optix pro 1.2 problem

Discussion in 'Trojan Defence Suite' started by zak_dashiell, Feb 8, 2003.

Thread Status:
Not open for further replies.
  1. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    i have been hit by optix pro 1.2 (the name is based on the tds3 console) twice in the last couple of weeks. the first time it hit, i was not infected since my soft firewall (outpost free) warned me of an outgoing regsvr connection. so i was able to kill and delete the process with tds3. i scanned all hdd's and it came out clean.

    i was not so lucky the second time. i accidentally came about it when i did a regular scheduled complete scan of the hdd's. tds3 came out with this result (copied from scandump.txt):

    "Scan Control Dumped @ 12:35:20 08-02-03
    Positive identification: RAT.Optix Pro 1.2 Launcher
    File: c:\windows\winampw.exe"

    I deleted it from the console, did a rescan, came out clean and restarted the pc (i usually do this after an at, av and reg scan). i went on to the net but i get an error "windows cannot find iexplore.exe", and the same for all programs that i try to run. :'( :'(

    i cannot even open regedit nor cmd. tried to put in the winxp cd but even my ntloader (system commander) warned me of a bootsector/mbr change so "scan from dos". used my other pc to access the wilders forum and searched the thread on optix pro (by randy bell -thanks :) ) and cleaned it that way.

    anyway, my questions are:
    1. how do i get infected with this rat?
    2. how can i prevent getting infected short of not using my pc or using it half way?

    i use winxp pro on a Linksys router with tds3 on demand, nod32 on access, outpostfree on windows start up. msmsgs.exe and svchost.exe blocked by outpost. all ports are stealth as per grc.
     
  2. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Zak. The only way i know you can get a RAT is by downloading it or clicking on an attachment in email. If you are using Outlook or OE and use the preview, you can get infected by just picking up your email. There is also file sharing, infected CDs or floppies.
    I am not aware of any "unusual" way to get infected.
    Do you have kids or a wife that uses your machine?
    May I suggest you invest in some imaging software. It is invaluable in a situation such as this.
    Sorry to hear you got nailed so hard. :(
     
  3. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,

    As Root said this is a powerful Trojan. With many ways to infect.

    One suggestion I can make is to run TDS with Exec Protection enabled.

    This way it will stop the Trojan before it can infect your system; it’s much harder to clean after infection.

    You already know how to clean Optix but here is a good reference to get information, as well as using Randy’s good advice. :)

    http://www.diamondcs.com.au/web/alerts/optixpro.htm

    Regards
     
  4. FanJ

    FanJ Guest

    I second that.
    Use Execution Protection from TDS-3.
    And the Process Memory Space Scan by TDS-3 is really a good thing to do.
     
  5. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    i am very sorry that it took me this long to reply. i have been trying to access the forum for the last 4 hours and i keep getting timed out! is there something wrong?

    root,

    "you are using Outlook or OE and use the preview"

    yes but i only use my pop3 with work messages. does it mean that i got it from work attachments and someone in the office is infected with it? i also use web-based mails but i have never opened any of them since last month before deleting them (most that i got are spam anyway).

    "Do you have kids or a wife that uses your machine?"

    yes to both but my kids only used the infected pc to watch dvd and used the other pc to go to shockwave.com. the other pc that my wife uses for chat, webmail and general surfing was never infected!

    "you invest in some imaging software"

    i use acronis true image to make my images. i was really tempted to restore the image initially but what kept my itching fingers out of it is my curiosity to resolve this another way with your help, of course. i am just a newbie but wanted to learn :D

    "Sorry to hear you got nailed so hard"

    :'( :'( :'(


    grey_ghost,

    tds3 is configured for maximum protection at start up except for "boost tds process priority" and "process memory space scan".

    what really kept me wondering on the second infection was that when i started tds3, it never flashed the screen that a trojan is active in memory, unlike the first infection. is it because it was just a "launcher"?

    yes, exec protection is enabled.

    "You already know how to clean Optix but here is a good reference to get information, as well as using Randy’s good advice"

    i did go to the tds site first but i was more confused than helped. i did delete the trojan from the console as mentioned but that prevented me from running programs. it never mentioned what to do if such a situation happens. it said something about a "cleanrun.reg" but i do not know what it is for. remember, i am new to all of this.

    "it’s much harder to clean after infection"

    does this mean that i am not cleaned yet? :eek: :eek: tds3 said i am free, nod32 slept on the whole thing (it is trojan, remember :D ) and outpost never jumped yet. do i have to break out my images now?

    FanJ,

    only the Process Memory Space scan is not activated on tds startup. and tds autostart is also off. i use it as "on demand". i know that it should autostart but my pc has its limits. :(

    may i suggest that somebody post a definitive method to remove this powerful trojan just like what you did with opaserv for people like me?

    thanks everyone for all your feedback!!
     
  6. FanJ

    FanJ Guest

    Hi Zak,

    It is important to have a good anti-trojan running resident.
    In your case that is the Execution Protection part of TDS-3, for which indeed TDS-3 has to be started.
    You might choose the start-up manually or at system startup.
    I know that the Process Memory Space Scan takes a heavy load from your system during its processing.
    But it is an important part of TDS-3.
    What about this suggestion:
    Reboot your PC, start TDS-3 manually, and then do that Process Memory Space Scan manually. You can do that by:
    System Testing > Process Memory Scan.
    It might take some time before it is finished, maybe more than 10 minutes, but -as said- it really is a very important part of TDS-3.
    About my own set-up: I only run that Process Memory Space Scan manually, but one thing is for sure: I certainly DO run it!!!!!

    PS: I'm sure that Gavin/Wayne/Jason will jump in to help you further with that Optix-thing. I will send them a link to this thread.
     
  7. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    :eek: :eek: i might still not be clean after all!! i just did a reboot and when i opened ie6 it is not my homepage anymore but some "download free media codec" site with a .ru extension.

    help! help!
     
  8. FanJ

    FanJ Guest

    http://www.diamondcs.com.au/web/alerts/optixpro.htm

    Quote from that page (highlighting by me):
    [hr]

    Diamond Computer Systems Security Advisory
    ===============================

    RELEASE DATE: Fri, 5th April 2002
    RISING THREAT: Optix Pro Trojan

    This advisory is being released to help raise the awareness of a new trojan that is set to become a widespread attack tool of the underground in a matter of weeks. Optix Pro poses a great threat to the security of users worldwide, and it is already being hailed by underground users and those in the trojan "scene" as one of the best trojans ever created.

    Being a full-featured trojan, Optix Pro weighs in at 889,344 bytes before compression. This may be one factor that will slow the spread of this trojan. However, it will most likely be used after initial stealth infection by the small Optix Lite, a very popular "uploader trojan".


    DESCRIPTION

    Optix Pro has all the features common in today's Remote Access Trojans, and many more. Highly praised by the underground are the screen capture and webcam capture which are very clear and fast. The first release of Optix Pro came just 2 days ago at the time of this writing, released on the night of Wednesday April 3, 2002. Due to the stability, speed, and features of Optix Pro (not to mention its growing userbase) we anticipate that it will become the trojan of choice for many trojan users.

    Like Optix Lite, the Pro version has a security program terminator feature that, when activated, will close all popular security programs down every 60 seconds (Optix Lite cycled every 45 seconds). TDS-3 easily detects Optix Pro due to precision scanning techniques with advanced routines such as the critical Process Memory Space scanning. TDS-3 also has specific routines to target Optix Pro with file scanning; it would be extremely difficult (and probably not worth the hacker's effort) to infect a TDS-3 system with all protection enabled, even with highly modified Optix Pro servers. TDS-3 Execution Protection will use the advanced signatures and block the execution of Optix Pro servers, preventing the infection from occurring in the first place.

    In the unlikely event that a TDS-3 protected system is infected, users can simply rename TDS-3.EXE to be able to launch the application. Even a completely unknown trojan with this ability can be detected with the Process Memory Space scan as TDS-3 looks for such suspicious process terminating characteristics.


    SPECIFICATIONS


    Family Name: Optix
    Class: Remote Access Trojan (RAT)
    Compiler: Borland Delphi 5
    Author: s13az3, Evil Eye Software
    Known Variants: 1.0
    FileSize:
      Client v1.0 - 381,952 bytes (Compressed - UPX 1.20)
      EditServer v1.0 - 367,616 bytes (Compressed - UPX 1.20)
      Server v1.0 - 889,344 bytes - Not Compressed (before editing, editor adds 2 bytes)
      Server v1.0 UPX Compressed - 336,384 bytes
    Default Port: TCP 3410 (Configurable)
    Default Install: Copies itself to %windir%\spooll32.exe (Configurable)
    Default Autostart: REGISTRY - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "vscanner" (Configurable)
    Other Autostarts: Stealth method - copies itself as wmmiexe.exe to %WINDIR% and modifies the key at HKEY_CLASSES_ROOT\exefile\shell\open\command to read wmmiexe.exe "%1" %*
    This will run the server when any executable file is run.




    FEATURES

    Server Options - Server info, System info, steal passwords. Restart, close, remove server. Power options include Shutdown, suspend, logoff, reboot, bluescreen.

    File Options - Full file manager. New folder, upload/download, execute, delete, find, copy, paste, rename, view/set attributes, get size, set as wallpaper, play .wav file, display image.
    Process manager. View processes, kill processes.
    Window manager. View, close windows. Show/hide, bring to front, send to back.
    Registry manager. Add/delete/modify registry keys and values.


    Keyboard/Chat Options - Message boxes (any)
    Keylogger
    Client-Client chat (Multiple client connections available)
    Client-Victim chat (Matrix window)
    Send keys as if typed on remote keyboard

    Spy Options - Screen capture
    Webcam capture

    Fun options - Show/Hide clock, start button. Flash keyboard lights, open/close CDROM, monitor on/off, screensaver on/off, swap/restore mouse buttons, enable/disable keyboard/mouse, set Internet Explorer start page, send to URL, beep PC speaker 200 times.

    Notify Options - ICQ Notify, CGI online list, Email notify with inbuilt relay if selected. IRC notify.

    Firewall and Antivirus killing - The trojan contains an astounding 209 process names (or registry keys in special cases*) which are hard-coded into the server file, effectively covering all well known (and some not so well known) anti-virus programs, anti-trojan programs, firewalls, and process viewers/monitors. If the option to kill these programs is enabled, on execution of the trojan the user's defences are killed, and every 60 seconds the program checks the process list again for any of the names. Essentially this means all security programs known to the trojan (estimated to be around 80 programs) can be shut down and they cannot run again as the trojan will recognise them in the next scan 60 seconds later.

    *In some cases a process will not be terminated correctly. In this case, the trojan deletes the vital registry key that loads the program on startup, and there is an option to then force the PC to reboot.

    Infected removal instructions - Rename the filenames of your main programs (eg. TDS-3.EXE), and use that to kill the server. Stay offline while you do this. Simply run a Process File scan and TDS should detect Optix Pro, even if modified. Process Memory scan will detect the server if this fails. To disinfect, simply Kill and Delete the process. Once you have done this, run a trace scan to find the leftover files, and possibly registry entry. Be sure to check if there is a file wmmiexe.exe in the Windows folder - if there is you'll need to change the above entry in the registry. DiamondCS Support can help with this by sending a registry file which fixes the association for EXE files, or download it here (cleanrun.reg).

    [hr]
    That file cleanrun.reg can be downloaded here (caution: this is a direct download-link!):

    http://www.diamondcs.com.au/cleanrun.reg
     
  9. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    FanJ,

    "Infected removal instructions - Rename the filenames of your main programs (eg. TDS-3.EXE), and use that to kill the server. Stay offline while you do this. Simply run a Process File scan and TDS should detect Optix Pro, even if modified. Process Memory scan will detect the server if this fails. To disinfect, simply Kill and Delete the process. Once you have done this, run a trace scan to find the leftover files, and possibly registry entry. Be sure to check if there is a file wmmiexe.exe in the Windows folder - if there is you'll need to change the above entry in the registry. DiamondCS Support can help with this by sending a registry file which fixes the association for EXE files, or download it here (cleanrun.reg)."

    A previous post (i think from grey_ghost) already mentioned this link and i have already told him "been there, done that".

    To recap what i did:
    1. did a scheduled tds3 scan. it found the optix pro 1.2 launcher in the windows folder. proceeded to delete it from the console. did a complete rescan. came out clean. reboot. cannot run any app anymore.

    Note: no trojan process was running in memory. otherwise, tds3 should have warned me that such process is running before i started the scan.

    2. used my other pc to go to the mentioned tds3 website link. renamed tds3 on the infected pc and tried to run it but it wouldn't. the site mentioned a cleanrun.reg but i do not know what that is for and i still do not know.

    3. using my other pc, i searched the wilders forum on anything about optix pro. it returned the thread started by randy_bell. used that to activate "run" on the infected pc.

    4. run tds3. returned clean. reboot. run tds3 again. returned clean again.

    5. FanJ suggested that i run "process memory space scan". returned clean. proceeded to go online (replug cables). tried to connect but my homepage was changed.

    6. FanJ posted the optix pro link and pasted the contents of the link. renamed tds3 (although i was able to run it without renaming), ran process file scan>> clean. ran process memory space scan>> clean. downloaded the cleanrun.reg but haven't merged it yet until you can tell me what it does in layman's language.

    7. waiting for your next instruction...
     
  10. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,

    Is the start page the only thing that you have that is wrong now?

    One of the things that can be done by Optix is to “set Internet Explorer start page, send to URL,“

    If this is the only thing wrong just set it back to the original start page.

    Cleanrun.reg is to set your .exe association correctly if you can not execute .exe files or applications.

    Be sure that exe protection is installed and running at all times.

    Regards
     
  11. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    thanks grey_ghost...

    does it mean that i am clean, then?

    thanks everyone for all your feedback. i realize that even with the greatest software available on my system, i could still be hit and hit hard. without you guys and gals helping me out, i could have had lots of sleepless nights. and i would lose my confidence recommending this great software to my friends and acquaintances.

    more power!!!
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Cleanrun.reg was what you needed - the winampa.exe file is the executable used to hook into the .EXE file association, and it makes sure Optix Pro is running whenever you run any EXE file.

    If you don't get a memory alarm then you are clean, TDS detects Optix Pro by many means :)
     
  13. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45

    Many thanks Gavin.

    Two questions, though. Did it mean that i was not completely cleaned the first time i got optix pro? tds3 warned me of the winampw.exe in the windows folder but did not produce an alarm after tds3 initialized (meaning it was not in memory). Or did the execution protection prevent the running of the trojan but allow the install of the hook anyway?
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi zak_dashiell,

    If Execution Protection catches Optix Pro (it should) then it won't install winampa.exe at all. So I'm not sure when it got there, perhaps when you weren't running TDS ? :doubt:

    This file itself doesn't remain resident, it installs itself to the EXE file association so that each time you run an EXE, it runs whatever program you tried to run (so everything looks normal) and launches Optix Pro if it isn't already running. This is intended to keep a machine infected even if you manage to kill the trojan process.
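    The EXE-association hook that the quoted advisory lists under "Other Autostarts" and that Gavin explains above is something a defender can audit from an offline registry export and repair with a one-key .reg file, which is all cleanrun.reg is described as doing. This is an added example, not DiamondCS code and not the real cleanrun.reg: the key path and the wmmiexe.exe / winampw.exe names come from this thread, while the sample values and the exported .reg text are constructed.

```python
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed sample values (not taken from a real infected machine).
SAMPLES = {
    "default": '"%1" %*',                                   # Windows default
    "hooked": 'wmmiexe.exe "%1" %*',                        # layout from the advisory
    "hooked_quoted": '"C:\\WINDOWS\\winampw.exe" "%1" %*',  # name from this thread
    "hooked_damaged": 'wmmiexe.exe %1',                     # tail lost, hook still present
}

# Constructed .reg export of the key as regedit would write it on a hooked box.
EXPORTED_REG_SAMPLE = "\n".join([
    "REGEDIT4",
    "",
    "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]",
    '@="wmmiexe.exe \\"%1\\" %*"',
    "",
])

def interposed_launcher(cmd: str):
    """Return the program that runs ahead of "%1", or None if the value is clean.
    A clean value starts with the %1 placeholder (the EXE the user launched);
    anything placed before it is executed on every EXE launch, which is how the
    stub re-launches the server after the trojan process has been killed."""
    cmd = " ".join(cmd.strip().split())
    if re.match(r'^"?%1"?(\s|$)', cmd):
        return None
    m = re.match(r'^(?:"([^"]+)"|(\S+))\s+"?%1', cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd  # unrecognised layout: hand the whole value to the analyst

def unescape_reg_string(raw: str) -> str:
    """Undo .reg quoting: strip the outer quotes, then \\" -> " and \\\\ -> \\."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r'\\(["\\])', r'\1', raw)

def exefile_command_from_export(reg_text: str):
    """Pull the default value of the exefile open command out of exported text."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == EXEFILE_KEY and line.startswith("@="):
            return unescape_reg_string(line[2:].strip())
    return None

def fix_reg() -> str:
    """Text of a repair file with the effect cleanrun.reg is described as having:
    it restores the default association (merge it with regedit)."""
    return "\n".join(["REGEDIT4", "", f"[{EXEFILE_KEY}]", '@="\\"%1\\" %*"', ""])

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:15} -> {interposed_launcher(value) or 'clean'}")
    print("export shows:", exefile_command_from_export(EXPORTED_REG_SAMPLE))
```

    On a live machine the same check reads the key with `reg export` or regedit first; the parser here works on that export so the hooked box can stay offline while it is inspected.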
     
  15. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello Gavin,

    forgive me but i am getting more confused here.

    let us say that i was infected when tds isn't running. the launcher will then install optix pro into memory. now i run tds, shouldn't it flag that the trojan is in memory? i have configured tds to scan memory object scan, process file scan, memory mutex scan, and registry & file trace scan. but i came out clean every time i run tds. does this mean that winampw.exe did not install the trojan into memory? execution protection could not have prevented its install since tds is not yet running.

    let us say that winampw.exe is already in the windows folder and has already a registry record. now i run tds, it did not flag me since no trojan is in memory. then i scan the windows folder (as part of a complete scan), tds flags me of its presence in the windows folder (as indicated in the console which i copied into the scandump.txt -see original post). shouldn't the console also show the registry and file traces of winampw.exe so that i can delete winampw.exe and repair its registry record, thus preventing the damaged file association later?
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi again,

    I'll try to cover the question fully. The small EXE file doesn't install Optix Pro, Optix Pro installs IT :) So if you delete Optix Pro and leave this small file behind, EXE files won't open correctly.

    Do you run a Process Memory Scan ? A heavily modified Optix Pro should still be detected with File and Object Memory scanning, but to be sure a Process Memory Scan will find it.

    The Autostart Explorer shows the EXE shell command when it is modified, we will try to automate some more things for TDS4 such as pointing out this registry change. I think you would get a change in the Autostart Registry notification anyway :)
     
  17. zak_dashiell

    zak_dashiell Registered Member

    Joined:
    Mar 18, 2002
    Posts:
    45
    hello Gavin,

    it is clearer to me now...

    the winampw.exe might have been left behind from the original infection 2 weeks ago. tds flagged me of the presence of optix pro in memory so i deleted it then. but i remember correctly that after deleting it i scanned my hdd completely and came out clean. it never flagged me of the presence of winampw.exe in the win dir. subsequent rescans came out clean also. o_O and i was still able to run apps UNTIL i deleted winampw.exe.

    "A heavily modified Optix Pro should still be detected with File and Object Memory scanning"

    apparently my pc is not infected anymore with optix pro. just the winampw.exe in my win dir.

    "we will try to automate some more things for TDS4 such as pointing out this registry change"

    PLUS if it is safe to delete it or repair it if possible.

    thanks Gavin and to all... i learned a lot about this optix pro from you and how to fully utilize the powerful features of tds from the experienced contributors and moderators of the forum. more power to all...
     