TROJANS SETUP TO SEND OTHER TROJANS

TROJANS SETUP TO SEND OTHER TROJANS

Hey FanJ what is going on here Looks like these guys are coming in an Army supporting one another.
Any thought?

____________________
New form of massive attacks through troyanos
http://www.vsantivirus.com/13-11-02.htm

By VSAntivirus Writing
vsantivirus@videosoft.net.uy

The MessageLabs company, informed yesterday, to have intercepted a great amount of messages with the massive shipment of a troyano, known like W32/Maz.A, Tr/Mastaz, Troj/Inor.A, Downloader-BO, etc.

The extension of this threat, suggests them infected machines can be used in some class of attacks coordinated in great scale (the description of this troyano, as well as the one of a second that is unloaded and executed soon by first, in the connections at the end of the article).

The details (to the date) contributed by MessageLabs are the following ones:
Number of intercepted copies (to 12/nov/02): 615 First intercepted message: 10/nov/02, 14:58 GMT Origin of the first message: United Kingdom Amount of countries in which it has been reported like assets: 32 Percentage by countries (the 5 with more incidences) the United States...... 60.7 % Canada.............. 9.3% Korea South del....... 5.0% Great Britain........ 3.2% Mexico.............. 2,1%
This troyano is connected to an Internet address, from where unloading and executes another troyano. Although until the moment a single type of troyano unloaded has been seen by first (Jeem.A), nothing guarantees that the same one cannot be updated by another version, perhaps more destructive.

At the moment, the unloaded troyano turns to the infected computer a servant of mail smtp, allowing him the attacker to send mail through him, and what is more worrisome, it can be used to send as well to the first troyano in massive form, with the multiplying effect that it means.

The analysis of MessageLabs, would indicate that the first big wave of troyanos was used to create new airdrop platforms to send after all the process, new messages infected with the first troyano.

The original troyano does not have routines of propagation, single unloading and executes to the second troyano, which can become servant smtp to send as well, the messages infected to other users. The process is controlled by one or several attackers in remote form.

The possibility does not discard that also has been sent hundreds of messages with the first troyano through servants who accept to give mail of other dominions (they open relay).

The alert of MessageLabs comes by the fact that or the attackers, would be creating a species of army of troyanos, which could use for another class of attacks (single it is necessary to change the second unloaded troyano to modify the type of attack).

In first intercepted copies the message presented/displayed some deficiencies surely due to the program used for the first massive shipment. There am an example here:

Subject: mail %Space% %Space%
Attached data: masteraz.exe (version A)
jimkre.exe (version B)

Text:
%Space% Hello! %Space% check %Space% out %Space%
%Space%, the best %Space% FREE %Space% site! %Space%
Message YOU GO: [ variable number ] %Space%
MessageNumber: [ variable number ] %Space%

Notice that variable %Space% would not have to be visible, supplanting itself by spaces. But this failed for some reason.


_______________________________


Troj/Backdoor.Jeem.A. It installs the troyano "Inor.A"
http://www.vsantivirus.com/back-jeem-a.htm

Name: Troj/Backdoor.Jeem.A
Type: Trojan horse of remote access
Alias: BKDR_JEEM.A, Backdoor-AML, Trojan.PSW.Jeem, Troj/Bdoor-AML
Related: Troj/Inor.A, TROJ_INOR.A, Downloader.BO
Date: 12/nov/02
Platform: Windows 32-bits
Sizes: 30.831 bytes (UPX), 69.743 bytes


This troyano, tablet with tool UPX, is unloaded by the troyano " Inor.A " of a site of Internet, and copied in the computer infected with the name of OUTPUT.EXE .

This file soon is executed by the same troyano that unloaded it (Inor).

When it happens, the troyano with backdoor characteristics, copy to if same in the directory System of Windows with the name of MSREXE.EXE :
C:\Windows\System\Msrexe.exe

' C:\Windows\System' can vary according to the installed operating system (with that name by defect in Windows 9x/ME, like ' C:\WinNT\System32 ' in Windows NT/2000 and ' C:\Windows\System32 ' in Windows XP).

The troyano remains then in memory, and opens ports 4668, 5262 and 6079 .

Using port TCP 4668 , it forms to the equipment infected like a servant smtp. This allows the attacker to send electronic mail to the infected computer, and to use it to reenviar its own mail (like a servant smtp of a supplier anyone).

