Discussion in 'malware problems & news' started by Primrose, Nov 13, 2002.

Thread Status:
Not open for further replies.
  1. Primrose (Registered Member, Sep 21, 2002)

    Hey FanJ, what is going on here? Looks like these guys are coming in an army, supporting one another.
    Any thoughts?

    New form of massive attack using Trojans

    By VSAntivirus staff

    MessageLabs reported yesterday that it had intercepted a large number of messages from the mass mailing of a Trojan known as W32/Maz.A, Tr/Mastaz, Troj/Inor.A, Downloader-BO, etc.

    The extent of this threat suggests that the infected machines could be used in some kind of coordinated large-scale attack (descriptions of this Trojan, and of a second one that it downloads and then executes, are in the links at the end of the article).

    The details provided by MessageLabs (to date) are as follows:

    Number of intercepted copies (as of 12 Nov 2002): 615
    First intercepted message: 10 Nov 2002, 14:58 GMT
    Origin of the first message: United Kingdom
    Number of countries in which it has been reported as active: 32
    Percentage by country (the 5 with the most incidents):
    United States ...... 60.7%
    Canada ............. 9.3%
    South Korea ........ 5.0%
    Great Britain ...... 3.2%
    Mexico ............. 2.1%
    This Trojan connects to an Internet address, from which it downloads and executes another Trojan. Although so far only one type of downloaded Trojan has been seen (Jeem.A), nothing guarantees that it cannot be replaced by another, perhaps more destructive, version.

    At present, the downloaded Trojan turns the infected computer into an SMTP mail server, allowing the attacker to send mail through it and, more worryingly, it can also be used to mass-mail the first Trojan, with the multiplying effect that implies.

    MessageLabs' analysis would indicate that the first large wave of Trojans was used to create new launch platforms from which, once the process is complete, new messages infected with the first Trojan are sent.

    The original Trojan has no propagation routines; it only downloads and executes the second Trojan, which can become an SMTP server and in turn send the infected messages on to other users. The process is controlled remotely by one or more attackers.

    It is also not ruled out that hundreds of messages carrying the first Trojan were sent through servers that accept mail for other domains (open relays).

    The MessageLabs alert is due to the fact that the attackers appear to be creating a kind of army of Trojans, which could be used for other kinds of attack (only the second, downloaded Trojan needs to be changed to change the type of attack).

    In the first intercepted copies the message showed some defects, probably due to the program used for the first mass mailing. Here is an example:

    Subject: mail %Space% %Space%
    Attachment: masteraz.exe (version A)
                jimkre.exe (version B)

    Text:
    %Space% Hello! %Space% check %Space% out %Space%
    %Space%, the best %Space% FREE %Space% site! %Space%
    Message ID: [variable number] %Space%
    MessageNumber: [variable number] %Space%

    Note that the %Space% variable should not have been visible; it should have been replaced by spaces. But for some reason this failed.


    Troj/Backdoor.Jeem.A. Installed by the Trojan "Inor.A"

    Name: Troj/Backdoor.Jeem.A
    Type: Remote access Trojan horse
    Alias: BKDR_JEEM.A, Backdoor-AML, Trojan.PSW.Jeem, Troj/Bdoor-AML
    Related: Troj/Inor.A, TROJ_INOR.A, Downloader.BO
    Date: 12 Nov 2002
    Platform: 32-bit Windows
    Sizes: 30,831 bytes (UPX), 69,743 bytes

    This Trojan, compressed with the UPX tool, is downloaded by the Trojan "Inor.A" from an Internet site and copied onto the infected computer under the name OUTPUT.EXE.

    This file is then executed by the same Trojan that downloaded it (Inor).

    When that happens, the Trojan, which has backdoor characteristics, copies itself into the Windows System directory under the name MSREXE.EXE:

    'C:\Windows\System' may vary with the installed operating system (that is the default name on Windows 9x/ME; it is 'C:\WinNT\System32' on Windows NT/2000 and 'C:\Windows\System32' on Windows XP).

    The Trojan then remains in memory and opens ports 4668, 5262 and 6079.

    Using TCP port 4668, it configures the infected machine as an SMTP server. This lets the attacker send email to the infected computer and use it to relay his own mail (as with any provider's SMTP server).

    To make sure that MSREXE.EXE runs on every Windows restart, the following registry entry is created:

    Service System = C:\Windows\System\Msrexe.exe

    It also adds the following entry:

    [random characters] = [random characters]

    This entry can contain any number of such random characters; for example, an entry in the registry key mentioned could look like this:

    ç3943 = zn€rn‡;u†}rzn;{r


    Troj/Inor.A. Downloads and executes the Trojan "Jeem.A"

    Name: Troj/Inor.A
    Variant: Troj/Inor.B (only the download site changes)
    Type: Trojan horse
    Alias: TROJ_INOR.A, INOR.A, TrojanDownloader.Win32.Inor, Downloader-BO, Downloader.BO, Troj/Dloader-BO, Downloader.Trojan, W32/Maz.A, Tr/Mastaz
    Related: Troj/Backdoor.Jeem.A, BKDR_JEEM.A, Troj/Jeem.A
    Date: 12 Nov 2002
    Platform: 32-bit Windows
    Sizes: 4,096 bytes (UPX), 16,384 bytes

    This Trojan, compressed with the UPX utility, spreads as an attachment to a deliberately sent email message. Once executed, the Trojan stays in memory and tries to connect to a certain site to download and execute another Trojan.

    An example of a message carrying the Trojan is the one shown above, with the %Space% variables left visible.

    This is only an example, since the message can be modified by its sender.

    When the Trojan is executed (when the user opens and runs the attachment), it tries to download a file COUNTER.C from a site hosted at "".

    Once downloaded, COUNTER.C is saved in the current folder under the name OUTPUT.EXE.

    OUTPUT.EXE is detected by most antivirus products as "Jeem.A".

    If the download fails, the Trojan "Inor.A" modifies the registry, creating the following entry, which lets it run automatically on every system restart and retry the COUNTER.C download:

    inr\5Nzg1mOWKzFnuvu6 = [ name and way of the troyano ]

    When the COUNTER.C download succeeds, the Trojan creates the following registry entry:

    (Default) = "Done"

    And when the downloaded Trojan (Jeem.A) is executed, the following entry is created:

    Time = [time the Trojan was executed]

    The following text can be read in the body of the Trojan "Inor.A":

    Hello, world Inor
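The article quoted above says Jeem.A turns the infected host into an SMTP server on TCP 4668 that the attacker uses to relay mail. The following is an added example, not code from the VSAntivirus article or from either poster: a minimal open-relay probe that speaks EHLO / MAIL FROM / RCPT TO and stops before DATA, so it tests whether a listener will accept a recipient in a foreign domain without actually injecting a message. The sender and recipient addresses, the EHLO hostname, and the constructed stand-in relay server used to exercise the probe are assumptions for the demo; 192.0.2.10 in the comment is a documentation address, not a real host.

```python
"""Open-relay probe for an SMTP listener such as the one Jeem.A is described
as opening on TCP 4668. Added example; not from the article or the posters."""
import socket
import socketserver
import threading

# Port the article says Jeem.A listens on as an SMTP server.
JEEM_SMTP_PORT = 4668


def _read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = rfile.readline().decode("ascii", "replace")
        if not line:
            return ""                      # peer closed the connection
        if len(line) < 4 or line[3] != "-":  # "250-" continues, "250 " ends
            return line[:3]


def is_open_relay(host, port, mail_from="probe@example.net",
                  rcpt_to="someone@example.org", timeout=5.0):
    """Return True if the listener accepts RCPT TO for a domain it has no
    business delivering to, i.e. behaves as an open relay. The probe quits
    before DATA, so no message is ever handed over for relaying.
    Addresses are constructed placeholders (RFC 2606 example domains)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            rfile = s.makefile("rb")
            if _read_reply(rfile) != "220":
                return False
            for cmd in ("EHLO probe.example.net", f"MAIL FROM:<{mail_from}>"):
                s.sendall((cmd + "\r\n").encode("ascii"))
                if _read_reply(rfile) != "250":
                    s.sendall(b"QUIT\r\n")
                    return False
            s.sendall(f"RCPT TO:<{rcpt_to}>\r\n".encode("ascii"))
            code = _read_reply(rfile)
            s.sendall(b"QUIT\r\n")
            return code == "250"           # a 5xx here means relaying is refused
    except OSError:                        # refused, timed out, reset
        return False


class _FakeJeemRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for the backdoor's SMTP service: answers 250 to
    everything, including RCPT TO for foreign domains. relay=False gives a
    well-behaved server that refuses to relay, for comparison."""
    relay = True

    def handle(self):
        self.wfile.write(b"220 constructed-relay ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split(b":")[0].split()
            verb = parts[0].upper() if parts else b""
            if verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if verb == b"RCPT" and not self.relay:
                self.wfile.write(b"550 relaying denied\r\n")
            else:
                self.wfile.write(b"250 OK\r\n")


def start_fake_relay(relay=True):
    """Start the constructed server on an ephemeral loopback port.
    Returns (server, port); call server.shutdown() when done."""
    handler = type("Handler", (_FakeJeemRelay,), {"relay": relay})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_relay(relay=True)
    print("constructed relay on port", port,
          "-> open relay:", is_open_relay("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    # Against a suspect host you are authorised to test you would call:
    #   is_open_relay("192.0.2.10", JEEM_SMTP_PORT)
```

Only run this against machines you are authorised to test. A True result means the listener will take mail for an unrelated domain, which is exactly the behaviour the article attributes to the backdoor; a False result only means this particular exchange was refused, not that the port is harmless.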
  2. Randy_Bell (Registered Member, May 24, 2002, Santa Clara, CA)

    Symantec Security Response - Downloader.BO

    Downloader.BO is a Trojan horse that downloads a backdoor Trojan from a predefined Web site.

    NOTE: Virus definitions dated prior to November 12, 2002 may detect this Trojan as Downloader.Trojan.

    Also Known As: TROJ_INOR.A [Trend], TROJ_INOR.B [Trend], Troj/Dloader-BO [Sophos], Downloader-BO [McAfee], Downloader-BO.b [McAfee], TrojanDownloader.Win32.Inor [AVP], Downloader.Trojan
    Type: Trojan Horse
    Infection Length: 4096 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, Unix, Linux

    Technical Details

    When Downloader.BO runs, it does the following:

    It creates the subkey


    under the registry key


    Then, under the .inr subkey, it creates the subkey




    and adds the following value to this subkey:

    Time <the time that the Trojan was executed>

    It then attempts to download a file named Counter.c or Counter from one of these predefined Web sites:


    If the Trojan is successful in downloading the file, it saves the file locally as Output.exe. The Trojan then runs the downloaded file.

    • If the download fails, the Trojan adds the value

      .inr\5Nzg1mOWKzFnuvu6 <the Trojan file name>


      .inr\pzeoMm6erZrondFQ <the Trojan file name>

      to the registry key


      so that the Trojan runs when you restart Windows.
    • If the Trojan is successful in downloading the file, it adds the value

      (Default) Done

      to the registry key




    NOTE: Symantec antivirus products detect the downloaded file as Backdoor.Trojan.

    Removal Instructions

    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Restart the computer in Safe mode.
    3. Run a full system scan, and delete all files that are detected as Downloader.BO or Backdoor.Trojan.
    4. Reverse the changes that the Trojan made to the registry.

    To reverse the changes that the Trojan made to the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:


    4. In the right pane, delete any of these values:

    .inr\5Nzg1mOWKzFnuvu6 <the Trojan file name>
    .inr\pzeoMm6erZrondFQ <the Trojan file name>

    5. Navigate to and delete the key,


    6. Exit the Registry Editor.
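Both posts describe the same host artifacts: the Run value "Service System" pointing at Msrexe.exe, the .inr subkey and the .inr\5Nzg1mOWKzFnuvu6 / .inr\pzeoMm6erZrondFQ values that Inor.A adds when its download fails, and TCP 4668, 5262 and 6079 left listening by Jeem.A. As an added example (not from either post, VSAntivirus or Symantec), here is a Python script that checks a regedit export and a Windows `netstat -an` listing for those indicators offline. Neither post names the registry keys the values live under, so the checks match on value names, value data and the .inr leaf name only, and the sample .reg text below uses placeholder key paths; both sample inputs are constructed.

```python
"""Offline IOC check for the Inor.A / Jeem.A artifacts described above.
Added example; not from the posts. Sample inputs are constructed."""
import re

# Indicators taken from the two posts.
JEEM_LISTEN_PORTS = {4668, 5262, 6079}   # ports Jeem.A opens
JEEM_RUN_VALUE = "Service System"        # Run value used for persistence
JEEM_BINARY = "msrexe.exe"               # copy dropped in the System directory
INOR_RETRY_VALUES = {                    # added by Inor.A when the download fails
    r".inr\5Nzg1mOWKzFnuvu6",
    r".inr\pzeoMm6erZrondFQ",
}
INOR_SUBKEY = ".inr"                     # parent key is not named on the page

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse a regedit export (.reg) into {key_path: {value_name: data}}.
    String values are unescaped; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_registry_iocs(keys):
    """Match the registry indicators regardless of which key they sit under."""
    findings = []
    for path, values in keys.items():
        if path.rsplit("\\", 1)[-1].lower() == INOR_SUBKEY:
            findings.append(f"Inor.A subkey present: [{path}]")
        for name, data in values.items():
            if name == JEEM_RUN_VALUE and data.lower().endswith(JEEM_BINARY):
                findings.append(f"Jeem.A persistence: [{path}] {name} = {data}")
            elif name in INOR_RETRY_VALUES:
                findings.append(f"Inor.A retry value: [{path}] {name} = {data}")
    return findings


def find_listening_ports(netstat_text):
    """Local TCP ports in LISTENING state from Windows `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        p = line.split()
        if len(p) >= 4 and p[0].upper() == "TCP" and p[3].upper() == "LISTENING":
            ports.add(int(p[1].rsplit(":", 1)[1]))
    return ports


def find_port_iocs(netstat_text):
    return sorted(find_listening_ports(netstat_text) & JEEM_LISTEN_PORTS)


def scan(reg_text, netstat_text):
    findings = find_registry_iocs(parse_reg_export(reg_text))
    findings += [f"Jeem.A port listening: TCP {p}" for p in find_port_iocs(netstat_text)]
    return findings


# Constructed sample input; key paths are placeholders, not the real ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\ConstructedParent\.inr]

[HKEY_CURRENT_USER\ConstructedParent\.inr\ConstructedSubkey]
"Time"="12:34:56"

[HKEY_LOCAL_MACHINE\ConstructedRunKey]
"Service System"="C:\\Windows\\System\\Msrexe.exe"
".inr\\5Nzg1mOWKzFnuvu6"="C:\\Temp\\masteraz.exe"
"Shell"="explorer.exe"
'''
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4668           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5262           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6079           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```

Feed it a regedit export and the saved output of netstat -an from the suspect machine. Anything that matches deserves a closer look; an all-clear proves little, since, as the article itself points out, the second-stage Trojan can be swapped for a different one at any time.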