Security Incidents mailing list archives
Re: New/old Trojan?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 26 Nov 2004 19:32:24 -0800 (PST)
Paulo,
> ...Sygate firewall detected this weird application trying to connect to remote site atm-bank.ru, tried looking on Google for Mmnkijia.exe and could not find anything on it,

This isn't surprising, really. Files can be named anything on Windows systems, and many bits of malware install themselves with random names.

> this application hides itself in the folder when using Windows Explorer to view the folder C:\WINNT\system32\ the file would not show up,

Is the same true for 'dir'? How about if you map the C:\ drive remotely and then look for the file? Sounds like this malware may have rootkit-like qualities. Given your later description involving a DLL, I'd think it would be a user-mode rootkit, using DLL injection.

> using TCPView from Sysinternals I found several ports open: <Non-existant Process>:976 TCP xfiles:247 xfiles:0 LISTENING (searched on Google and said this was a service called subntbcst_tftp)

This can often be misleading. Many times, people just don't seem to understand that these things can be bound to any port, so using a list of "well-known" ports can be useless.

> (TCPView.exe would crash when I attempted to kill the process; when I reopened it those ports would still be open. I think I managed to kill the process one time or crashed it somehow, and a few minutes later it got back up and running)

Well, if TCPView is unable to get the process name or PID, there may be trouble when trying to kill the process, so this isn't unexpected. Did you try using any other tools, such as fport or openports?

> I loaded up Windows in Safe Mode with command prompt and from there the file would be visible. I also found a DLL file which the exe uses called Mngepfne.dll (maybe loaded to hide processes and files?). I backed these up for further examination and removed them from the system32 folder; this seemed to fix the problem for now and all the ports are closed, but I've got no idea where it came from!

Again, it sounds like it may be a user-mode rootkit of some kind. Given that it didn't seem to be effective when you booted to Safe Mode, I'd suggest checking the ubiquitous "Run" key in the Registry (now that you've removed the files, this shouldn't be a problem). This may have found its way onto your system via the browser or some other package. Since you said you use it for gaming, if you've got it online, the issue may be someone guessing your password following username enumeration. Without more information about your system, it's hard to tell. One thing to try is this...if you haven't added anything new to the system (haven't installed software), you may be able to get an idea of when this was installed by getting the LastWrite time from the "Run" key (or whichever key the malware wrote its presence to...)

> Later I checked the page atm-bank.ru and the index page says page not found, so my only guess is it accesses that web site and the owners of it can check the web server log files to find infected IPs. I did a whois on that server name and it's only a few months old, created: 2004.06.26. If anyone has info or would like a copy of the binary files to examine them, let me know.

It seems from your logs that all you captured was the SYN packet, the initial packet for TCP communications. To see which page the malware was requesting, you'd have to let the process connect and complete the TCP handshake, then request the page it wants.

> I'm thinking of maybe installing Snort on the Windows system and reactivating the trojan to see what happens. I would like to learn more on Windows forensics; any tips or other software good to be used to gather/examine data?

Uh...get my book?? ;-) If you have copies of the files, I'd appreciate copies.

Harlan

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup."
"The simplicity of this game amuses me. Bring me your finest meats and cheeses."
------------------------------------------
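The "Run" key check and LastWrite timestamp suggested in the reply above, as an added PowerShell example (not code from the original thread or its authors). It assumes Windows PowerShell 3.0 or later and calls the Win32 RegQueryInfoKey function through P/Invoke, because the registry provider itself does not expose a key's LastWrite time:

```powershell
# Added example (not from the original post): list the autostart entries in the
# HKLM and HKCU "Run" keys together with each key's LastWrite time, the timestamp
# Harlan suggests for estimating when the malware registered itself.
# Assumes Windows PowerShell 3.0+; Get-Item does not expose a registry key's
# LastWrite time, so RegQueryInfoKey is called through P/Invoke.
Add-Type -Namespace RegTime -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RunKeyLastWrite {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    $key = $Hive.OpenSubKey($SubKey)
    if (-not $key) { return $null }   # key absent in this hive
    try {
        $class = New-Object System.Text.StringBuilder 256
        [uint32]$cbClass = $class.Capacity
        [uint32]$subKeys = 0; [uint32]$maxSub = 0; [uint32]$maxClass = 0; [uint32]$values = 0
        [uint32]$maxName = 0; [uint32]$maxData = 0; [uint32]$sd = 0; [long]$ft = 0
        $rc = [RegTime.Native]::RegQueryInfoKey($key.Handle.DangerousGetHandle(), $class,
            [ref]$cbClass, [IntPtr]::Zero, [ref]$subKeys, [ref]$maxSub, [ref]$maxClass,
            [ref]$values, [ref]$maxName, [ref]$maxData, [ref]$sd, [ref]$ft)
        if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
        [PSCustomObject]@{
            Key          = "$($Hive.Name)\$SubKey"
            # FILETIME is 100 ns ticks since 1601-01-01 UTC; convert it to a DateTime
            LastWriteUtc = [DateTime]::FromFileTimeUtc($ft)
            Entries      = @($key.GetValueNames() | ForEach-Object {
                               [PSCustomObject]@{ Name = $_; Command = $key.GetValue($_) } })
        }
    } finally { $key.Close() }
}

# Both the machine-wide and the per-user Run keys are worth checking.
$runPath = 'Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($hive in [Microsoft.Win32.Registry]::LocalMachine, [Microsoft.Win32.Registry]::CurrentUser) {
    $info = Get-RunKeyLastWrite -Hive $hive -SubKey $runPath
    if ($info) {
        "{0}  (LastWrite {1:u})" -f $info.Key, $info.LastWriteUtc
        $info.Entries | Format-Table -AutoSize
    }
}
```

Comparing the key's LastWrite time with the creation timestamps of the backed-up binaries gives a rough installation window, as long as nothing else has written to that key since.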