In order to make sure that file MSREXE.EXE is executed in each resumption of Windows, the following entrance in the registry is created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Service System = C:\Windows\System\Msrexe.exe

Also it adds the following entrance:

HKLM\Software\Microsoft\Windows\CurrentVersion\Welcome
[ characters at random ] = [ characters at random ]

This entrance can contain any amount of these characters at random, for example an entrance in the mentioned registry, could see asi ':

ç3943 = zn€rn‡;u†}rzn;{r


_____________________________________________



Troj/Inor.A. Unloading and executes to the troyano "Jeem.A"
http://www.vsantivirus.com/inor-a.htm

Name: Troj/Inor.A
Variant: Troj/Inor.B (single it changes the unloading site)
Type: Trojan horse
Alias: TROJ_INOR.A, INOR.A, TrojanDownloader.Win32.Inor, Downloader-BO, Downloader.BO, Troj/Dloader-BO, Downloader.Trojan, W32/Maz.A, Tr/Mastaz
Related: Troj/Backdoor.Jeem.A, BKDR_JEEM.A, Troj/Jeem.A
Date: 12/nov/02
Platform: Windows 32-bits
Sizes: 4.096 bytes (UPX), 16.384 bytes

This troyano, tablet with utility UPX, propagates as attached to a sent electronic message in intentional form. Once executed, the troyano remains in memory and tries to connect itself to a certain site to unload and to execute another troyano.

An example of message with the troyano associate is shown aqui ':
Subject: mail %Space% %Space% attached Data: masteraz.exe (version A) jimkre.exe (version B) Text: %Space% Hello! %Space% check %Space% out %Space% %Space%, the best %Space% FREE %Space% site! %Space% Message YOU GO: [ variable number ] %Space% MessageNumber: [ variable number ] %Space%
Notice that variable %Space% would not have to be visible, supplanting itself by spaces. But this failed for some reason.

This single one is an example, since the message can be modified by its sender.

When the troyano is executed (when opening and executing the user the associate), the same one tries to unload a file COUNTER.C of a site provided with accomodations in "hypermart.net".

Once unloaded, COUNTER.C is recorded in the present folder with name OUTPUT.EXE .

OUTPUT.EXE is detected by most of the antivirus like " Jeem.A ".

If it fails the unloading, the troyano "Inor.A" modifies the registry, creating the following entrance, which will allow its execution in automatic form in each resumption of the system, reintentando the COUNTER.C unloading.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
inr\5Nzg1mOWKzFnuvu6 = [ name and way of the troyano ]

When the COUNTER.C unloading is made successfully, the troyano creates the following entrance in the registry:

HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6
(Predetermined) = "Donates"

And when executing itself the unloaded troyano (Jeem.A), is created the following entrance:

HKLM\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6
Time = [ hour of execution of the troyano ]

In the body of the troyano "Inor.A" east text can be ***reflxed mng:

Hello, world Inor

 

Symantec Security Response - Downloader.BO

Downloader.BO is a Trojan horse that downloads a backdoor Trojan from a predefined Web site.

NOTE: Virus definitions dated prior to November 12, 2002 may detect this Trojan as Downloader.Trojan.

Also Known As: TROJ_INOR.A [Trend], TROJ_INOR.B [Trend], Troj/Dloader-BO [Sophos], Downloader-BO [McAfee], Downloader-BO.b [McAfee], TrojanDownloader.Win32.Inor [AVP], Downloader.Trojan
Type: Trojan Horse
Infection Length: 4096 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, Unix, Linux

technical details

When Downloader.BO runs, it does the following:

It creates the subkey

.inr

under the registry key

HKEY_LOCAL_MACHINE\Software\CLASSES

Then, under the .inr subkey, it creates the subkey

5Nzg1mOWKzFnuvu6

or

pzeoMm6erZrondFQ

and adds the following value to this subkey:

Time <the time that the Trojan was executed>

It then attempts to download a file named Counter.c or Counter from one of these predefined Web sites:

[*]masteraz.hypermart.net
[*]wind.prohosting.com/jimkre

If the Trojan is successful in downloading the file, it saves the file locally as Output.exe. The Trojan then runs the downloaded file.

• If the download fails, the Trojan adds the value
  
  .inr\5Nzg1mOWKzFnuvu6 <the Trojan file name>
  
  or
  
  .inr\pzeoMm6erZrondFQ <the Trojan file name>
  
  to the registry key
  
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  
  so that the Trojan runs when you restart Windows.
  
• If the Trojan is successful in downloading the file, it adds the value
  
  (Default) Done
  
  to the registry key
  
  HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\5Nzg1mOWKzFnuvu6
  
  or
  
  HKEY_LOCAL_MACHINE\Software\CLASSES\.inr\pzeoMm6erZrondFQ

NOTE: Symantec antivirus products detect the downloaded file as Backdoor.Trojan.

removal instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan, and delete all files that are detected as Downloader.BO or Backdoor.Trojan.
4. Reverse the changes that the Trojan made to the registry.

To reverse the changes that the Trojan made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete any of these values:

.inr\5Nzg1mOWKzFnuvu6 <the Trojan file name>
.inr\pzeoMm6erZrondFQ <the Trojan file name>

5. Navigate to and delete the key,

HKEY_LOCAL_MACHINE\Software\CLASSES\.inr

6. Exit the Registry Editor.