Troj/Amitis.11. ZoneAlarm and Norton Firewall

Discussion in 'malware problems & news' started by Technodrome, Sep 29, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    The main part of this Trojan is the server part. After the victim executes this file, the hacker/intruder is able to control the victim’s computer.

    This Trojan can pass Zone Alarm and Norton PF
    It will close firewalls that it is not able to pass
    Trojan will make five copies of itself into windows dir
    It will replace itself if the main file gets deleted
    This Trojan will run on windows startup and will connect to NET automatically
    It will disable the ALT+CTRL+DEL for more security
    It does not write any strings to registry so the victim won’t be able to find it in the registry
    Server is able to send email to the controller and tell the victim's IP and other necessary information
    Server is hidden in ALT+CTRL+DEL list
    Works on (9x/Me/2000/XP)

    Size of this file is only 110 KB and 29 KB in ZIP mode!

    Trojan Assembled: September 19, 2002
    Trojan Released: September 24, 2002

    This Trojan is not detected by Trojan Hunter and Trojan Remover


    Technodrome
     

    Attached Files:

  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:Trojan Amitis 1.1 released!

    Tech...smiles to you looks like we were on the same track..do you want me to move mine over to your thread and delete mine.o_O can easily be done.


    John
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    VSantivirus No. 813 - Year 6 - Sunday, 29 September 2002

    Troj/Amitis.11. Evades ZoneAlarm and Norton Firewall
    http://www.vsantivirus.com/amitis11.htm


    Name: Troj/Amitis.11
    Type: Remote access Trojan horse
    Alias: W32/Amitis.11, Win32/Amitis.11, Backdoor-AKZ, Backdoor.Trojan Clie, Amitis 1.1
    Date: 27/Sep/02
    Platform: Windows 32-bit
    Size: 106,496 bytes (server), 29 KB compressed


    This Trojan, written in Microsoft Visual Basic 6, allows remote control of the infected computer once it has been executed on that machine, generally by means of deception.

    The complete package consists of the following files:
    actskin4.ocx
    Amitis.exe
    Edit Server.exe
    MSCOMCTL.OCX
    MSINET.OCX
    MSWINSCK.OCX
    read me.txt
    Server.exe
    TABCTL32.OCX

    Of these, Amitis.exe (389,120 bytes) is the client, used by the attacker to connect to the server (Server.exe, 106,496 bytes) on the infected machine.

    The latter, whose name (Server.exe) should be taken only as a reference, since the attacker can easily rename it, is the file that can be sent to our machine for execution by some social engineering method (for example, making us believe it is a utility). It is the only file in the package we need to receive to become infected.

    This Trojan has the characteristic of evading the ZoneAlarm and Norton Firewall firewalls. Although it is not widely distributed, this characteristic makes it a potential threat, which is why we always recommend keeping the antivirus up to date and not executing anything that was not requested.

    When the Trojan is executed, it will create up to five copies of itself within the Windows directory and others.

    If the Trojan is deleted, it is able to replace itself as long as it remains in memory, so special care must be taken when deleting it manually.

    The Trojan will be executed at each Windows restart and will connect to the network as soon as it detects an active connection.

    For the former, it modifies the WIN.INI file in the [Windows] section:

    [Windows]
    load=c:\windows\server.exe

    Remember that "server.exe" is mentioned only as a reference; it can be any other name.

    It also disables the CTRL+ALT+DEL keys, so the Trojan's task cannot be "killed" while it is active.

    It is able to send an e-mail message to the attacker reporting the victim's IP address. This and other parameters are defined beforehand by the attacker with the Trojan's editor (Edit Server.exe).

    Finally, the attacker can take control of the infected machine and carry out innumerable tasks covertly.


    IMPORTANT:

    If the Trojan has been installed on the system, it is possible that your computer has been accessed remotely by an intruder without your authorization. This is more critical if it was connected to a network. Therefore it is impossible to guarantee the integrity of the system after the infection. The remote user may have made changes to your system, including the following actions (among other possible ones):

    - Theft or modification of passwords or password files.

    - Installation of any software that enables remote connections, such as backdoors.

    - Installation of programs that capture everything typed by the victim.

    - Modification of the installed firewall rules.

    - Theft of credit card numbers, banking information, personal data.

    - Deletion or modification of files.

    - Sending of inappropriate or incriminating material from the victim's mail account.

    - Modification of access rights to user accounts or files.

    - Deletion of information that could expose the attacker's activities (logs, etc.).

    These actions are given only as examples; they should not be taken as the only possible ones.

    If you use your PC, or it belongs to an organization that by its nature demands to be totally secure, it is recommended to erase the entire contents of the hard disk, reinstall the operating system from scratch, and recover your important files from a previous backup copy.

    Then change all your passwords, including those of other users you have access to from your computer.

    In the case of a company with corporate networks, contact your administrator to take the necessary actions to change all access credentials, as well as to reinstall Windows on all computers.

    This is the only safe way of not jeopardizing your security in the face of the possible changes made by the Trojan.

    In any case, and without forgetting the precautions mentioned, the following plan of action can be suggested for an attempt to remove the Trojan manually.
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re:Trojan Amitis 1.1 released!

    Oh ok! I was going to move mine to yours! :D

    It's all cool now!

    Thank you Primrose
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Re:Trojan Amitis 1.1 released!

    September 29 2002, 9:39 AM EST

    I'll just add that DrWeb (by using heuristics) is able to detect this Trojan!
    KAV is not detecting it yet!


    Technodrome
     
  6. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Re:Trojan Amitis 1.1 released!

    NOD32 detects it. Only one report in Australia so far ... on 26 September.
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Re:Trojan Amitis 1.1 released!

    Now it should be very clear for some of us that good heuristics are the most important part of a virus scanner! :D
     
  8. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Yes NOD32 detects all 3 components!


    Technodrome
     

    Attached Files:

  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Re:Trojan Amitis 1.1 released!


    Primrose gives a knowing NOD and a big :D on his cake hole> ;)

    WTG guys. :cool:
     
  10. FanJ

    FanJ Guest

    In the Primary list of TDS-3:
     

    Attached Files:

  11. Vampirefo

    Vampirefo Guest

    Ok, I downloaded and ran this Trojan. It's all hype: first of all, NAV detected it. True, TH didn't detect it, but it's easy enough to make rules for it though.

    Now let's cut through the misinformation: the Trojan didn't shut down Kerio. Kerio popped up and asked me to let it out, I said no, and the Trojan was stopped. The Trojan makes a registry entry here:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "load"="e:\\windows\\server.exe
    open=e:\\windows\\server.exe"


    Now the other misinformation: the Trojan doesn't disable Ctrl+Alt+Delete. I have a pic showing it running in my task manager.
     

    Attached Files:
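    Vampirefo's registry entry above and the WIN.INI [Windows] load= line quoted in the VSantivirus write-up earlier in this thread are the same autostart mechanism: on the NT family the load/run values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows replaced the INI entries. The script below is an added example for checking those two locations offline; it is not code from the thread, from VSantivirus or from any of the products named. It parses a constructed WIN.INI fragment and a constructed regedit export (the two server.exe paths are the ones quoted in the thread, every other value is made up) and lists each program those locations would start at logon.

```python
import re
from typing import List, Tuple

# Constructed WIN.INI fragment. The load= line mirrors the entry the
# VSantivirus write-up describes; the other lines are ordinary defaults.
WIN_INI_SAMPLE = """\
[windows]
load=c:\\windows\\server.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed regedit export of the NT-family equivalent of WIN.INI [windows].
# The "load" data mirrors the path Vampirefo reported; the rest is made up.
REG_EXPORT_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="e:\\windows\\server.exe"
"run"=""
"Device"="HP LaserJet,winspool,LPT1:"
"""

AUTOSTART_NAMES = ("load", "run")
Finding = Tuple[str, str, str]   # (source, value name, program)


def _split_programs(value: str) -> List[str]:
    """load= and run= accept several programs separated by spaces or commas."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def parse_win_ini(text: str) -> List[Finding]:
    """Programs started by the [windows] section's load=/run= lines."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() in AUTOSTART_NAMES:
            findings += [("WIN.INI", name.lower(), p) for p in _split_programs(value)]
    return findings


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> List[Finding]:
    """Programs started by the load/run values of HKCU\\...\\Windows NT\\CurrentVersion\\Windows."""
    findings: List[Finding] = []
    in_target = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_target = line[1:-1].lower().endswith(r"\windows nt\currentversion\windows")
            continue
        match = _REG_VALUE.match(line)
        if not (in_target and match) or match.group("name").lower() not in AUTOSTART_NAMES:
            continue
        # Undo the two escapes regedit applies to REG_SZ data.
        data = match.group("data").replace('\\"', '"').replace("\\\\", "\\")
        findings += [("HKCU\\...\\Windows", match.group("name").lower(), p)
                     for p in _split_programs(data)]
    return findings


def audit(win_ini: str, reg_export: str) -> List[str]:
    """One report line per autostart program. A clean install leaves both
    load= and run= empty, so every entry here deserves a look."""
    return [f"{src}: {name}= -> {prog}"
            for src, name, prog in parse_win_ini(win_ini) + parse_reg_export(reg_export)]


if __name__ == "__main__":
    for line in audit(WIN_INI_SAMPLE, REG_EXPORT_SAMPLE):
        print(line)
```

    On a real machine the two inputs would be the contents of %windir%\win.ini and a `regedit /e` export of the key; the parser only reports, so the file names it prints still have to be examined (Vampirefo's later post on the version-info product name is one such check).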

  12. Vampirefo

    Vampirefo Guest

    Here is a pic of NAV detecting it. The server is easy to kill: TH Guard will kill it with my user-defined rules, or one can just Ctrl+Alt+Delete and kill the Trojan. I can't find one firewall this Trojan can get by, or one firewall this Trojan disables. I don't use the two firewalls, ZA and Norton, but I would have to see it get by them. I believe these firewalls will flag it just like Kerio does.
     

    Attached Files:

  13. Vampirefo

    Vampirefo Guest

    Last pic. You guys just made it out to be a super Trojan when in fact it's not much: very easy to detect and kill. But hey, your posts got my curiosity up, and I had to test the Trojan; no harm, no foul.

    I guess the good news was that NOD and NAV were already on top of it.
     

    Attached Files:

  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Was actually hoping you would come up with the Zone Alarm and Norton Firewall to defrock this one..but never doubted Kerio could handle the load. I do not even think anyone mentioned that firewall to date. Super trojan o_O?...no just one of many..right now you..I..tech..could pull up 20 others that are not even here...but VSAntvirus did have a nice write up ;-)
     
  15. FanJ

    FanJ Guest

    Thanks Vamp for the info ! ;)
     
  16. Vampirefo

    Vampirefo Guest

    Please read Technodrome's post again:

    This Trojan can pass Zone Alarm and Norton PF
    It will close firewalls that it is not able to pass
    Trojan will make five copies of itself into windows dir
    It will replace itself if the main file gets deleted
    This Trojan will run on windows startup and will connect to NET automatically
    It will disable the ALT+CTRL+DEL for more security
    It does not write any strings to registry so the victim won’t be able to find it in the registry
    Server is hidden in ALT+CTRL+DEL list

    It will close firewalls that it is not able to pass: No, it won't.

    Trojan will make five copies of itself into windows dir: No, it doesn't.

    It will replace itself if the main file gets deleted: No, it doesn't.

    It will disable the ALT+CTRL+DEL for more security: again, no, it doesn't do this either.

    It does not write any strings to registry so the victim won't be able to find it in the registry: Yes, it does: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    Server is hidden in ALT+CTRL+DEL list: It's clearly visible, nothing hidden.

    If this Trojan did all of what was posted above it would fall under the category of a super Trojan.

    But it doesn't do any of them. Where, oh where, did this information come from?
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Well it is going to be an interesting one that is for sure..thanks again Vamp..maybe we can find the source of the analysis...VSantivirus...I gave you the link here..is usually pretty accurate, for Rico and others usually pull the thing apart.. just like you have..also, his site is very big on ZA..I mean real big..so he would not be out to publish that if he did not have some concern....those are my only thoughts on it at this point..let's see what transpires.
     
  18. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Vamp please:

    These are not my claims! This was information that the original author of this Trojan claimed!

    If you got the original info file you will be able to read notes from him/her! He or she claims that this Trojan is bug free!

    I never said that this was a “Super Trojan” and there is no need for hype!


    Thank you for Info


    Technodrome
     
  19. Vampirefo

    Vampirefo Guest

    To put the final nail in this Trojan, I downloaded ZA. I hate this firewall, but I couldn't sleep until I knew for sure if it got by ZA or not; the pic says it all.
     

    Attached Files:

  20. Vampirefo

    Vampirefo Guest

    As you can see, the Trojan calls itself Yahoo! Messenger, so people just let it out. It doesn't get through the firewall; people simply grant it permission to get out.

    Right click on the server > Properties > Version tab > Product name and you will see it's calling itself Yahoo! Messenger.
     

    Attached Files: Y.gif (15.3 KB, 1,560 views)
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Waiting for that - knew you couldn't resist ;).

    Job well done, Vamp - as ever. Kudos :cool:.

    regards.

    paul
     
  22. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Thanks Vamp,
    I owe you a friendly worm now to clean that ZA off your box :D Not going to ask you to do the Norton Firewall.

    Hope you can sleep now..

    Regards,
    John
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    A very average.. make that less than average VB trojan. I am sure it was created with a well known trojan creation toolkit, which outputs your choice of VB4, VB5 or VB6 source. It was then slightly beefed up with a very simple Editor :)

    Hiding in the task list refers to Hide from CTRL ALT DEL in Win9x, not even a "feature" as such as it requires no more programming skill than referencing one simple API call
     
  24. exotix

    exotix Registered Member

    Joined:
    Dec 4, 2002
    Posts:
    1
    To block Ctrl+Alt+Del it adds to
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\TaskMon
     
  25. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    That's to look realistic, like it belongs there ;)

    Calling RegisterServiceProcess will hide it from CTRL ALT DEL, hardly a programming feat :)

    Vampirefo, you might want to be careful what you execute. Some trojans are rather nasty to remove, some which inject / load a DLL into Explorer.exe or some will load as a service on NT/2K/XP - or even replace a service (speaking of DKAngel here)
     