I Found A New Trojan!!!!

Discussion in 'malware problems & news' started by zechlin, Apr 3, 2005.

Thread Status:
Not open for further replies.
  1. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    :D

    I found a new Trojan. TDS detects nothing. Nor does virusscan.jotti.org.

    IM me if you would like the file!

    Here are the strings from the DLL:

    !This program cannot be run in DOS mode.
    \Microsoft\
    Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    %sxtempx.xxx
    SeDebugPrivilege
    Mozilla/5.0
    %windir%\hosts.sam
    %SystemRoot%\system32\drivers\etc\hosts
    ExitThread
    kernel32.dll
    LoadLibraryA
    Process32Next
    Process32First
    CreateToolhelp32Snapshot
    Software\Microsoft\Internet Explorer\Main
    Placeholder_Data
    teenspicy.com
    evo.sexfab.com
    IsUserAdmin
    setupapi.dll
    st_log.dat
    sm_log.dat
    sc_log.dat
    rvd_wfdsfsdffsddas1mhgfdsdk
    RegisterServiceProcess
    Software\Microsoft\Internet Explorer\Main\Helpers
    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
    %sContent-Disposition: attachment; filename="%s"
    %sContent-Transfer-Encoding: base64
    %sContent-Type: application/octet-stream; name="%s"
    See Attach
    %sContent-Transfer-Encoding: 8bit
    %sContent-Type: text/plain; charset=Windows-1251
    %sMIME-Version: 1.0
    %sSubject: %08X_%08X
    From: <%s>
    Date: %a
    RCPT TO:<%s>
    MAIL FROM:<%s>
    %s::%u::%s:%u->%s:%u
    _except_handler3
    MSVCRT.dll
    _adjust_fdiv
    GetVersion
    DeleteFileA
    CloseHandle
    CreateFileA
    GetSystemDirectoryA
    GetCurrentProcess
    CreateProcessA
    ExpandEnvironmentStringsA
    GetFileSize
    CreateThread
    GetTickCount
    ExitThread
    GetCurrentThreadId
    TerminateThread
    VirtualFreeEx
    WaitForSingleObject
    CreateRemoteThread
    WriteProcessMemory
    GetProcAddress
    GetModuleHandleA
    VirtualAllocEx
    OpenProcess
    GetLastError
    LoadLibraryA
    CreateMutexA
    GetCurrentProcessId
    GetModuleFileNameA
    FreeLibrary
    GetVersionExA
    GetDiskFreeSpaceExA
    GetDriveTypeA
    GetLogicalDriveStringsA
    GlobalMemoryStatus
    KERNEL32.dll
    DispatchMessageA
    TranslateMessage
    GetMessageA
    PostQuitMessage
    DestroyWindow
    DefWindowProcA
    CreateWindowExA
    RegisterClassA
    USER32.dll
    AdjustTokenPrivileges
    LookupPrivilegeValueA
    OpenProcessToken
    RegCloseKey
    RegOpenKeyExA
    RegEnumValueA
    RegDeleteValueA
    RegSetValueExA
    RegCreateKeyExA
    RegQueryValueExA
    ADVAPI32.dll
    WS2_32.dll
    InternetCloseHandle
    FtpPutFileA
    InternetConnectA
    InternetOpenA
    InternetReadFile
    InternetOpenUrlA
    WININET.dll
    Dllcode.dll
    downloads1.kaspersky-labs.com
    downloads2.kaspersky-labs.com
    downloads3.kaspersky-labs.com
    downloads4.kaspersky-labs.com
    download.mcafee.com
    liveupdate.symantecliveupdate.com
    liveupdate.symantec.com
    update.symantec.com
     
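The imports and strings above are enough to sketch the sample's capabilities without running it. Below is an added triage script (mine, not the poster's or any vendor's tool) that groups strings from a dump like this one into capability findings; the sample input is a constructed subset of the strings listed above, and the capability groupings are my own assumptions about which API combinations are worth flagging.

```python
# Constructed sample: a subset of the strings zechlin posted from the DLL.
SAMPLE_STRINGS = """\
Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
SeDebugPrivilege
%SystemRoot%\\system32\\drivers\\etc\\hosts
CreateToolhelp32Snapshot
Process32First
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
AdjustTokenPrivileges
RegisterServiceProcess
RCPT TO:<%s>
MAIL FROM:<%s>
%sContent-Transfer-Encoding: base64
liveupdate.symantec.com
download.mcafee.com
FtpPutFileA
InternetOpenUrlA
"""

# A capability is reported only when ALL of its required strings appear, so a
# single common API such as OpenProcess does not produce a finding on its own.
CAPABILITIES = {
    "process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "debug privilege acquisition": {"SeDebugPrivilege", "AdjustTokenPrivileges"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First"},
    "hosts file tampering": {"drivers\\etc\\hosts"},
    "SMTP mailer": {"RCPT TO:", "MAIL FROM:"},
    "hide from Win9x task list": {"RegisterServiceProcess"},
    "FTP upload": {"FtpPutFileA"},
    "HTTP download": {"InternetOpenUrlA"},
}

# AV update hosts; seen together with a hosts-file path they suggest update blocking.
AV_UPDATE_DOMAINS = ("kaspersky-labs.com", "mcafee.com", "symantec.com", "symantecliveupdate.com")


def triage(strings_text: str) -> dict:
    """Map a raw strings dump to {finding: [supporting strings]}."""
    lines = [ln.strip() for ln in strings_text.splitlines() if ln.strip()]
    found = {}
    for name, required in CAPABILITIES.items():
        if all(any(req in ln for ln in lines) for req in required):
            found[name] = sorted(required)
    av_hosts = sorted({ln for ln in lines if ln.endswith(AV_UPDATE_DOMAINS)})
    if av_hosts and "hosts file tampering" in found:
        found["likely AV update blocking via hosts file"] = av_hosts
    return found
```

Run `triage(open("strings.txt").read())` on a real `strings` output to get the same kind of summary; a finding is a lead for manual review, not proof of the behaviour.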
  2. TylerGred

    TylerGred Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    69
    Location:
    USA
Did your anti-virus detect it?

    Every trojan I've ever gotten, NOD32 detected it before TDS3 did...
     
  3. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    NOD32 could not detect it. I scanned the file over at virusscan.jotti.org and it found nothing.
     
  4. Try_Norman

    Try_Norman Guest

  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Nice one. Could you please be so kind as to zip it and submit it to submit@diamondcs.com.au, and if you send it to this board at webmaster@wilderssecurity.com it will be forwarded to all labs. Thanks a lot, and please keep us informed.

    Maybe it is not detected for not being malicious enough? :cool:
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
Is that "random" text a telltale sign? Because I've got this in Prevx Home (which keeps crashing). I edited the regular text out.

     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
Upload the file to me here please and I'll make sure it gets distributed to all the antivirus/anti-trojan vendors on my list.

    Please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press "new topic", fill in the needed details and give a link to your post here, then press the browse button and navigate to and select the files on your computer. If there is more than one file, press the "more attachments" button for each extra file and browse and select it, and when all the files are listed in the window press send to upload the files (do not post HJT logs there as they will not get dealt with).
     