New Trojan Found
Zach Echlin
June 17th, 2003, 03:37 AM
I began working on a computer today running Windows 2000 SP3 that had some strange problems. The user complained that ZoneAlarm would not start up on this computer.
I started looking through his computer. After just a few minutes I found programs that were using funny names to start up, like serany.exe, task32.exe and server.exe. Norton Antivirus wasn’t checking any of these files, so I downloaded TDS. After installing it and scanning, it found numerous files that contained the RAT Trojan.
One of the files it found was in a folder named c:\winnt\system32\dhcp\files. When I went and opened this folder I found a bunch of other files, which I have zipped in a folder and uploaded to my website. It can be downloaded at
[Link removed. Available by request to AV and AT vendors only. - Pieter]
I've deleted the services that this Trojan creates. I cleaned up the startup entries that it put in the registry. The trouble is that when I start up the computer it still kills the Norton AntiVirus and ZoneAlarm processes.
Using TCPView and Process Explorer from Sysinternals I’ve removed all the suspicious files accessing the Internet. I don’t think the Trojan is fully removed. Should I just reformat the computer and start over? What do the files in the possible-trojan.zip do? I hope I'm making sense. If not, please ask me to clarify. Thanks in advance for your help.
--
Zach Echlin
Pieter_Arntz
June 17th, 2003, 03:49 AM
Hi Zach,
I removed the download link in your post because it is against our TOS.
I have made it available to DiamondCS and Eset.
Other AV and AT vendors can contact me by IM to get the link.
Regards,
Pieter
Gavin - DiamondCS
June 17th, 2003, 11:02 AM
Thanks, I'm not at work and will need a little sleep soon, but I trust I can get a copy tomorrow :) We'll let you know what to do.
If there is a folder created by a trojan like that then it probably contains only scripts and other trojan files, which can all be deleted. For now just kill any running EXE files in there. Then there isn't really a danger, since you know what you are doing. You might like Port Explorer ;D
Gavin - DiamondCS
June 17th, 2003, 11:10 PM
Hi,
Yes this is a trojan, delete the entire folder "files" inside your
Windows\System32\dhcp\
It is mIRC based and uses a vulnerability scanner, xScan, to find more machines. Immediately set a STRONG Admin password on your machine.. well, on all accounts, and delete any accounts you don't recognise. This thing uses your machine to scan for more people with no/weak admin password and infect them too >:(
Disable the guest account as well if you have it enabled!
Gavin - DiamondCS
June 17th, 2003, 11:17 PM
This is looking nastier the more I look at it..
Email me (gavin@diamondcs.com.au) if you need more help. A lot of changes were effected once your machine was taken. If possible a backup or format would be good; if you can do this easily it might be best :) Then you can secure the machine properly before anything like this happens again.
Gavin - DiamondCS
June 17th, 2003, 11:33 PM
You had better email me this ::)
C:\winnt\system32\server.exe
And if there is a service called New VDL System Control Verifier then stop and disable it.. if you can't find this then I'll probably be recommending a format when you email me :-\
Mr.Blaze
June 18th, 2003, 12:24 AM
:o wow, that's one major nasty
ekkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
I'm scared. Is this a new nasty or an old one?
'Cause that's some scary stuff
Wayne - DiamondCS
June 18th, 2003, 12:33 AM
In case some people are wondering 'why format? why not just try to disinfect?', one problem with a highly compromised machine is that you don't know what other compromises have been made as a result of the initial one. In other words, being infected by one trojan often opens the door for hackers to execute anything on your system so one attack vector can create many others, and as there is no concrete way to determine what other malicious software has been executed, the only way to ensure your system is restored to a clean state is to format and reinstall the operating system. This isn't so much a problem with viruses as they rarely open other attack vectors, their goal is simply to infect and spread, not to give access to hackers as trojans do.
Mr.Blaze
June 18th, 2003, 12:41 AM
:'( so basically your PC has AIDS or cancer, it spread all over, that sux
:( I'm so sorry for anyone that gets this
:-\ but Wayne, my PC with my fully upgraded TDS and updated database with execution protection enabled would protect me from that nasty, right?
Gavin - DiamondCS
June 18th, 2003, 01:26 AM
This trojan has about 100 files. I can tell exactly what it is: a growing threat facing NT/2000/XP users these days. It's setting the victim machine up as a fileserver for XDCC bots on IRC channels. This one also uses a vulnerability scanner to find more machines with no ADMIN password, or a weak password, or a guest account enabled.
If you haven't deleted the files yet, or are going to format anyway Zach.. try running
Windows\System32\dhcp\files\copy\remall.bat
This is included by the hackers to enable removal of services they added, users, turning off the terminal server and more. I'm not yet sure of the extent of removal from this, but there will surely be some things left over or not right.
This analysis will take a great deal of time, so Zach, best to email me and we will keep up to date on your status. If you don't want to format perhaps you won't NEED to, although it's recommended for reasons mentioned by Wayne above.
STRONG ADMIN passwords please, NT/2000/XP people! Especially you .EDUs, which are the prime target of XDCC hackers :-\
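Gavin's steps in the posts above (delete the dropped folder, stop and disable the named service, set a strong Administrator password, disable Guest, remove accounts you don't recognise) gathered into one audit script. This is an added example, not code from the thread or from DiamondCS. It assumes a current Windows host with PowerShell 5.1 or later, run from an elevated prompt; the Windows 2000 machine in the thread predates PowerShell, so it could not have been run there. The folder path, file names and service name come from the posts; the Run keys and local-account cmdlets are standard Windows locations and are not mentioned in the thread.

```powershell
# Added triage script, not code from the thread or from DiamondCS.
# Audits a Windows host for the indicators named in this thread and for the
# account weaknesses the trojan abused. Assumes PowerShell 5.1 or later on a
# current Windows host and an elevated prompt (Windows 2000 had no PowerShell).

# Indicators quoted from the posts above: dropped folder, file names, service name.
$DroppedFolder  = Join-Path $env:SystemRoot 'System32\dhcp\files'
$SuspectFiles   = @('server.exe', 'serany.exe', 'task32.exe')
$SuspectService = 'New VDL System Control Verifier'

# Autostart locations to list for review; the odd file names were startup entries.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function New-Finding([string]$Category, [string]$Target, [string]$Detail, [string]$Action) {
    [pscustomobject]@{ Category = $Category; Target = $Target; Detail = $Detail; Action = $Action }
}

function Get-CompromiseFindings {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. Dropped folder and the file names from the thread, under System32.
    if (Test-Path -LiteralPath $DroppedFolder) {
        $findings += New-Finding 'File' $DroppedFolder 'Trojan drop folder present' 'Preserve a copy for analysis, then delete the folder'
    }
    foreach ($name in $SuspectFiles) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $path) {
            $findings += New-Finding 'File' $path 'Suspect file name present' 'Submit to AV vendor; end the process and remove'
        }
    }

    # 2. The service the trojan installed, matched by display name or service name.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -eq $SuspectService -or $_.Name -eq $SuspectService }
    foreach ($s in $services) {
        $findings += New-Finding 'Service' $s.Name "$($s.State), $($s.StartMode): $($s.PathName)" 'Stop and disable'
    }

    # 3. Every autostart entry, listed in full so unrecognised names stand out.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($valueName in $regKey.Property) {
            $command = [string]$regKey.GetValue($valueName)
            $findings += New-Finding 'Autorun' "$key\$valueName" $command 'Review; remove if unrecognised'
        }
    }

    # 4. Local accounts: Guest enabled, accounts that need no password (the
    #    blank-Administrator case the scanner looked for), and every other
    #    enabled account so unknown ones can be spotted and deleted.
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }
        if ($u.Name -eq 'Guest') {
            $findings += New-Finding 'Account' $u.Name 'Guest account enabled' 'Disable'
        } elseif (-not $u.PasswordRequired) {
            $findings += New-Finding 'Account' $u.Name 'Enabled account does not require a password' 'Set a strong password or disable'
        } else {
            $findings += New-Finding 'Account' $u.Name 'Enabled local account' 'Confirm it is recognised; delete if not'
        }
    }
    return $findings
}

function Invoke-Remediation {
    # Applies only the two fixes the thread states outright: stop and disable the
    # named service, and disable Guest. File and account deletions stay manual.
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Findings = @())
    foreach ($f in $Findings) {
        if ($f.Category -eq 'Service' -and $PSCmdlet.ShouldProcess($f.Target, 'Stop and disable service')) {
            Stop-Service -Name $f.Target -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $f.Target -StartupType Disabled
        }
        if ($f.Category -eq 'Account' -and $f.Target -eq 'Guest' -and $PSCmdlet.ShouldProcess('Guest', 'Disable account')) {
            Disable-LocalUser -Name 'Guest'
        }
    }
}

$report = Get-CompromiseFindings
$report | Sort-Object Category | Format-Table -AutoSize -Wrap
# Preview the fixes first; drop -WhatIf to apply them.
Invoke-Remediation -Findings $report -WhatIf
```

Run it audit-first: the table lists every enabled local account and every Run-key entry, which is what makes the unrecognised ones visible, and `Invoke-Remediation -WhatIf` shows what would change before anything is touched. `Get-LocalUser` does not apply on a domain controller, and a clean audit does not replace the rebuild Wayne recommends above; it only tells you what the thread's indicators say about this host.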
Dan Perez
June 18th, 2003, 03:35 AM
I had occasion once to support a department of an edu (in this case a Class C net) and it was policy to forbid the use of firewalls (or even NAT) in order to preserve some right or another (I never did understand the rationale, I was too busy being horrified by the implications!)
Pilli
June 18th, 2003, 05:18 AM
Gavin or Wayne, As XP has a system restore capability, will using it to a time prior to infection (if known) get rid of the problem? Or can these Trojans still reactivate?
Personally I make regular disk images after doing full virus, trojan, spyware scans & a disk clean up. This is useful when system restore won't work especially when beta testing ;D
Gavin - DiamondCS
June 19th, 2003, 12:19 AM
I think that would remove it, since the registry at that time wouldn't have all the services installed. The files could be deleted and a strong Admin password set, then we could carefully check if any components were left behind..
Zach, if you still have the machine in that state, I found reference to a few more files it has installed, so I would love a copy if possible :)
wizardavc
June 23rd, 2003, 12:37 AM
Quoting Wayne - DiamondCS:
"This isn't so much a problem with viruses as they rarely open other attack vectors, their goal is simply to infect and spread, not to give access to hackers as trojans do."
Isn't "attackers" a better word than hackers? Most people who use trojans on others are script kiddies, not hackers.
Wayne - DiamondCS
June 23rd, 2003, 12:52 AM
Ahh I wish I had as much spare time as you ... :)
Gavin - DiamondCS
June 23rd, 2003, 01:00 AM
This "trojan" is effectively a HACK kit, so not in this case :)
The trojan in question is simply an automation of what could be done manually, and surely would be best called a hack - isn't that what you would call connecting to port 445 for a null password or dictionary attack on the Administrator account ?
This takes it further, being automated and becoming somewhat like a worm, but it is simply an automated hack, sorry ;D
Copyright ©2002 - 2012, Wilders Security Forums