Trojan injected to explorer.exe

TDS detected a trojan injected in explorer.exe, I chose to close the process and delete the file. Then TDS notified me that it closed the process but did not delete the file, however, I scanned explorer.exe again and TDS doesn't detect anything...
Did TDS remove the trojan?
Is it excluding it because it couldn't delete it?
Or it doesn't detect it because it's not running?

 

Ok, i just noticed that a .exe file that my av detected and deleted also has a .dll file with the same name in the same dir (system32), but when i delete the dll, after about 5 seconds it creates the dll again, i'm pretty certain it's the dll of the trojan injected in explorer.exe.
So what can I do to remove this trojan?

 

I'm sorry if i'm breaking any rule by double/tripple posting, but I can't edit my previous posts, what I wanted to say is:
I restarted TDS and it's set to automaticaly scan the process list when started, and it detected the explorer.exe again, as "RAT. Deep Throat".
I got very sensitive data here including credit cards and bank accounts, so please help me remove this trojan ASAP, any help will be greatly appreciated!

 

Hi Shlomi & welcome. If you are using the TDS trial please make sure you have downloaded the latest radius file from here. Instruction are on the page. Do a FULL system scan with all boxes ticked in scan configuration.
http://tds.diamondcs.com.au/index.php?page=update
Here is some info about deepthroat which may help you to eradicate it:

Note this info' is quite old and there may be other variants

Since the original dissection was performed, the author has released a new version. Now we have details on all current versions available + their characteristics.

Latest Version disected (15th March 1999)

Well a new version has been released & thanks to one of Xploiter.com's visitors (Nick), I have been able to get hold of a copy to dissect.

Features

There are several new features as listed here.......

Msg Box Manager
Hide\Show Start bar
FTP Server - Starts a FTP Server.
Capture Screen
Turn Monitor On/Off
Get Cached Passwords
Spawn Prog (Runs program on the host)
Reboot (Please use it wisely Don't be a Lamer!!!!).
Scanner
Ping Host
Host System info
Swap mouse buttons
Freeze Mouse
Hide desktop icons.
Hide start button.
Hide clock.
Hide the system tray.
List windows
Kill window - (But it does not work on - Internet Explorer or Explorer).
Password server
Change server password
Remove server password
Send Password to server
Change Hosts Wallpaper
Delete file
Show picture
Ftp port
Play sound
Change time
Extra Irc Scanner Feature (To let Irc Scanners scan for it DT leaves open port 6670 (Tcp))
Sweep list scanner - Scans for hosts that are running the server
Package
There are three known versions of the same server file & these are distributed as follows:

dtv2_1.zip - contains just the server - systempatch.exe (300kb dated 23/2/99)
winsp00fer.zip - A self installing package - winsp00fer.exe (390kb dated 8/2/99)
backwebserv.zip - A self installing package - winsp00fer.exe (390kb dated 8/2/99)

Installation

I will go through the installation routine individually for all three versions. I am using a program called Inctrl 3 (In Control) that basically monitors what files are changed when a particular program is run. A report is then generated & it is this report that I will show here.

If you cannot understand the report & what has been modified, you may contact me for further information & help.

Installation report: systempatch.exe - (generated by INCTRL 3, version 3.01)

Monday, March 15, 1999 10:54 AM
Windows 95, version 4.00

FILES AND DIRECTORIES ADDED: (4)
c:\WINDOWS\SYSTEM\acdt.dat
c:\WINDOWS\SYSTEM\pddt.dat
c:\WINDOWS\SYSTEM\systemio.exe
c:\WINDOWS\systray.exe

REGISTRY KEYS ADDED: (1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings

REGISTRY KEY VALUES CHANGED: (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value "SystemTray": from "SysTray.Exe" to "c:\windows\systray.exe"

REGISTRY KEY VALUES ADDED: (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"

Installation report: WinSp00fer.exe - (generated by INCTRL 3, version 3.01)

Monday, March 15, 1999 12:16 PM
Windows 95, version 4.00

FILES AND DIRECTORIES ADDED: (2)
c:\WINDOWS\SYSTEM\acde.dat
c:\WINDOWS\systray.exe

FILES CHANGED: (2)
c:\WINDOWS\SYSTEM\acdt.dat
c:\WINDOWS\SYSTEM\pddt.dat

REGISTRY KEY VALUES CHANGED: (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value "Systemtray": from "c:\systray.exe" to "c:\windows\systray.exe"

REGISTRY KEY VALUES ADDED: (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"

Installation report: BackWebServ.EXE - (generated by INCTRL 3, version 3.01)

Monday, March 15, 1999 12:39 PM
Windows 95, version 4.00

FILES AND DIRECTORIES ADDED: (2)
c:\WINDOWS\SYSTEM\systemio.exe
c:\WINDOWS\systray.exe

FILES CHANGED: (3)
c:\WINDOWS\SYSTEM\acde.dat
c:\WINDOWS\SYSTEM\acdt.dat
c:\WINDOWS\SYSTEM\pddt.dat

REGISTRY KEY VALUES CHANGED: (
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Applets\Popup
Value "AlwaysOnTop": from "12320768" to "12255232"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Applets\Popup
Value "MaxOnMsgRcv": from "12255233" to "12320769"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Applets\Popup
Value "Sound": from "12320768" to "12255232"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value "Systemtray": from "c:\systray.exe" to "c:\windows\systray.exe"

REGISTRY KEY VALUES ADDED: (2)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"
Detection

The following listing was taken on my machine using TotoStat after I installed the trojan & clearly shows the ports that is listens on.

