Backdoor Beasty

Discussion in 'other anti-trojan software' started by pegasus4711, Nov 17, 2003.

Thread Status:
Not open for further replies.
  1. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    As a result of not keeping my Norton up to date I have imported the above. It is closely allied with SVCHOST.EXE. Its main characteristic is in trying to 'phone home' all the time!

    My question is - which is the best anti-trojan download, will it rid my system of this pest, and will I have to make manual changes to the registry.

    Would appreciate layman's terms. As you can see from the above, I am not a pro. Either reply on this forum or to 'nuttysweet@NOSPAMhotmail.com'

    Thank you.
     
  2. FanJ

    FanJ Guest

  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I added a NOSPAM to throw off the bots, but FanJ is very right. It is not wise to post your e-mail addresses on the internet for everyone to see.

    Regards,

    Pieter
     
  4. FanJ

    FanJ Guest

    Hi,

    Maybe it is a good idea to give more info:

    How do you know it is "Backdoor Beasty"?
    Did you update your NAV with the latest definitions and did you do a full scan? What does it tell you?
    Which version of NAV?
    Which OS (98, ME, 2000, XP, ....)?
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    your nav can handle beasty (probably beast 2xx version). just boot into safe mode and scan and let nav do its job.. if you're on xp\me disable system restore..if you receive errors saying nav can't delete the file you will have to kill the process first..
    did it say the filename of the beast infection was svchost.exe?
    search your system for files dxdng.dll and ms*.com, these are probably the trojan files(usually)


    deleted / me tags
     
  6. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    Thank you for all the good advice fellas to a newbie.

    I downloaded the free 30 day Trojanhunter trial, and although it found the Trojans in svchost.exe it could not remove them. I have e-mailed the file to the makers for advice.

    I am downloading the TDS3 today for the trial, and will keep you up to date.

    I will also start in safe mode and try Norton.


    John
     
  7. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    Good morning,

    As recommended, I downloaded the free trial from TDS and ran a full system scan. It found the following:

    Found possible trojan file: C:\WINDOWS\SYSTEM\svcinit.exe (Suspicious: UPX-packed file in Windows System folder)
    Found possible trojan file: C:\WINDOWS\svchost.exe (Possible trojan downloader)
    Found possible trojan file: C:\best.exe (Possible trojan downloader)

    It also found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: [System Service=C:\WINDOWS\SYSTEM\MSREXE.EXE]

    With rightclick I am given the options of deleting the file - however, I do not want to wreck the registry.

    Help!
     
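As an added example (not code from this thread, from TDS-3 or from any vendor named here), the script below shows the kind of structural check that sits behind a verdict like "Suspicious: UPX-packed file in Windows System folder": it parses the PE section table, looks for the section names UPX writes by default, for the empty-on-disk first section UPX leaves behind, and for high byte entropy in a section body. The two PE images it examines are constructed inside the script and cannot execute; the function names, the entropy threshold and the section-name list are the example's own assumptions.

```python
"""Added example: the structural check behind a 'UPX-packed file' verdict.
Parses the PE section table and applies three heuristics (UPX section names,
empty-on-disk first section, per-section entropy). Inputs are constructed."""
import hashlib
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # default names written by UPX
PE32_OPTIONAL_HEADER_SIZE = 224


def parse_sections(data: bytes) -> list[dict]:
    """Return the section table as dicts: name, size on disk, file offset."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append({"name": name, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant blob, close to 8.0 for compressed data."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_verdict(data: bytes) -> dict:
    """Combine the three heuristics; the MD5 is reported only for contrast."""
    secs = parse_sections(data)
    names = {s["name"] for s in secs}
    upx_named = bool(names & UPX_SECTION_NAMES)
    # UPX keeps the original first section as a zero-size-on-disk placeholder
    empty_first = bool(secs) and secs[0]["raw_size"] == 0
    max_entropy = max(
        (shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
         for s in secs if s["raw_size"]),
        default=0.0,
    )
    return {
        "sections": sorted(names),
        "upx_named": upx_named,
        "empty_first_section": empty_first,
        "max_entropy": round(max_entropy, 2),
        "likely_packed": upx_named or (empty_first and max_entropy > 7.0),
        "md5": hashlib.md5(data).hexdigest(),   # what a file signature keys on
    }


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal, non-executable PE32 image from (name, raw bytes) pairs."""
    e_lfanew = 0x40
    n = len(sections)
    data_off = e_lfanew + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + 40 * n
    hdr = bytearray(b"MZ" + b"\0" * 58) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    hdr += b"PE\0\0"
    # Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (PE32_OPTIONAL_HEADER_SIZE - 2)  # PE32 magic
    table, body, ptr = bytearray(), bytearray(), data_off
    for name, raw in sections:
        table += name.ljust(8, b"\0")[:8]
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 unused bytes
        table += struct.pack("<IIII", len(raw) or 0x1000, 0, len(raw), ptr if raw else 0)
        table += b"\0" * 16
        body += raw
        ptr += len(raw)
    return bytes(hdr + table + body)


# Constructed inputs: a plain two-section image, and a UPX-style layout whose
# UPX1 body is deterministic pseudo-random bytes standing in for compressed code.
BENIGN_PE = build_pe([
    (b".text", b"\x55\x8b\xec" + b"\x90" * 200),
    (b".data", b"hello\0" * 40),
])
PACKED_PE = build_pe([
    (b"UPX0", b""),
    (b"UPX1", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
    (b".rsrc", b"\0" * 64 + b"RSRC"),
])

if __name__ == "__main__":
    for label, image in (("benign", BENIGN_PE), ("packed", PACKED_PE)):
        print(label, packer_verdict(image))
```

Run it and the packed image trips all three heuristics while the plain one trips none; the MD5 in each verdict is there to make the contrast visible, since any repacking changes the hash but not the section layout the heuristics key on. A real scanner layers this on top of "is this path a place a packed binary normally lives", which is the "in Windows System folder" half of the TDS verdict.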
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pegasus4711,

    MSREXE.EXE is most certainly not vital for your system and highly likely a trojan, so feel free to delete it.

    For svcinit and svchost could you download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Then scan again and let us know if they are gone.

    I have no clue about best.exe yet.

    Regards,

    Pieter
     
  9. That set sounds familiar, and I don't BELIEVE it's the typical dialer/adware/spyware ... can't remember where I've seen that before, but I *do* believe it's a backdoor with that grouping of filenames. SVCHOST is a popular name for trojans, because it "sounds" legit ... the BEST.EXE is the one that clicked with me.

    Could you perhaps send a set of those files along to me to have a look at? support@nsclean.com - we're the folks who make BOClean. You may need to go into MSDOS mode to actually yank the files, but best to see what you have first. A good antitrojan though should be able to deal with those, but I don't want to sound like I'm trying to ring the cash register ... customer or not, be happy to look them over and tell you what to do ...
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    msrexe is backdoor.jeemp.C (KAV name, i have 1 example in my collection), sub7 modification or similar.. delete it, search your registry for anything related to it (back up first) and delete the entries

    edit: btw did you update your tds?

    svchost is default name for beast server, you did not find the .dll's and .com files?
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.jeem.html
    http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.html
     
  11. While that's true, a filename is no particular indication of a particular trojan, any more than activity on a particular port number is any indication of a specific trojan. I always get a chuckle when I get a warning from something we're playing with, "activity on 27374 - SUB SEVEN DETECTED!" :)

    No ... They can be named anything the person using the edit server wants to call them, and typically they prefer slight misspellings of known system files since these tend to "look proper" to those who aren't professional paranoids. And each also comes with a "what port shall we set up on function" as well.

    Chances are you're right, but it's not necessarily an indication of Beast ... for all the noise about "Beast" it's an unwieldy and BUGGY trojan. There's MUCH "better" out there in common use, especially when you're cooking up a nasty to elude file scanning. Find a packer nobody else is using and you're home free. Add a polymorpher or other file diddler, and security programs that depend on MD5 hashes of swaths of a file will no longer detect it. Makes it a BRAND new trojan. Heh.

    Believe it or not, we're STILL seeing reports from our customers of routine installs of SubSeven, NETBUS and amazingly, Back Orifice with some wrinkles added to make file scanners ignore them getting nailed by BOClean once they try to start. :(

    Those well could be something else though.
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    yeah the file name is configurable, question is how many of the script kiddies bother to actually change it from the default....i'd say 90% of 'em won't.. and the remaining 10% do something more than just changing the filename, they're the really dangerous people

    yeah sub7 is still pop and coz mobman is back in business, new stuff is anticipated.. i've seen recently some modded netbuses too

    edit: beast really is buggy, but it's headline stuff, like netbus once. that's why it's much used, while a lot better tools exist.. if i were to trojanize someone i'd choose optix pro anytime, or a rootkit, or a small dl'er+ some commercial remote control software.. with meltserver enabled that is the ultimate undetectable option..
    i got some upcoming betas too that look really baaaaad
     
  13. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    would like to add one thing here... don't know whether its already known.. the other day Mike(LowWaterMark) informed.. don't update any softwares for next week... as subseven release week is near... update TDS and check for services :)
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please send all those files ASAP to submitviruses@yahoo.com.au and I will look at them (im not at work :D)
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Actually, SAVE a copy of todays radius.td3 to replace in case we update it before you do your testing. That SubSeven thing is old and easy to detect, a lot of trojans are :) Rootkits are the real danger.
     
  16. Wow! THANKS, GUYS! You don't KNOW how much you've tickled me by the last couple of posts! I'm so used to dealing with folks all twisted because their ISP cut them off "until you USE SOAP on that festering boil on your Billyware." Heh. Hope you'll indulge me, but it's time for an outbreak of "Da story monster" here. Thanks for the inspiration! :p

    Of *ALL* the nasties that have been released over oh so many years, the one I *still* admire (the one "BO"Clean was named after when it was just one of FOUR trojans out there) is Back Orifice 2000 (and the original as well years earlier) ... and amusingly, there have been four NEW releases of it in the past few months. Only reason why we're not jumping up and down over it in our little BOClean shack out of the woods is that, as far as we're concerned, it's BO2K ... just ANOTHER variant as far as BOClean goes, so we didn't need to ADD it to our (ahem) "definitions."

    Netbus was a close second in its "Pro" version, but they *SUED* us for detecting them once Carl-Fredrik Neikter REALIZED what he'd built and went COMMERCIAL, selling it as "A legitimate administration tool," and SELL it he DID ... well, sorry chuckles ... you let that puppy out into THE WILD ... tell ya what, boobie ... we'll satisfy getting sued *THIS* way ... we'll put a "DO NOT DETECT NETBUS TROJAN" on our configuration screen, and anybody who actually BOUGHT it can check the box and we'll leave it alone. Gotta LOVE "attorneys" ... they BOUGHT this concept! But Netbus was actually pretty good and stable too. Can't BELIEVE BOClean is still bound by that legal agreement of so many years ago, but there it IS, still on our configuration screen.

    But *MAN* ... the number of times I have to reach for my "airsick bag" when I see the cut and paste QWAP the kiddies are peddling as "nasty du jour" and it's REAL for "file scanners." Aggggh. For the first time in my LIFE, had to do 112 submitted/located trojans the other night. THIRTY-THREE of them were UNIQUE! A record!

    The kiddies working for the spammers these days (there's been a SIGNIFICANT dropoff in backdoors lately as the kids get hired up to put in popup ad generators, porn dialers and IE cache emptiers, broadband victim SMTP post offices so some poor putz on a DSL line gets blamed for sending out those 66 million emails overnight on a machine they DISTINCTLY remember turning off, but NOT unplugging) ... just blows my mind.

    Mobman's a character ... how he hasn't gotten into his own Austrian funk ("You Americans ... like your coffee, your signatures are so weak") he's actually an Englishman, but I wanted a comedic break ... met him back in the days when there was an economy and I'd attend and lecture at "security shows" and things like DEFCON conferences. I had buddies at @stake and other former "dumpster divers" from whom I'd learned the "early social engineering" and Mobman found *me* ... heh. The guy NEEDS some counseling. No offense. Yeah, what's COMING has the de rigueur "inject a CONTROL PANEL APPLICATION HERE" as well as the SOCKS5 driver built right in. WHAT firewall? I talk to the UART, go away ... ummm ... Beast doesn't do that. BOClean's ready :)

    But when it comes to the trojan authors that I am MOST "awestruck" by, it REMAINS the same old, same old. I never met DILDOG ... I've ALWAYS wanted to because his code, the tightness, and in particular his EMBARRASSMENT with his "udderly hideous kluges, moo" the code he wrote for the FIRST "injector" and the FIRST "table mangler of the kernel no matter WHAT VERSION of Windows you're running - his stuff was TIGHT for NT, 2000 (and XP as well, years later) but he was embarrassed by the horrible hack he had to do to 95, 98 and MiniME ... well ... IT WORKED! And RELIABLY! Dildog was too humble for himself.

    Then there was "Deth Vegetable" ... heh. The "Cult of the Dead Cow" folks only wanted to rub Microsoft's denials on their noses when they released the ORIGINAL "BO" (Back Orifice) ... but Microsoft denied all and INSISTED that their upcoming "Windows 2000" would eliminate any POSSIBILITY of "hackers getting past security" with all the new "security features" in Win2000. So of COURSE, they had to rub Microsoft's noses in it again publicly, they TOLD them where the problems were after all, such are the morals of 19 year olds.

    WHERE I came to respect Dildog and Deth and the others of the Cult of the Dead Cow is that when they first released the original Back Orifice, as well as SOURCE CODE, they realized the monster that they'd created - that "ring zero is just a magic number away" and finding so MANY undocumenteds (OFFICIAL meaning of "back door") that were OBVIOUSLY lost to those who REVIEW Windows code before release ... that they pulled the TRUE source code for Back Orifice and Back Orifice 2000 that leave them in a weakened state. Detectable *IF* you know how. Best of all though, I *got* copies of the original code and that which WASN'T released ...

    Thought you might find this amusing though - once upon a time when there was money flowing around here, I'd get out and get what *I* get off on, doing the Sherlock Holmes thing and actually sitting down with these folks and figuring out not only how they code, but their philosophy ... that's what I've always meant by "behavior matching" in what we do. There's only about 60 "real" trojan CREATORS around the planet, the REST of them just cut and paste the same old qwap. :)

    You might get a kick out of this ... BOClean is not only listed but recommended by Cult of the Dead Cow (origin of 95% of ALL trojan code there is, ported or straight C like the original) ... I wear that as a badge of honor, not only getting to know them and figuring them (AND their code) out ... but actually parting company as "friends who respected one another" ... at my age, that felt great. Learning from the ground floor all the things that have come and still having my intuition as to these things as sharp as ever.

    Ah, life was *SO* much simpler. :)

    (story monster no longer hired, fare please, heh)
     
  17. Apologies for the additional ... just thought you'd find this amusing ... after the first night in weeks of semi-sanity on this end, I'm waxing nostalgic as well for the days of yore. So after checking out this page where Cult of the Dead Cow actually had nice things to say about us:

    http://www.org/fools/colinks5.htm

    (can't BELIEVE the antique SITE is still lit after WAY so many years, but THAT'S them. :)

    And of course, our "antique alert" on it, fresh from our "wayback machine" ...

    http://www.nsclean.com/psc-bo2k.html

    Once again, my apologies ... you guys made me shed a tear ... "for history" ... (grin)

    first link disabled (TOS) - sorry Kevin, grin
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    >some poor putz on a DSL line gets blamed for sending out those 66 million emails overnight on a machine they DISTINCTLY remembering turning off, but NOT unplugging

    I just learned something. You mean to tell me that now they can actually turn your machine on? Wow, sure glad I got BoClean (And I'm keeping Netbus UNCHECKED!)

    Acadia
     
  19. Ain't that a HOOT, ... "mon!" :)

    Yeah, imagine that! But yes, in most recent machine BIOS' there is a "wakeup ON" function ... check out your motherboard's manual "BIO SETTINGS" and you WILL see "wake up on MODEM Off-hook" or similar in there if your machine is less than 3 or so years old ... Ring a modem, click a NETBIOS, and you're OWNED ... :(

    I've never SEEN such clever malware as I've seen in the past few weeks. I don't know WHAT the cause, been too busy FIGHTING it for BOClean, but MY guess upon nearly 30 years of experience with Billy is that one of the recent "Microsoft band-aid (TM) version SP2-1/8" REALLY soiled the bed ... SOMETHING'S up though. But YES, the word "zombies" when applied to Billyware DOES have its own meaning. Quite unfortunate, really ...
     
  20. FanJ

    FanJ Guest


    Hi Kevin,

    BIG thanks for your postings !!!
    They are always very much appreciated !!!


    Cheers, Jan.
     
  21. Unca Paul said, "first link disabled (TOS) - sorry Kevin, grin
    « Last Edit: November 21, 2003, 08:41:28 AM by Paul Wilders »" ...

    My apologies for causing you to need to do that, certainly no offense taken - I have this unfortunate mindset of expecting to be doubted, so offering as much independent proof of anything I say is one of my weak points. Prevents a lot of unnecessary back and forth and "so's your old man" type stuff. :)

    To everyone else, thanks for the kind words. For those of us who have been at this since the "dawn" of "trojans" it's all so amusing and so "ho-hum" ... things like remote threads, DLL's and such are truly old hat. While we've seen some interesting diversions over the years with all the malware that's passed under the bridge, it's still all based on the "classics" even if the original source has become plug-in libraries that require as much brain power to implement as ordering kippers. Heh.

    Glad it was an enjoyable diversion.
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No prob, Kevin - and nice to see you posting in your unique and personal way :D

    On a side note: do you ever get 8+ hours sleep a week? :rolleyes:

    regards.

    paul
     
  23. I have indeed put in a requisition for "sleep, quantity one" ... am waiting to see how the various wrigglers and howlers feel with respect to authorizing same. But like any good Noo Yawkah, I do my sleeping in the daytime. :)
     
  24. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Right-on, Kevin ;)

    Optigrab
    Brooklyn
     
  25. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    Thanks to kevin for the link to ASViewer.

    You mentioned removing the autostarts for these files and dumping them.

    Presumably - you wish me to right click any svchost.exe entry and delete it.

    Sorry for the dumb questions, but as you can appreciate, I am rather new to all this and am just a little worried about screwing up the registry.

    Regards,

    John
     
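As an added example (not code from this thread, from ASViewer or from any vendor named here), the script below does the triage John is asking about: it reads the Run key out of a registry export and flags the patterns discussed earlier in the thread, namely a Windows system binary name sitting outside the system folder (the C:\WINDOWS\svchost.exe finding), a near-misspelling of a system binary name (Kevin's "slight misspellings of known system files"), and an executable dropped in the drive root (C:\best.exe). The .reg text is constructed for the example; the MSREXE.EXE value is the one TDS-3 reported, the svchost.exe and best.exe paths are the files it flagged placed here as Run entries for illustration, and the ScvHost and SomeVendorTray values are invented for contrast. The allow-lists, function names and the edit-distance threshold are the example's own assumptions.

```python
"""Added example: triage of Run-key autostart entries from a .reg export.
Flags system-binary names outside the system folder, look-alike names, and
executables in the drive root. The registry export below is constructed."""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Binaries that legitimately live only in the system folder (explorer.exe is
# deliberately absent: it lives in C:\WINDOWS itself). Assumed list for the example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "spoolsv.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\winnt\system32"}

REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First program-looking token of a command line, quoted or not, arguments dropped
EXE_IN_CMD = re.compile(r'^\s*"?([^"]*?\.(?:exe|com|scr|pif|bat))\b', re.I)

# Constructed .reg export (as produced by regedit's File > Export); see lead-in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"
"svchost"="C:\\WINDOWS\\svchost.exe"
"Loader"="C:\\best.exe"
"ScvHost"="C:\\WINDOWS\\SYSTEM\\scvhost.exe"
"SomeVendorTray"="C:\\Program Files\\SomeVendor\\tray.exe /quiet"
'''


def parse_run_entries(reg_text: str) -> dict[str, str]:
    """Map value name -> command line for the values under the Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = REG_VALUE.match(line) if in_run else None
        if m:
            # .reg files escape backslashes and quotes inside string values
            name, cmd = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
            entries[name] = cmd
    return entries


def executable_of(cmd: str) -> str:
    """Path of the program a Run command line starts; '' if none is recognised."""
    m = EXE_IN_CMD.match(cmd)
    return m.group(1) if m else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch svchost.exe vs scvhost.exe style names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(reg_text: str) -> dict[str, list[str]]:
    """Findings per entry; an empty list means no heuristic fired, not 'clean'."""
    report = {}
    for name, cmd in parse_run_entries(reg_text).items():
        exe = executable_of(cmd)
        if not exe:
            report[name] = ["no executable recognised in command line"]
            continue
        base = ntpath.basename(exe).lower()
        folder = ntpath.dirname(exe).lower().rstrip("\\")   # 'c:' for a drive root
        findings = []
        if base in SYSTEM_BINARIES and folder and folder not in SYSTEM_DIRS:
            findings.append(f"system binary name outside the system folder: {exe}")
        elif base not in SYSTEM_BINARIES:
            near = sorted(s for s in SYSTEM_BINARIES if levenshtein(base, s) <= 2)
            if near:
                findings.append(f"look-alike of {near[0]}: {base}")
        if re.fullmatch(r"[a-z]:", folder):
            findings.append(f"executable in drive root: {exe}")
        report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_REG).items():
        print(f"{name:16} {findings or ['(no heuristic hit, verify by hand)']}")
```

Note what the output says about MSREXE.EXE: it sits in the system folder under an unremarkable name, so none of these heuristics fire, which is exactly why the thread had to fall back on a vendor lookup (KAV/Symantec names) for that file. The heuristics narrow the list; they do not replace checking each survivor, and removing a Run value only stops the autostart, the file itself still has to go.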