New Trojan Found

Discussion in 'Trojan Defence Suite' started by zechlin, Mar 6, 2005.

Thread Status:
Not open for further replies.
  1. zechlin

    zechlin Guest

    I found this on one of my client's computers. Does anyone have any ideas what this is? Once it gets in memory you can't see the file anymore in Explorer. Its process doesn't show up in Task Manager, but shows up for a second in Process Explorer. Below is a zip with the trojan. Please feel free to contact me at if you have any questions.

    Deleted URL & email address. Pilli
     
    Last edited by a moderator: Mar 6, 2005
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Zechlin, I removed your email addy for safety and the URL for Admin review:

    Thanks. Pilli
     
  3. zechlin

    zechlin Guest

    Not a problem. I appreciate the help!
     
  4. zechlin

    zechlin Guest

    I did some reading and I don't think it's the f0r0r trojan. NAV Corp, AVG, and TDS-3 couldn't detect it.

    In all my years this is the strangest little "program" I've ever seen.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK, hopefully someone will report back here about it :)
     
  6. zechlin

    zechlin Guest

    Is the Gavin the Great working on it as we speak? :) I'm all ears!
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Zechlin, welcome to the forum.
    Feel free to register as a member (free) so people can PM you.

    Please never post links to malware in any forum, where less experienced users could get themselves into big trouble.
    Just submit the zip to developers' laboratories, like submit@diamondcs.com.au, where they will come back to you with proper analysis and advice.

    Pilli beat me :) to removing the link and your addy, and made sure the link is in Gavin's hands indeed :cool:
    Yes, we're all interested to know about the report.

    Was there more on your client's system? As many nasties don't come alone!
     
  8. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    Yes, PSW.Briss.D was found on the machine as well as a lot of Spyware. Thanks!
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Welcome as a new member and congratulations on your first member posting! :)

    Glad you are cleaning out the system. It can take a few hours for Gavin to get back to us but fortunately they are in Perth half a day ahead of many!
     
  10. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    I downloaded that file earlier.

    McAfee, Bitdefender, Escan, A2, Ewido, VirusTotal and Jotti all reported nothing. Although Jotti did report a long sandboxing time and advised caution.

    Looks suspect though.
     
  11. PaRaNoiD_JaCK

    PaRaNoiD_JaCK Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    5
    Sounds like some sort of rootkit. Perhaps the new generation of spyware is here.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    From DvK01: "It's very possible it's a new variant of BUBE as that tries to infect explorer.exe and some of the strings inside the file look remarkably similar (but then most malware ones do) and that hides itself when it has installed as well."

    HTH Pilli
     
  13. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    According to Jotti it's been packed with Yoda Protector http://yodap.cjb.net/. That's why you can't find any strings in it.

    Yoda Protection features:
    * Compress Sections.
    * Polymorphism encryption.
    * Import Table encryption/destruction.
    * Anti Debug API's.
    * SoftICE detection.
    * CRC checking.
    * API Redirection.
    * Anti Dumping.
    * Erase PE Header.
    * Anti Debugger.
    * Destroy relocation information.
    * Destroy debug information.
    * Eliminate DOS header.
    * Optimize DOS header.
    * Support OCX, DLL, and SCR files.
     
  14. Happy Bytes

    Happy Bytes Guest

    It is packed with yodaprotector. Just checked it with a disassembler. Besides this, the file shows "yP" as section name, which is the default section name for this protector. I'll take a look at it tomorrow.
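    The two posts above (Jotti's packer identification and the "yP" section name) describe a triage check that is easy to script. The following is an added example, not code from the thread or from any of the tools named in it: it reads the section table of a PE file and flags section names known to belong to packers. The "yP" entry comes from the thread; the UPX entries are a well-known addition the thread does not mention. The sample PE header it runs on is constructed inline (headers only, no code), not the file the thread discusses.

```python
"""Read PE section names and flag packer section names (added example, not from the thread)."""
import struct

# Section names associated with packers. "yP" is the Yoda Protector default
# named in the thread; the UPX names are a well-known addition not in the thread.
PACKER_SECTION_NAMES = {
    "yP": "Yoda Protector (default section name)",
    "UPX0": "UPX",
    "UPX1": "UPX",
}


def parse_section_names(data: bytes) -> list:
    """Return the section names of a PE image; raise ValueError on malformed input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte "PE\0\0" signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size  # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8]  # 8-byte, NUL-padded name field
        names.append(raw.split(b"\0", 1)[0].decode("ascii", errors="replace"))
    return names


def packer_hints(names) -> list:
    """Map section names to packer descriptions; absence of a hit proves nothing."""
    return [f"{n}: {PACKER_SECTION_NAMES[n]}" for n in names if n in PACKER_SECTION_NAMES]


def triage(data: bytes) -> dict:
    """Summarise one file: parse status, section names and packer hints."""
    try:
        names = parse_section_names(data)
    except ValueError as exc:
        return {"pe": False, "sections": [], "hints": [], "error": str(exc)}
    return {"pe": True, "sections": names, "hints": packer_hints(names), "error": None}


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal PE32 skeleton (DOS stub, COFF header, zeroed optional
    header, section headers) with the given section names. Constructed test input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224  # size of a PE32 optional header, contents left zeroed
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    secs = b""
    for name in section_names:
        secs += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    sample = build_sample_pe([".text", "yP"])  # constructed, mimics the "yP" observation
    print(triage(sample))
    print(triage(b"not a pe at all"))
```

    A packer section name is only a hint for triage: legitimate software is packed too, and a protector can rename its sections, so a hit means "unpack before judging", not "malicious", and a miss means nothing at all. The parser deliberately refuses truncated or non-PE input instead of guessing, because a crafted header is exactly where a hasty reader misreads offsets.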
     
  15. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    Anyone have any ideas what this trojan does? Let me know what you think. Thanks!
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nice can o' worms Dvk :) It's a bank holiday in Western Australia today so Gavin might not respond until tomorrow (Tuesday)
     
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    They seem to have more Public Holidays in Western Australia than I have hot dinners :D
    I suppose that is where the laid back happy approach we see in all the Aussie visitors to the UK comes from. Perhaps we should have a few more Public Holidays here as well :D *puppy* *puppy* *puppy* *puppy*

    http://www.smilies.our-local.co.uk/index_files/haphol.gif
     
  19. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    Anyone else hear those crickets?
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah cricket, Now that is a serious game that the Aussies pinched from us Brits and now think they own it ;)

    Off topic Pilli :eek:
     
  21. zechlin

    zechlin Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    9
    Location:
    Vancouver, WA
    Just received the following email from Gavin:

    Hi,

    Definitely malicious, some sort of spyware or adware
    Nuke it, I'll have to unpack it and analyse it much more before being able to add detection

    Best regards,
    Gavin
     
  22. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    I received a reply from McAfee today.

    ------------------------------------------------------------
    Potentially Unwanted Program added: Adware-StripPlayer
    AVERT(tm) Labs, Aylesbury


    Synopsis -

    The thread is related to a backdoor but the sample submitted doesn't seem to
    be related to that.
    However, we found a dialer embedded into the encrypted body so we added
    detection as Adware.

    Please note that Adware are not viruses. This detection requires either the
    command-line scanner (with /PROGRAM) or VirusScan 7 or later. Users running
    VirusScan 7 or later can enable application or joke detection via the
    configuration option "Find potentially unwanted programs" within the
    VirusScan GUI.
     