Proto Local IP Port Remote IP Port State

TCP 0.0.0.0 :6670 0.0.0.0 :0 LISTEN
TCP 0.0.0.0 :3150 0.0.0.0 :0 LISTEN
TCP 0.0.0.0 :2140 0.0.0.0 :0 LISTEN
UDP 0.0.0.0 :3150 0.0.0.0 :0 LISTEN
UDP 0.0.0.0 :2140 0.0.0.0 :0 LISTEN

If you have these ports open, then you probably have Deep Throat installed.

Removal

Backup your registry.
Using Regedit, drill down to the keys shown in the relevant reports & remove the values that were created.
Reboot your computer, enter pure DOS mode (press F8 at the "Starting Windows 95" message & select command prompt only) & delete the file called systray.exe in c:\windows (300kb).
Delete the file called systemio.exe in your c:\windows\system directory - this one gets all the passwords.
Restart your computer & enter Windows.
Run TotoStat & ensure that the ports are no longer listening. They should be gone!
You should now be clean.
Old Version

Deep Throat is one of the newer trojans that have sprouted. I found this one on 29/11/98 & promptly decided to take it apart. This is what I found: -

Introduction


This trojan is very similar to Netbus although it uses the UDP Protocol. I have tested it on Win95/98 which it does work on but on my NT4 machine, it did not. The author is however trying his hardest to get it woking on NT as well so be warned.
The trojan will not show up via the vulcan nerve pinch (Ctrl-Alt-Delete) & no icon is displayed in the task bar.
The program has been written in Delphi with the resulting executables compressed with the Neolite Exe Compressor. This makes it near impossible to check it's default strings.
Package
By default the server & client arrive in a zip file called 'dtv1.zip' (506kb). Two other zip files are also available namely 'fonts.zip' (61kb) & 'installer.zip' (264kb). These other zips contain the extra fonts that the client needs with the installer package containing the trojan wrapped in 'Saran Wrap' making it look like a genuine installer program - Run the installer & you install the trojan.

Back to the 'dtv1.zip' file, it contains two files, the GUI client 'RemoteControl.exe' (265kb dated 24th October 199 & the server 'Systempatch.exe' (254kb dated 24th October 199.

Installation

Once the server is run, it creates a registry key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the file name of the server file name and a description field of "SystemDLL32".

The file will not delete itself like BO although you will not be able to delete the file as the server is now in it's 'run' state. The file could be installed anywhere on your system.

The server will now restart every time the machine is rebooted. By default it listens on port 2140 UDP but interestingly also hooks port 3150 UDP as well. Once the client has connected, port 60000 is also hooked!

 

Thanks, I replaced the explorer.exe with one from dllcache in safe mode and TDS doesn't detect it anymore, but considering it could have infected other files as well, i'll update the definitions now and do a full system scan, thanks for your help.

 

You should also change all your passwords to be safe.
if it was me I would change all passwords and reformat to be sure

 

How about getting the HijackThis and scan all the autostarts, that would be good to see if anything is wrong or suspicious in any way.
Did you look in the autostart Explorer in TDS and in the running processes if there is anything suspicious?
Do you also use Port Explorer (grab a trial if you're not!) and look if there are any suspicious connections and the applications used by them.
In the autostarts forum here are a download link and instructions for using and posting it's log.
Would certainly change the most urgent passwords then do all the checks (the autostart log) and scans to make susre you're really clean and when all that is really clear change all passwords again.
Are you on XP?
After being cleansed out completely, disable system restore, reboot, enable system restore again and make manually a new restore point so you can't get infected again.

Looking forward to your next step, please keep us updated, trying to save your system.
In the meantime while scanning you might like to check your passwordfile(s) and find out which to change everywhere.

 

I would ask you to also send the results of ASViewer to gavin@diamondcs.com.au so I can look for suspicious startups

http://www.diamondcs.com.au/index.php?page=asviewer

Please turn on the 3 SHOW options at the top of the menu, then choose SAVE and send the text file

 

Thank you all, I followed all your advices and my PC now seems to be trojan free. I just hope it stays that way

 

That sounds like good news Shlomi, did that include sending the ASViewer log to Gavin to have a proper look just to be really really really sure? Don't hesitate to do so, as we all want to be very sure your sensitive info is all well cared for and no surprises to be expected.
Keep TDS updated and scan more frequently a few days.

 

Yes Jooske, I did.
And a little unrelated question, can I submit UPX scramblers to that submit@diamondcs.com.au E-Mail? Or is it only for trojans?

 

If it would not be OK Gavin can always tell us or just delete what is not usefull, so don't hesitate to send them in!