New Backdoor Trojan ????

Discussion in 'malware problems & news' started by Smokey, Apr 26, 2002.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    :eek:
    Has anybody heard of a new backdoor trojan placed in a file called WINLOGON.EXE? o_O

    The original, non-trojan file WINLOGON.EXE is located in the directory \Windows\System32, size 424 KB, company: Microsoft.

    Discovered today by NAV on my XP-machine:

    WINLOGON.EXE, size 28.0 KB, located in directory: \Windows\System

    Virus info NAV: Backdoor Trojan
    No additional information

    Strange is that TDS 3.2.1 didn't recognize this file as being a trojan... o_O

    Smokey
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hello Smokey,

    A file name doesn't mean anything, since many nasties have the ability to rename a (trojan) server into whatever they want to.

    Reading your post, you do have TDS3 installed. I presume the radius files are up to date, and you did perform a deep scan, all files and relevant options included? If so, please send a copy of the file to DCS for examination; feel free to cc us: support@wilders.org

    Finally: I presume you do have a firewall installed. Have you been alerted regarding unknown apps wanting to connect outbound - and does the log file reveal anything in this context?

    regards.

    paul
     
  3. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Hello Paul!

    Have just sent the files to DCS; it seems that a JScript script file is also involved with this Backdoor Trojan...

    Deep scan with TDS doesn't give any alarm!

    Use ZAP 3 as firewall; no abnormal activities.

    Sending you now the exe and the involved js file by email (support@wilders.org)

    Ciao, Smokey
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hello Smokey,

    Excuse me for asking, but how do you know this?

    Thus, no outbound attempts from (trojan) servers?

    Looking forward to it - we will report back asap.

    regards.

    paul
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Smokey,

    Both files received, and performed a deep scan using:

    - TDS3 anti-trojan
    - TrojanHunter anti-trojan
    - The Cleaner anti-trojan
    - Tauscan anti-trojan
    - NOD32 anti-virus
    - Dr.Web anti-virus
    - PC-Cillin anti-virus

    Both files came out clean.

    Performed an ANSI string search:

    153: 59295011.exe
    413: C:\WINDOWS\system\winlogon.exe
    673: SYSTEM
    723: WERKGROEP
    773: XXX (your name)
    835: Backdoor.Trojan
    8142: W1w=K?w
    8158: W1wWH<w
    18885: S,G-Hh
    20965: 333333333333
    21445: oooooooooooo
    21907: oooooooooooooo
    22218: ooooooo
    22786: ooooooooooooooo
    23010: ooooooooooooooo
    23221: oooooooooooo
    23462: ooooooooooo
    25664: <aaaa

    and:

    153: 59295011.js
    673: SYSTEM
    723: WERKGROEP
    773: XXX (your name)

    Thus, so far it seems to point to a false positive, as far as these specific files are concerned. Since they have been quarantined, essential info probably has been zeroed. Nevertheless, I would recommend waiting for the DCS analysis - results probably beginning next week.

    Seems to me, NAV caught it first - and by quarantining made them harmless. Thus, neither TDS nor any other anti-trojan/anti-virus would alert on these files anymore.

    regards.

    paul
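The two checks the thread applies by hand, Paul's "ANSI string" dump with byte offsets and Smokey's observation that the genuine winlogon.exe lives in \Windows\System32 rather than \Windows\System, can be reproduced in a few lines. The script below is an added example and is not code from the thread, from DCS or from any scanner named above. The sample file is constructed: a zero-filled buffer with the strings from Paul's dump written at the offsets he reported (the redacted entry at 773 is left out), not the real quarantined file. The list of system binary names and the set of expected directories are assumptions of this example, chosen to illustrate the location check.

```python
import re

# Minimum run of printable bytes to report, matching the default of the `strings` tool.
MIN_LEN = 4

# Printable 7-bit ASCII (space through '~'): the "ANSI" character set of the dump.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def ansi_strings(data: bytes, min_len: int = MIN_LEN):
    """Return [(offset, text), ...] for every run of >= min_len printable ASCII bytes."""
    pattern = _ASCII_RUN if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


# Windows system process names that malware commonly borrows.
# Illustrative list: an assumption of this example, not taken from the thread.
SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}

# Directories (drive letter stripped, lower-cased) where the genuine copies live on
# NT-family Windows. Also an assumption of this example.
EXPECTED_DIRS = {r"windows\system32", r"winnt\system32"}

# Drive letter, directory part, file name.
_WIN_PATH = re.compile(r"^[a-z]:\\(.+)\\([^\\]+)$", re.IGNORECASE)


def suspicious_paths(strings):
    """Flag path strings whose file name is a system binary but whose directory is not System32.

    A reference to winlogon.exe under \\Windows\\System instead of \\Windows\\System32 is a
    masquerade candidate regardless of whether any scanner flags the bytes themselves.
    """
    flagged = []
    for offset, text in strings:
        m = _WIN_PATH.match(text)
        if not m:
            continue
        directory, name = m.group(1).lower(), m.group(2).lower()
        if name in SYSTEM_BINARIES and directory not in EXPECTED_DIRS:
            flagged.append((offset, text))
    return flagged


def build_sample() -> bytes:
    """Constructed stand-in for the quarantined file (NOT the real sample).

    Zero-filled buffer with the strings from the post's dump placed at the offsets it
    reported; the rest of the file content is unknown and is simply left as zeros.
    """
    buf = bytearray(1024)
    buf[0:2] = b"MZ"  # DOS header magic; two bytes, too short to be reported as a string
    for offset, text in [
        (153, b"59295011.exe"),
        (413, b"C:\\WINDOWS\\system\\winlogon.exe"),
        (673, b"SYSTEM"),
        (723, b"WERKGROEP"),
        (835, b"Backdoor.Trojan"),
    ]:
        buf[offset:offset + len(text)] = text
    return bytes(buf)


if __name__ == "__main__":
    found = ansi_strings(build_sample())
    for offset, text in found:
        print(f"{offset}: {text}")
    for offset, text in suspicious_paths(found):
        print(f"masquerade candidate at {offset}: {text}")
```

Run against a real file, replace `build_sample()` with `open(path, "rb").read()`. The offsets printed are what a hex editor would show for the same strings, which is how the `153:` and `413:` figures in the dump above should be read. Note that the location check only reasons about path strings found inside the file; confirming an on-disk masquerade still means comparing the file's actual directory and size against the genuine System32 copy, as the first post does.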
     
  6. Dan Perez

    Dan Perez Guest

    This is very interesting! Were you previously infected by Klez? I had to cleanup a network last night that was heavily hit by Klez.H and one of the symptoms I was seeing on multiple machines before I cleaned it up was that winlogon.exe was taking up 95+% of resources (the machines were Win2K). I had assumed at the time that this was due to the file being infected with the Elkern dropper. In any case, each machine had 300+ instances of Elkern (both varieties) and one (a zip archive) had the Klez.H. Due to the files that had to be deleted during the cleanup I went ahead and reapplied SP2 afterward which possibly overwrote a trojan winlogon.exe. Could there be another (in this case trojan) dropper in these latest Klez variants?
     
  7. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    YES, Klez.I

    Klez.I also randomly overwrites executable files in the system and releases a polymorphic virus called W32/Elkern.C, which is capable of infecting a large number of files. All of this may not cause visible damage during the initial phases of the attack, so the user might not realize that they have been hit. In the longer term, however, an infection from this virus could cause problems which prevent the computer from functioning properly. Klez.I can even block some applications which are in memory when the attack takes place.


    Technodrome
     
  8. Dan Perez

    Dan Perez Guest

    Yes, but does Klez.I include a trojan dropper? The Elkern dropper is not a trojan and was used by Klez.H and, I believe, Klez.E.

    TIA
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Smokey,

    That's what has happened IMO.

    regards,

    paul
     