New Trojan Found

Discussion in 'Trojan Defence Suite' started by Zach Echlin, Jun 17, 2003.

Thread Status:
Not open for further replies.
  1. Zach Echlin

    Zach Echlin Guest

    I began working on a computer today running Windows 2000 SP3 that had some strange problems. The user complained that ZoneAlarm would not start up on this computer.

    I started looking through his computer. After just a few minutes I found programs that were using funny names to start up, like serany.exe, task32.exe and server.exe. Norton Antivirus wasn’t checking any of these files so I downloaded TDS. After installing it and scanning, it found numerous files that contained the RAT Trojan.

    One of the files it found was in a folder named c:\winnt\system32\dhcp\files. When I went and opened this folder I found a bunch of other files which I have zipped in a folder and uploaded to my website. It can be downloaded at
    Link removed. Available by request to AV and AT vendors only. Pieter

    I've deleted the services that this Trojan creates. I cleaned up the startup entries that it put in the registry. The trouble is that when I startup the computer it still kills the Norton AntiVirus and ZoneAlarm processes.

    Using TCPView and Process Explorer from Sysinternals I’ve removed all the suspicious files accessing the Internet. I don’t think the Trojan is fully removed. Should I just reformat the computer and start over? What do the files in the possible-trojan.zip do? I hope I'm making sense. If not please ask me to clarify. Thanks in advance for your help.

    --
    Zach Echlin
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Zach,

    I removed the download link in your post because it is against our TOS.
    I have made it available to DiamondsCS and Eset.
    Other AV and AT vendors can contact me by IM to get the link.

    Regards,

    Pieter
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks, I'm not at work and will need a little sleep soon, but I trust I can get a copy tomorrow :) We'll let you know what to do.

    If there is a folder created by a trojan like that then it probably contains only scripts and other trojan files which can all be deleted. For now just kill any running EXE files in there. Then there isn't really a danger since you know what you are doing. You might like Port Explorer :D
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Yes this is a trojan, delete the entire folder "files" inside your

    Windows\System32\dhcp\

    It is mIRC-based and uses a vulnerability scanner, xScan, to find more machines. Immediately set a STRONG Admin password on your machine.. well, on all accounts, and delete any accounts you don't recognise. This thing uses your machine to scan for more people with no/weak admin password and infect them too :mad:

    Disable the guest account as well if you have it enabled !
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This is looking nastier the more I look at it..

    Email me (gavin@diamondcs.com.au) if you need more help, a lot of changes have been effected once your machine was taken. If possible a backup or format would be good, if you can do this easily it might be best :) Then you can secure the machine properly before anything like this happens again.
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You had better email me this :rolleyes:

    C:\winnt\system32\server.exe

    And if there is a service called New VDL System Control Verifier then stop and disable it.. if you can't find this then I'll probably be recommending a format when you email me :doubt:
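
    The steps Gavin gives in posts 4 and 6 (check the accounts, disable Guest, set a strong Administrator password, stop and disable the named service, look at what else starts automatically) can be run as one triage script. The block below is an added example, not code from this thread or from DiamondCS, written for a current Windows host (Windows 10 / Server 2016 or later, PowerShell 5.1+, elevated prompt), not the Windows 2000 machine in the thread. The folder, file and service names are the ones quoted above; the `$KnownAccounts` list and the path rule in step 4 are assumptions to adjust for your own machine.

```powershell
# Added example: account and service triage after a compromise like the one in
# this thread. Assumes Windows 10 / Server 2016 or later with PowerShell 5.1+,
# run from an elevated prompt. Paths and the service name come from the thread;
# $KnownAccounts and the path rule in step 4 are assumptions to edit per host.

$SuspectFolder  = Join-Path $env:SystemRoot 'System32\dhcp\files'
$SuspectFile    = Join-Path $env:SystemRoot 'System32\server.exe'
$SuspectService = 'New VDL System Control Verifier'
$KnownAccounts  = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# 1. Local accounts: report enabled accounts you did not create, then disable Guest.
foreach ($u in Get-LocalUser) {
    if ($u.Enabled -and $u.Name -notin $KnownAccounts) {
        Write-Warning ("Unrecognised enabled account: {0} (password last set {1})" -f $u.Name, $u.PasswordLastSet)
    }
}
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name 'Guest'
    Write-Warning 'Guest account was enabled; it is now disabled.'
}

# 2. New Administrator password, read interactively so it never sits in a script.
$pw = Read-Host -AsSecureString 'New Administrator password (14+ characters, random)'
if ($pw.Length -lt 14) { throw 'Password too short; pick a longer one.' }
Set-LocalUser -Name 'Administrator' -Password $pw

# 3. The service named in the thread: record its binary, then stop and disable it.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $SuspectService -or $_.DisplayName -eq $SuspectService }
if ($svc) {
    Write-Warning ("Service '{0}' runs {1}" -f $svc.DisplayName, $svc.PathName)
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc.Name -StartupType Disabled
} else {
    Write-Host "Service '$SuspectService' not found."
}

# 4. Other auto-start services whose binary lives outside the Windows and
#    Program Files trees. A dropper under System32 (as in this thread) will not
#    trip this rule, so also read the full list for names you do not recognise.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and
                   $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, DisplayName, State, PathName |
    Format-Table -AutoSize

# 5. Run keys, then the two locations the thread names.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($k) {
        foreach ($name in $k.GetValueNames()) {
            "{0}\{1} = {2}" -f $key, $name, $k.GetValue($name)
        }
    }
}
foreach ($p in $SuspectFolder, $SuspectFile) {
    if (Test-Path -LiteralPath $p) {
        Write-Warning "Present: $p (copy it for the AV/AT vendor before deleting)"
    }
}
```

    Run it once, keep the output, and copy anything it flags before deleting it, since the vendors in this thread asked for samples. Step 2 deliberately prompts rather than taking the password as a parameter so the new password never ends up in a script file or shell history.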
     
  7. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :eek: wow, that's one major nasty

    ekkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk

    I'm scared, is this a new nasty or an old one

    'cause that's some scary stuff
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    In case some people are wondering 'why format? why not just try to disinfect?', one problem with a highly compromised machine is that you don't know what other compromises have been made as a result of the initial one. In other words, being infected by one trojan often opens the door for hackers to execute anything on your system so one attack vector can create many others, and as there is no concrete way to determine what other malicious software has been executed, the only way to ensure your system is restored to a clean state is to format and reinstall the operating system. This isn't so much a problem with viruses as they rarely open other attack vectors, their goal is simply to infect and spread, not to give access to hackers as trojans do.
     
  9. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :'( so basically your PC has AIDS or cancer, it spread all over, that sux

    :( I'm so sorry for anyone that gets this

    :doubt: but Wayne, my PC with my fully upgraded TDS and updated database with execution protection enabled would protect me from that nasty, right?
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This trojan has about 100 files. I can tell exactly what it is, a growing threat facing NT/2000/XP users these days. It's setting the victim machine up as a fileserver for XDCC bots on IRC channels. This one also uses a vulnerability scanner to find more machines with no ADMIN password, or a weak password, or a guest account enabled.

    If you haven't deleted the files yet, or are going to format anyway Zach.. try running

    Windows\System32\dhcp\files\copy\remall.bat

    This is included by the hackers to enable removing of services they added, users, turn off the terminal server and more. I'm not yet sure of the extent of removal from this, but there will surely be some things left over or not right.

    This analysis will take a great deal of time, so Zach best to email me and we will keep up to date on your status. If you don't want to format perhaps you won't NEED to, although it's recommended for reasons mentioned by Wayne above.

    STRONG ADMIN passwords please NT/2000/XP people! Especially you .EDU's which are the prime target of XDCC hackers :doubt:
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I had occasion once to support a department of an edu (in this case a Class C net) and it was policy to forbid the use of firewalls (or even NAT) in order to preserve some right or another (I never did understand the rationale, I was too busy being horrified by the implications!)
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Gavin or Wayne, As XP has a system restore capability, will using it to a time prior to infection (if known) get rid of the problem? Or can these Trojans still reactivate?

    Personally I make regular disk images after doing full virus, trojan, spyware scans & a disk clean up. This is useful when system restore won't work especially when beta testing :D
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I think that would remove it, since the registry at that time wouldn't have all the services installed. The files could be deleted and a strong Admin password set, then we could carefully check if any components were left behind..

    Zach, if you still have the machine in that state, I found reference to a few more files it has installed, so I would love a copy if possible :)
     
  14. wizardavc

    wizardavc Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    31
    Isn't "attackers" a better word than hackers? Most people who use trojans on others are script kiddies, not hackers.
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Ahh I wish I had as much spare time as you ... :)
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    This "trojan" is effectively a HACK kit, so not in this case :)

    The trojan in question is simply an automation of what could be done manually, and surely would be best called a hack - isn't that what you would call connecting to port 445 for a null password or dictionary attack on the Administrator account?

    This takes it further, being automated and becoming somewhat like a worm, but it is simply an automated hack, sorry :D
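
    The activity Gavin describes here, repeated logon attempts against the Administrator account over port 445, leaves a trail in the Security log as failed network logons, which is the practical way for a defender to notice a kit like this probing their machines. The script below is an added example, not code from this thread or from DiamondCS, that groups recent failures by source address and target account and reports bursts. It assumes a current Windows host where a failed logon is event 4625 (NT/2000 recorded the equivalent as event 529), PowerShell 5.1+ run elevated so the Security log is readable; the one-hour window and the 20-failure threshold are assumed starting values, and the file name used in the usage note is hypothetical.

```powershell
# Added example: surface bursts of failed network logons (event 4625), the
# footprint of a password-guessing run against Administrator over SMB.
# Assumes PowerShell 5.1+ on Windows 10 / Server 2016 or later, run elevated.
# $Hours and $Threshold are assumed starting values; tune them for your hosts.

param(
    [int]$Hours = 1,
    [int]$Threshold = 20
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML so we do not depend
# on positional property indexes.
$rows = foreach ($e in $events) {
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Source    = $field['IpAddress']        # '-' for local console failures
        Station   = $field['WorkstationName']
        Account   = $field['TargetUserName']
        LogonType = $field['LogonType']        # 3 = network, the type SMB logons use
        Status    = $field['Status']           # 0xC000006D bad credentials, 0xC0000234 locked out
    }
}

$rows |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Source, Account |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Source   = $sorted[0].Source
            Station  = $sorted[0].Station
            Account  = $sorted[0].Account
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Statuses = ($sorted.Status | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Failures -Descending |
    Format-Table -AutoSize
```

    Saved as, say, `Find-LogonBursts.ps1` (a name assumed here), `.\Find-LogonBursts.ps1 -Hours 6 -Threshold 10` widens the window and lowers the bar. A source that appears against many accounts at a low per-account count is a spray rather than a dictionary run against one account, so it is worth grouping by `Source` alone as a second pass; on the 2003-era hosts in this thread the same signal is in the 529 events, read through the Event Viewer instead.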
     