'll reply shortly. ;)

--
Peace. ~G


On Mon, 22 Nov 2004 05:06:34 -0600, nixsec <nixsec () area66 org> wrote:
> I usually use linux as operating system but for games i go with
> windows,i used this installation of windows 2000 SP4 around 6 times(Did
> not do Windows update cause didn't really care about the system since it
> was gaming only), and sygate firewall detected this weird application
> trying to connect to remote site atm-bank.ru, tried looking on google
> for Mmnkijia.exe and could not find anything on it, this application
> hides itself in the folder when using windows explorer to view the
> folder C:\WINNT\system32\ the file would not show up, using tcpview from
> sysinternals i found several ports open:
>
> <Non-existant Process>:976      TCP     xfiles:247      xfiles:0
> LISTENING  (searched on google and said this was a service called
> subntbcst_tftp)
> <Non-existant Process>:976      TCP     xfiles:18855    xfiles:0
> LISTENING
> <Non-existant Process>:976      TCP     xfiles:21134    xfiles:0
> LISTENING
> <Non-existant Process>:976      TCP     xfiles:38493    xfiles:0
> LISTENING
>
> (Tcpview.exe would crash when i attempted to kill the process, when i
> reopened it those ports would still be open i think i managed ot kill
> the process one time or crashed it somehow and few minutes later got
> back up and running)
>
> I loaded up windows in safe mode with command prompt and from there the
> file would be visible, i found also a DLL file which the exe uses called
> Mngepfne.dll (maybe loaded to hide processes and files?) , i backed
> these up for further examination  and removed them from the system32
> folder, this seemed to fix the problem for now and all the ports are
> closed, but i got no idea where it came from! Later i checked the page
> atm-bank.ru and the index page says page not found, so my only guess is
> it accesses that web site and the owners of it can check the web server
> log files to find infected IPs i did a whois on that server name and its
> a few months old only created:  2004.06.26. If anyone has info  or would
> like a copy of the binary files to examine them let me know.
>
> Sygate firewall log:
> C:\WINNT\system32\Mmnkijia.exe
> Parent Version :
> Parent Description :
> Parent Process ID :     0x394 (Heximal) 916 (Decimal)
>
> File Version :          5.0.2920.0
> File Description :      Internet Explorer (IEXPLORE.EXE)
> File Path :             C:\Program Files\Internet Explorer\IEXPLORE.EXE
> Process ID :            0x3D4 (Heximal) 980 (Decimal)
>
> Connection origin :     local initiated
> Protocol :              TCP
> Local Address :         192.168.1.102
> Local Port :            1046
> Remote Name :           atm-bank.ru
> Remote Address :        66.132.236.44
> Remote Port :           80 (HTTP - World Wide Web)
>
> Ethernet packet details:
> Ethernet II (Packet Length: 76)
>        Destination:    00-06-25-63-64-64
>        Source:         00-00-21-ff-8a-0d
> Type: IP (0x0800)
> Internet Protocol
>        Version: 4
>        Header Length: 20 bytes
>        Flags:
>                .1.. = Don't fragment: Set
>                ..0. = More fragments: Not set
>        Fragment offset:0
>        Time to live: 128
>        Protocol: 0x6 (TCP - Transmission Control Protocol)
>        Header checksum: 0x9209 (Correct)
>        Source: 192.168.1.102
>        Destination: 66.132.236.44
> Transmission Control Protocol (TCP)        Acknowledgment number: 0
>        Header length: 28
>        Flags:
>                0... .... = Congestion Window Reduce (CWR): Not set
>                .0.. .... = ECN-Echo: Not set
>                ..0. .... = Urgent: Not set
>                ...0 .... = Acknowledgment: Not set
>                .... 0... = Push: Not set
>                .... .0.. = Reset: Not set
>                .... ..1. = Syn: Set
>                .... ...0 = Fin: Not set
>        Checksum: 0x7128 (Correct)
>        Data (0 Bytes)
>
> Binary dump of the packet:
> 0000:  00 06 25 63 64 64 00 00 : 21 FF 8A 0D 08 00 45 00 | ..%cdd..!.....E.
> 0010:  00 30 00 77 40 00 80 06 : 09 92 C0 A8 01 66 42 84 | .0.w ()         fB.
> 0020:  EC 2C 04 16 00 50 A7 95 : 7D F3 00 00 00 00 70 02 | .,...P..}.....p.
> 0030:  40 00 28 71 00 00 02 04 : 05 B4 01 01 04 02 6B 02 | @.(q..........k.
> 0040:  72 75 00 00 01 00 01 39 : 2E 32 35 35             | ru.....9.255
>
>        Source port: 1046
>        Destination port: 80
>        Sequence number: 2811592179
>
> Im thinking of maybe installing snort on the windows system and
> reactivate the trojan to see what happens, would like to learn more on
> windows forensics, any tips or other software good to be used to
> gather/examine data ?
>
> Paulo Ferreira.