Memory Scan Trojan detected

Discussion in 'Trojan Defence Suite' started by suff, Sep 26, 2003.

Thread Status:
Not open for further replies.
  1. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Here's a twist, just ran a memory scan from TDS-3 app menu bar item, System testing >> Memory scan and received this message window:

    TDS has located a Trojan running alive in memory!
    Process details
    Alarm: RAT.GIP 1.x
    ProcID: 2256
    Filename: IEXPLORE.exe
    C:program Files\Internet Explorer\IEXPLORE.EXE

    Pressed ignore. Running W2K and have been bombarded recently with virus-laden emails. Deleted the affected email account name and the emails started to attack one of the two remaining addresses. Is this possibly related or just a false alarm? Properties of the file and its location appear correct.

    Any help greatly appreciated.

    PS Went to pcflank and it showed port 25685 closed, others stealthed. Mentioned "Moonpie" Trojan Rat 1 and "server.exe". Did search on hard drive and registry, not found.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Might be an idea to send a copy of iexplore.exe to Gavin for analysis just in case it has been changed.
    submit@diamondcs.com.au
     
  3. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Thanks. Just sent Gavin a copy of IEXPLORE.exe from the listed location. Ran TDS-3 again from the menubar and killed the process. Other browser windows still working.

    Thanks for quick reply. Enjoy that fourteenth cup of coffee!
     
  4. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    While I'm thinking of it, I have TDS-3 set up to run automatically at boot and when it runs at startup it did not catch this potential problem. Only when I manually ran from the menubar did the possible trojan get detected. Maybe I should be asking about setup issues and alarm settings in order to catch these little "********".


    Current config:

    Under TDS on menubar >> Configuration >> Startup shows everything checked with exception of CRC32 Files test. Saved under tds.cfg in custom folder.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Suff and welcome!
    I'd inspect that iexplorer.exe for instance on modification date.
    You might like to temporarily rename it, for example into iexplorer.exe.bak, so it can't be running and doing whatever kind of harm.
    Also check if there are more instances of the file.
    Maybe you can do a repair install via add/remove for internet explorer to try to have a fresh iexplorer.exe. In case you wouldn't succeed you can rename back the possible infected one.

    Didn't the other scanners tell where the moonpie and server.exe are located?

    In the current situation I wouldn't take TDS from the autostart after reboot; have it protecting as soon as possible, update daily and scan miles deep all through your system.

    I would activate the CRC32 scan too and add the iexplorer.exe to the list and more sensitive files you want to monitor for changes, like the exe files for scanners, firewall, win.ini, system.ini, tds-3 itself, etc.
    Adding TDS to the autostart shouldn't make any difference in detection of the memory as it looks for malicious code. More because the other scans told you about the other possible infections.

    If you want to see what's going on on your system with connections, get also immediately Port Explorer (free evaluation) showing every connection to internet and which applications are responsible for them.
    With PE you can spy on datapackets, disable or completely kill a connection.

    Find among others here info about MoonPie
    http://www.dark-e.com/archive/trojans/moonpie/13/index.shtml
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Perhaps a false alarm, but which memory scanner was it? See the help file for object memory detection; if it was this then it was most likely a DLL injector, so we need to scan DLLs or do a full scan with the latest database.

    SIMPLE way to look for DLL injection in IE: if injected into iexplore.exe then this process will be there even though you haven't started IE yet. So check that as soon as you reboot. If injected into explorer.exe then you can see it using sockets with Port Explorer of course.

    If possible, use APM to unload the module from IEXPLORE.EXE
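The triage Gavin describes (an iexplore.exe present before IE was launched, modules loaded from unexpected directories, and the fixed Moonpie listener ports Jooske lists later in the thread) as an added example; this is not TDS-3, APM or DiamondCS code, and the snapshot format, trusted-directory list and sample records are constructed for illustration:

```python
"""Triage a process/module snapshot for signs of DLL injection into iexplore.exe.

Added example, not part of the original thread. A real listing of loaded
modules would come from a module viewer; here it is a constructed dict.
"""
from typing import Dict, List, Set

# Directories a stock Internet Explorer on W2K would normally load modules from
# (assumed list; extend for a real system).
TRUSTED_DIRS = {
    r"c:\winnt",
    r"c:\winnt\system32",
    r"c:\program files\internet explorer",
    r"c:\program files\common files",
}

# Listener ports from the Moonpie description posted in this thread.
MOONPIE_PORTS = {25685, 25686, 25982}


def suspicious_modules(modules: List[str]) -> List[str]:
    """Return module paths whose directory is not in TRUSTED_DIRS."""
    out = []
    for path in modules:
        norm = path.lower().replace("/", "\\")
        if norm.rsplit("\\", 1)[0] not in TRUSTED_DIRS:
            out.append(path)
    return out


def triage(snapshot: Dict[str, List[str]], listening: Set[int], ie_launched: bool) -> List[str]:
    """Return human-readable findings for a snapshot of {process: [module paths]}."""
    findings = []
    for proc, modules in snapshot.items():
        if proc.lower() == "iexplore.exe" and not ie_launched:
            findings.append("iexplore.exe is running before the user started IE (possible injected host)")
        for m in suspicious_modules(modules):
            findings.append(f"{proc}: module loaded from outside trusted dirs: {m}")
    hit = sorted(listening & MOONPIE_PORTS)
    if hit:
        findings.append(f"Moonpie listener ports open: {hit}")
    return findings


# Constructed sample snapshot; inject.dll is a placeholder name, not a real Moonpie file.
SAMPLE_SNAPSHOT = {
    "IEXPLORE.EXE": [
        r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
        r"C:\WINNT\system32\kernel32.dll",
        r"C:\WINNT\temp\inject.dll",
    ],
    "explorer.exe": [r"C:\WINNT\explorer.exe", r"C:\WINNT\system32\shell32.dll"],
}
SAMPLE_PORTS = {135, 139, 25685}  # constructed: what a port test might report as open

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT, SAMPLE_PORTS, ie_launched=False):
        print(line)
```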
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    A new or patched trojan, possibly. We do need to find what DLLs are loaded and then send us the file to analyse. PM me for a private address to email me directly.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For known Moonpie i have this other description
    Name: Moonpie
    Aliases: N/A
    Ports: 25685, 25686, 25982 (ports can not be changed)
    Files: Moonpiebeta3.zip - Moonpie10.zip - 482,228 bytes Moonpie1.1.zip - Moonpie1.2.zip - Moonpie.exe - 273,408 bytes Server.exe - 224,408 bytes Winsys.exe -
    Created: Dec 2000
    Requires: N/A
    Actions: Remote Access / Keylogger
    Telnet can be used as client to port 25982 and record anything typed on the infected computer.
    Versions: beta3, 1.0, 1.1, 1.2,
    Registers: HLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Notes: Works on Windows 95, 98 and ME. Telnet can be used as client.
    Country: written in Germany
    Program: N/A
     
  9. suff

    suff Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    9
    Performed a search on the computer, all drives, for files moonpie*.*, moon*.* and nothing was found. Performed a search for server.exe and found one in the Microsoft Office and Microsoft Visual Studio folders, but neither matches the size stated in the post. Found nothing in a search for winsys.exe as well.

    As stated earlier, when doing a test on pcflank.com this port 25685 showed closed but not stealthed. Performed a manual scan utilizing TDS-3 and trojan dialog window appeared stating IEXPLORE.EXE was a trojan. After rebooting and getting the same results from both pcflank and TDS-3, I opened Port Explorer app and killed process. Subsequent tests utilizing TDS-3, pcflank, and Port Explorer have shown nothing.

    IEXPLORE was in the C:\Program Files\Internet Explorer folder.

    Thanks for any and all advice!
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    No.. I know Moonpie very well. It stopped over a year ago too, but the source was available then. So maybe a DLL version someone has gone on to make.. If there is a suspicious DLL I will look at it though. Just waiting more info in private so no need to worry about this thread anymore, and thanks! :)
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi suff,

    Be sure to get back to me by email about what I asked; it's not IEXPLORE.EXE that was the problem. The fact that it was there would mean possibly a DLL INSIDE IT which is the problem. Have you actually run a Full System Scan with TDS yet? The object memory scan gives the alarm and you can press Kill Process to kill the trojan for now if you need to get online.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Gavin, could it be an idea to rename or zip the current iexplorer.exe (not delete) anyway and do a repair internet explorer from the Add/remove? (hoping a clean iexplorer.exe will be put back to surf with?)
    I would if it was my system to be very sure.
    Hoped so much the sent sample would have told you more.

    Yes, saw you know the Gip and Moonpie very well with the many references in the primaries list!

    And keep watching Port Explorer when connected to internet for everything happening.
     