Impossible Trojan Horse

Discussion in 'Trojan Defence Suite' started by dcdon, Oct 23, 2003.

Thread Status:
Not open for further replies.
  1. dcdon

    dcdon Guest

    Unbeknownst to me...(don't they always start out that way) a very large system hidden (of course) file shows up. Redirects Current User through its load bundle. And the only way it was discovered was bottle arsing through files, and discovers this 3 gig file. And I'll bet you're saying under your breath, "how could anyone not know that was there. Someone, a gamer, setup and running that type muscle throughput is undetected and the box gives not a clue?" Well, the short answer is, paranoid as it may seem (yeah, yeah), I have had great suspicions, but couldn't pin it down. Didn't say, I am not naive. At times the cable modem activity light stays solid more than breathes. So, me calls the provider, and I get an IQ of about 69, "Well, Mr. XYZ, every function is okay here, Do you want to reset the modem". To which, I bark, "No, I am running a firewall in full stealth mode, AVP current, Ad-aware, and SpyBot-S&D aggressive, and it's not on this end". If they only knew what was found on this end. After discovering this mojo file, I'm seriously looking for the greatest Trojan Horse kungFu kickarse program out there. And do my homework. Find this trick rad program named TD (touchdown) - 3 (my Sprint Car number). "It's an omen", says id to alter. Not... And then, I think, It's gotta be me. Please find that it's me.

    Can anyone tell me how I can double check to make sure this great looking program does not smell that stank air. Here are the files found only by a command prompt doing a "find" command.


    ---------- C:WINNT\SOB\3000
    c:\adlog.txt
    c:\blocklog.txt
    c:\recv_bp.txt
    c:\send_bp.txt
    c:\documents and settings\jwang\desktop\htlogs\%d.txt
    c:\documents and settings\jwang\desktop\htlogs\%d.txt
    c:\recv_ap.txt
    c:\send_ap.txt
    pec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    windir=C:\WINNT
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    windir=C:\WINNT
    \??\C:\WINNT\system32\winlogon.exe
    NTREM c:\config.sys.
    NTREM visible to an OS/2 program that opens c:\config.sys, however they are
    NTREM modify NT OS/2 config.sys configuration by editing c:\config.sys with
    REM OS/2 Apps that access c:\config.sys actually manipulate this information.
    PROTSHELL=c:\os2\pmshell.exe c:\os2\os2.ini c:\os2\os2sys.ini \cmd.exe
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\x509\x509_vfy.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_oaep.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_sign.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_asn1.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dh\dh_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\err\err.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\stack\stack.c
    4@c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rand\md_rand.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\pkcs12\p12_decr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\lhash\lhash.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\objects\o_names.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_enc.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_asn1.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_cert.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_ciph.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_rsa.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_sess.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\t1_enc.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_print.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_sock.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_buff.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_nbio.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bio_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_acpt.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_bio.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_conn.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bitstr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bytes.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_digest.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_dup.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_gentm.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_int.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_object.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_set.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_type.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_utctm.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_verify.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\asn1_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_dhp.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_r_pr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\p8_pkey.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_algor.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_attrib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_cinf.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_crl.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\e
    C:\WINNT\CSC
    C:\WINNT\system32\
    \??\C:\WINNT\system32\winlogon.exe
    SERSPROFILE=C:\Documents and Settings\All Users
    CommonProgramFiles=C:\Program Files\Common Files
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    CommonProgramFiles=C:\Program Files\Common Files
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    ProgramFiles=C:\Program Files
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    USERPROFILE=C:\Documents and Settings\don
    windir=C:\WINNT
    ProgramFiles=C:\Program Files
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    USERPROFILE=C:\Documents and Settings\don
    windir=C:\WINNT
    ÿÿÿÿ’Mu’Muÿÿÿÿ7’Mu;’MuC:\perfco_O.dat
    C:\MSHLOCAL.LOG
    C:\DEBUG.LOG
    c:\
    X±ÿÿÿÿÀÿ*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#


    nested in WINNT hidden System file.

    I know that I could run a Repair install routine, but I would like to know if this seemingly great program is going to work. BTW, I have already placed a folder around the file to keep it warm, but where "jwang" gets a "no one's home" when he wants to come play.

    Honestly, I'd like to catch "jwang" and change the octice on his choir.

    Thanks for your input,
    And I apologize for the novel.

    don
    ---------------
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Welcome Don, Your prose is leaving me wondering exactly what you want? :D
    If you download the trial version of TDS3 and the latest radius database & run a full scan, it is very unlikely that if TDS3 does not find a Trojan that you have one, You may also like to try Autostart Viewer available for free also from DCS.

    Pilli
     
  3. dcdon

    dcdon Guest

    Pilli,

    For starters, thank you very much for your very timely response. Very impressive. The prose is just to add a 'touch of class'.

    The straight of it is, I have already run TDS-3, w/ latest update file, on the "jwang" Trojan, and didn't get anything. This program is the reason I left the file on the system. Is there any way that the programmer can escape your scan?

    I know that I can run an installation repair, after nuking the files, after an ERD and full +system state backup, of course. I just wanted a kick arse Trojan scanner, and thought I had found "the one". What else can be done, before I bite the bullet, and is there an alternative way of removing this particular Trojan?

    Appreciate your answer at your convenience.

    Best regards,
    don

    BTW, kudos to whoever compiled the little forum proggie. Unique.
    ------------
     
  4. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi don..like your stuff and have been following it for a while now like 4 and twenty black birds baked in the pie :D

    **************************************

    You sure have a mystery there...you have been injected and I guess it is on the Win2K and not the 98...can't be a token ring but this might help...


    OpenSSL Security Advisory [17 March 2003]

    Timing-based attacks on RSA keys
    ================================

    OpenSSL v0.9.7a and 0.9.6i vulnerability
    ----------------------------------------

    Researchers have discovered a timing attack on RSA keys, to which
    OpenSSL is generally vulnerable, unless RSA blinding has been turned
    on.

    Typically, it will not have been, because it is not easily possible to
    do so when using OpenSSL to provide SSL or TLS.


    http://www.openssl.org/news/secadv_20030317.txt
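    The advisory quoted above names RSA blinding as the mitigation for the timing attack. The following is an added example (not OpenSSL's code, and not from anyone in this thread) showing what blinding does: the private-key exponentiation is performed on a randomised value and the randomness is stripped afterwards, so the timing of the modular exponentiation no longer depends on the attacker-chosen ciphertext. The key is a constructed toy built from two known Mersenne primes; `E`, `D`, `N` and the function names are this example's own.

    ```python
    import math
    import secrets

    # Constructed toy RSA key (assumption: small, for illustration only).
    # p and q are the Mersenne primes 2^127-1 and 2^89-1; 65537 does not divide
    # (p-1)(q-1) because the order of 2 mod 65537 is 32, and 32 divides neither 126 nor 88.
    P = (1 << 127) - 1
    Q = (1 << 89) - 1
    N = P * Q
    E = 65537
    PHI = (P - 1) * (Q - 1)
    D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)

    def rsa_private_unblinded(c: int) -> int:
        """Plain private operation: its running time depends directly on c."""
        return pow(c, D, N)

    def rsa_private_blinded(c: int) -> int:
        """Blinded private operation, as the advisory's mitigation describes.

        1. pick a random r coprime to N
        2. exponentiate c * r^e instead of c (the attacker does not know r)
        3. remove the blinding factor: (c*r^e)^d = m * r, so multiply by r^-1
        """
        while True:
            r = secrets.randbelow(N)
            if r > 1 and math.gcd(r, N) == 1:
                break
        r_inv = pow(r, -1, N)
        c_blind = (c * pow(r, E, N)) % N
        m_blind = pow(c_blind, D, N)       # time now depends on c_blind, not c
        return (m_blind * r_inv) % N

    def roundtrip_matches(m: int) -> bool:
        """Encrypt m with the public key and check both decryptions recover it."""
        c = pow(m, E, N)
        return rsa_private_blinded(c) == m == rsa_private_unblinded(c)
    ```

    The blinded and unblinded functions return identical plaintexts; the difference is only in what value the secret exponentiation is applied to.
    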
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi there dcdon,
    If TDS didn't detect it or alert you to anything suspicious but you suspect the file is/might be a trojan, please send it to submit@diamondcs.com.au for analysis, requesting in the email information on disinfection :)

    Best regards,
    Wayne
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I also think that the advice Pegasus gave you to run the text find thingie was a good idea for the 3000...but I would have taken a different approach to start.

    Wayne will sort it all out for you since there are certainly some things missing in that captured file you now have compiled.

    3 meg is a lot of junk..and if it really is a compromise to your system, the answer is yes..you can track it.

    Be Well,
    John
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    DCDon Wrote:
    A leading question but I can say that a new DCS tool will be out early next week which will certainly increase your PC's security by a large margin - prevention is better than cure ;)
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'm still waiting to see the results of ASViewer, but in short there is no such thing as a text file trojan. There is no scripting in the file and from what has been provided we have no idea what created that text file. Will gladly take a close look at autostarts and running processes via ASViewer / Hijack This
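    The point Gavin makes above (a text file with no scripting and no executable code is not a trojan, whatever strings it contains) can be checked mechanically. This is an added example, not DiamondCS's or the poster's code: it extracts printable strings from a blob the way a strings tool would, sorts them into the kinds of lines the dump at the top of the thread shows (environment-variable assignments, OpenSSL source paths, executable paths), and reports whether the file even starts with a PE (`MZ`) header. The `SAMPLE` bytes are constructed to resemble that dump; `classify` and `triage` are this example's own names.

    ```python
    import re
    import string

    # Constructed sample blob: environment-block dumps and OpenSSL source paths
    # embedded among binary junk, like the "find" output posted in this thread.
    SAMPLE = (
        b"\xff\xff\xff\xff\x92Mu"
        b"Path=C:\\WINNT\\system32;C:\\WINNT\x00"
        b"USERPROFILE=C:\\Documents and Settings\\don\x00"
        b"c:\\builds\\battlestar\\lroot\\src\\common\\openssl\\crypto\\rsa\\rsa_eay.c\x00"
        b"\\??\\C:\\WINNT\\system32\\winlogon.exe\x00"
        b"\x00\x01\x02junk\xff"
    )

    # Printable ASCII, keeping space but dropping other whitespace (like strings(1)).
    PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")

    def extract_strings(data: bytes, min_len: int = 4) -> list:
        """Return runs of printable ASCII at least min_len bytes long."""
        out, run = [], bytearray()
        for b in data:
            if b in PRINTABLE:
                run.append(b)
            else:
                if len(run) >= min_len:
                    out.append(run.decode("ascii"))
                run = bytearray()
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        return out

    def classify(s: str) -> str:
        """Label a string by the kind of artefact it looks like."""
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", s):
            return "env-var"            # e.g. Path=..., USERPROFILE=...
        if re.search(r"\.c$", s, re.I) and "\\" in s:
            return "source-path"        # compiled-in __FILE__ strings (openssl\...\x.c)
        if re.search(r"\.(exe|dll|sys)$", s, re.I):
            return "binary-path"        # a path to a binary is still just text
        if re.match(r"^(\\\?\?\\)?[A-Za-z]:\\", s):
            return "path"
        return "other"

    def triage(data: bytes) -> dict:
        """Summarise: does it carry a PE header, and what kinds of strings does it hold?"""
        counts = {}
        for s in extract_strings(data):
            kind = classify(s)
            counts[kind] = counts.get(kind, 0) + 1
        return {"pe_executable": data[:2] == b"MZ", "strings": counts}
    ```

    A file whose triage shows no PE header and only env-var, path and source-path strings is a log or debug dump that some program wrote, which is exactly why the next step in the thread is to look at autostarts and running processes rather than at the file itself.
    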
     