Troj/Amitis.11. ZoneAlarm and Norton Firewall

The main part of this Trojan is server part. After victim executes this file, hacker/intruder is able to control victim’s computer.

This Trojan can pass Zone Alarm and Norton PF
It will close firewalls that is not able to pass
Trojan will make five copies of itself into windows dir
It will replace itself if the main file gets deleted
This Trojan will run on windows startup and will connect to NET automatically
It will disable the ALT+CTRL+DEL for more security
It does not write any strings to registry so you the victim won’t be able to find it in registry
Server is able to send email to the controller and tell the victim's IP and other necessary information
Server is hidden in ALT+CTRL+DEL list
Works on (9x/Me/2000/XP)

Size of this file is only 110 KB and 29 KB in ZIP mode!

Trojan Assembled: September 19, 2002
Trojan Released: September 24, 2002

This Trojan is not detected by Trojan Hunter and Trojan Remover


Technodrome

 

Re:Trojan Amitis 1.1 released!

Tech...smiles to you looks like we were on the same track..do you want me to move mine over to your thread and delete mine. can easily be done.


John

 

VSantivirus no. 813 - Year 6 - Domingo 29 of September 2002

Troj/Amitis.11. It eludes to ZoneAlarm and Norton Firewall
http://www.vsantivirus.com/amitis11.htm


Name: Troj/Amitis.11
Type: Trojan horse of remote access
Alias: W32/Amitis.11, Win32/Amitis.11, Backdoor-AKZ, Backdoor.Trojan Clie, Amitis 1.1
Date: 27/set/02
Platform: Windows 32-bits
Size: 106.496 bytes (server), 29 compressed Kb


This troyano, written in Visual Microsoft BASIC 6, allows the remote control of the computer infected, after which it is executed in this machine, generally by means of deceits.

The complete package, consists of the following archives:
actskin4.ocx
Amitis.exe
Edit Server.exe
MSCOMCTL.OCX
MSINET.OCX
MSWINSCK.OCX
read me.txt
Server.exe
TABCTL32.OCX

Of these, Amitis.exe (389.120 bytes) is the client, used by the attacker to connect itself to the servant ( Server.exe of 106.496 bytes) in the infected machine.

This last one, whose name (Server.exe) single must be taken like reference, since the attacker can easily renombrar it, is the file that by some method of social engineering (making believe us it is a utility for example), can be sent to our machine for its execution. It is the only file of the package that we needed to receive to become infected.

This troyano has the characteristic to elude to fire-resistant the ZoneAlarm and Norton Firewall. Although little distributed, this characteristic turns it a potential threat, reason why we always recommended like maintaining to the day the antivirus and not executing anything not asked for.

When executing itself the troyano, will create up to five copies of if same within the directory of Windows and others.

If the troyano is erased, is able to replace itself to if same provided still it remains in memory, by which cares are due to follow special to erase it manually.

The troyano will be executed in each resumption of Windows and it will be connected to the network as soon as it detects an active connection.

For first, [ modifies file WIN.INI in the label Windows ]:

[ Windows ]
load = c:\windows\server.exe

Remember that "server.exe" single is mentioned like reference, can be any other name.

Also deshabilita keys CTRL+ALT+SUPR with which the task of the troyano cannot "be killed" while this one is activate.

Direction IP into the victim is able to send an electronic message to the attacker informing to him. This and other parameters are defined previously by the attacker with the publisher of the troyano (Edit Server.exe) .

Finally, the attacker can take the control from the infected machine, and make innumerable tasks in clandestine form.


IMPORTANT:

If the troyano has been installed in the system, is possible that its computer can be acceded in remote form by an intruder without its authorization. This is more critical in case of having connected it to a network. Therefore it is impossible to guarantee the integrity of the system after the infection. The remote user can have made changes to his system, including the following actions (among other possible ones):

- Robbery or change of passwords or archives of passwords.

- Installation of any software that qualifies remote connections, from back doors.

- Installation of programs that capture all the keying by the victim.

- Modification of the installed rules of the fire-resistant ones.

- Robbery of numbers of the credit cards, banking information, personal data.

- Erasure or modification of archives.

- Shipment of unsuitable or incriminatory material from the account of mail of the victim.

- Modification of the rights of access to the accounts of user or the archives.

- Erasure of information that can expose the activities of the attacker (logs, etc.).

These actions single are indicated like example, but none they must be taken like only the possible ones.

If you use your PC, or belongs to an organization whom by its nature she demands to be totally safe, she is recommended to erase all the content of the hard disk, to reinstalar of zero the operating system, and to recover its important previous backup copy archives.

Soon it changes all its passwords, even the one of other users to whom it has access from its computer.

In the case of a company with corporative networks, it contacts with its administrator to take the actions necessary in order to change all the keys of access, as well as to reinstalar Windows in all the computers.

This is the only safe way of not jeopardizing its security before the possible changes made by the troyano.

Of any way, and without forgetting the mentioned forecasts, the following plan of action for an attempt can be suggested to remove the troyano in manual form.

 

Re:Trojan Amitis 1.1 released!

Oh ok! I was going to move mine to yours!

Its all cool now!

Thank you Primrose

 

Re:Trojan Amitis 1.1 released!

September 29 2002, 9:39 AM EST

I'll just add that DrWeb( by using heuristics) is able to detect this Trojan!
KAV is not detecting it yet!


Technodrome

 

Re:Trojan Amitis 1.1 released!

NOD32 detects it. Only one report in Australia so far ... on 26 September.

 

Re:Trojan Amitis 1.1 released!

Now it should be very clear for some of us that a good heuristics is the most important part of a virusscanner!

 

Yes NOD32 detects all 3 components!


Technodrome

 

Re:Trojan Amitis 1.1 released!

Primrose gives a knowing NOD and a big on his cake hole>

WTG guys.

 

In the Primary list of TDS-3:

 

Ok, I downloaded and ran this Trojan, please all hype, first of all Nav detected it, True TH didn't detect it, easy enough to make rules, for it though.

Now let's cut through the misinformation, the Trojan didn't shutdown Kerio, Kerio popped up and asked me to let it out, I said no, Trojan was stopped, the Trojan makes an registry entry here.

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="e:\\windows\\server.exe
open=e:\\windows\\server.exe"


Now the other misinformation , the Trojan doesn't disable Ctrl+Alt+ delete, I have a pic showing running in my task manger.

 

Here is a pic NAV detecting it, The server is easy to kill, TH Guard will kill it with my user defined rules, Or one can just Ctrl+Alt+Delete, and kill the Trojan, I can't find one firewall this Trojan can get by, or one firewall this Trojan disables, I don't use the two firewalls,ZA and Norton, but I would have to see it get by them.I believe these firewalls will flag it just like Kerio does.

 

Last pic, you guys just made it out to be a super Trojan when in fact, it's not much, very easy to detect, and kill. But hey your posts got my curiosity up, and I had to test the Trojan, no harm no foul.

I guess the good news was that NOD and NAV was already on top of it.

 

Was actually hoping you would come up with the Zone Alarm and Norton Firewall to defrock this one..but never doubted Kerio could handle the load. I do not even think anyone mentioned that firewall to date. Super trojan ?...no just one of many..right now you..I..tech..could pull up 20 others that are not even here...but VSAntvirus did have a nice write up ;-)

 

Thanks Vamp for the info !

 

Please read Technodrome post again

This Trojan can pass Zone Alarm and Norton PF
It will close firewalls that is not able to pass
Trojan will make five copies of itself into windows dir
It will replace itself if the main file gets deleted
This Trojan will run on windows startup and will connect to NET automatically
It will disable the ALT+CTRL+DEL for more security
It does not write any strings to registry so you the victim won’t be able to find it in registry
Server is hidden in ALT+CTRL+DEL list

It will close firewalls that is not able to pass, No it wont.

Trojan will make five copies of itself into windows dir, No it doesn't.

It will replace itself if the main file gets deleted, No it doesn't.


It will disable the ALT+CTRL+DEL for more security, again no it doesn't do this either

It does not write any strings to registry so you the victim wont be able to find it in registry, Yes it does HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Server is hidden in ALT+CTRL+DEL list, It's clearly visible nothing hidden.

If this Trojan did all of what was posted above it would fall under the category of a super Trojan.

But it doesn't do any of them, where o where did this information come from.

 

Well it is going to be an interesting one that is for sure..thanks again Vamp..maybe we can find the source of the analysis...VSantvirus...I gave you the link here..is usually pretty accurate for Rico and othersusually pull the thing apart.. just like you have..also, his site is very big on ZA..I mean real big..so he would not be out to publish that if he did not have some concern....those are my only thoughts on it at this point..let's see what transpires.

 

Vamp please:

These are not my claims! This was information that the original author of this Trojan Claimed!

If you got the original info file you will be able to read notes from him/her! He or She claims that this Trojan is a bug free!

I never said that this was a “Super Trojan” and there is no need for hype!


Thank you for Info


Technodrome

 

To put the final nail in this Trojan, I download ZA, I hate this firewall, but couldn't sleep until, I knew for sure if it got by ZA or not, the pic says it all.

 

As you can see the Trojan calls itself Yahoo! Messenger, So people just let it out, it doesn't get through the firewall people simply grant it permission to get out.

Right click on the server>properties>version tab>product name and you will see it's calling itself Yahoo! Messenger

 

Thanks Vamp,
I owe you a friendly worm now to clean that ZA off your box Not going to ask you to do the Norton Firewall.

Hope you can sleep now..

Regards,
John

 

A very average.. make that less than average VB trojan. I am sure it was created with a well known trojan creation toolkit, which outputs your choice of VB4, VB5 or VB6 source. It was then slighty beefed up with a very simple Editor

Hiding in the task list refers to Hide from CTRL ALT DEL in Win9x, not even a "feature" as such as it requires no more programming skill than referencing one simple API call

 

to block cntrl+alt+del it adds to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\TaskMon

 

Thats to look realistic like it belongs there

Calling RegisterServiceProcess will hide it from CTRL ALT DEL, hardly a programming feat

Vampirefo, you might want to be careful what you execute. Some trojans are rather nasty to remove, some which inject / load a DLL into Explorer.exe or some will load as a service on NT/2K/XP - or even replace a service (speaking of DKAngel here)