Trojan injected to explorer.exe

Discussion in 'Trojan Defence Suite' started by Shlomi, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. Shlomi

    Shlomi Guest

    TDS detected a trojan injected in explorer.exe, I chose to close the process and delete the file. Then TDS notified me that it closed the process but did not delete the file, however, I scanned explorer.exe again and TDS doesn't detect anything...
    Did TDS remove the trojan?
    Is it excluding it because it couldn't delete it?
    Or does it not detect it because it's not running?
     
  2. Shlomi

    Shlomi Guest

    OK, I just noticed that a .exe file that my AV detected and deleted also has a .dll file with the same name in the same dir (system32), but when I delete the dll, after about 5 seconds it creates the dll again. I'm pretty certain it's the dll of the trojan injected in explorer.exe.
    So what can I do to remove this trojan?
     
  3. Shlomi

    Shlomi Guest

    I'm sorry if I'm breaking any rule by double/triple posting, but I can't edit my previous posts. What I wanted to say is:
    I restarted TDS and it's set to automatically scan the process list when started, and it detected the explorer.exe again, as "RAT. Deep Throat".
    I got very sensitive data here including credit cards and bank accounts, so please help me remove this trojan ASAP, any help will be greatly appreciated!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Shlomi & welcome. If you are using the TDS trial please make sure you have downloaded the latest radius file from here. Instructions are on the page. Do a FULL system scan with all boxes ticked in scan configuration.
    http://tds.diamondcs.com.au/index.php?page=update
    Here is some info about deepthroat which may help you to eradicate it:

    Note this info is quite old and there may be other variants.

    Since the original dissection was performed, the author has released a new version. Now we have details on all current versions available + their characteristics.

    Latest Version dissected (15th March 1999)

    Well a new version has been released & thanks to one of Xploiter.com's visitors (Nick), I have been able to get hold of a copy to dissect.

    Features

    There are several new features as listed here.......

    Msg Box Manager
    Hide\Show Start bar
    FTP Server - Starts a FTP Server.
    Capture Screen
    Turn Monitor On/Off
    Get Cached Passwords
    Spawn Prog (Runs program on the host)
    Reboot (Please use it wisely Don't be a Lamer!!!!).
    Scanner
    Ping Host
    Host System info
    Swap mouse buttons
    Freeze Mouse
    Hide desktop icons.
    Hide start button.
    Hide clock.
    Hide the system tray.
    List windows
    Kill window - (But it does not work on - Internet Explorer or Explorer).
    Password server
    Change server password
    Remove server password
    Send Password to server
    Change Hosts Wallpaper
    Delete file
    Show picture
    Ftp port
    Play sound
    Change time
    Extra Irc Scanner Feature (To let Irc Scanners scan for it DT leaves open port 6670 (Tcp))
    Sweep list scanner - Scans for hosts that are running the server
    Package
    There are three known versions of the same server file & these are distributed as follows:

    dtv2_1.zip - contains just the server - systempatch.exe (300kb dated 23/2/99)
    winsp00fer.zip - A self installing package - winsp00fer.exe (390kb dated 8/2/99)
    backwebserv.zip - A self installing package - winsp00fer.exe (390kb dated 8/2/99)

    Installation

    I will go through the installation routine individually for all three versions. I am using a program called Inctrl 3 (In Control) that basically monitors what files are changed when a particular program is run. A report is then generated & it is this report that I will show here.

    If you cannot understand the report & what has been modified, you may contact me for further information & help.

    Installation report: systempatch.exe - (generated by INCTRL 3, version 3.01)

    Monday, March 15, 1999 10:54 AM
    Windows 95, version 4.00

    FILES AND DIRECTORIES ADDED: (4)
    c:\WINDOWS\SYSTEM\acdt.dat
    c:\WINDOWS\SYSTEM\pddt.dat
    c:\WINDOWS\SYSTEM\systemio.exe
    c:\WINDOWS\systray.exe

    REGISTRY KEYS ADDED: (1)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings

    REGISTRY KEY VALUES CHANGED: (2)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value "SystemTray": from "SysTray.Exe" to "c:\windows\systray.exe"

    REGISTRY KEY VALUES ADDED: (2)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"

    Installation report: WinSp00fer.exe - (generated by INCTRL 3, version 3.01)

    Monday, March 15, 1999 12:16 PM
    Windows 95, version 4.00

    FILES AND DIRECTORIES ADDED: (2)
    c:\WINDOWS\SYSTEM\acde.dat
    c:\WINDOWS\systray.exe

    FILES CHANGED: (2)
    c:\WINDOWS\SYSTEM\acdt.dat
    c:\WINDOWS\SYSTEM\pddt.dat

    REGISTRY KEY VALUES CHANGED: (2)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value "Systemtray": from "c:\systray.exe" to "c:\windows\systray.exe"

    REGISTRY KEY VALUES ADDED: (2)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"

    Installation report: BackWebServ.EXE - (generated by INCTRL 3, version 3.01)

    Monday, March 15, 1999 12:39 PM
    Windows 95, version 4.00

    FILES AND DIRECTORIES ADDED: (2)
    c:\WINDOWS\SYSTEM\systemio.exe
    c:\WINDOWS\systray.exe

    FILES CHANGED: (3)
    c:\WINDOWS\SYSTEM\acde.dat
    c:\WINDOWS\SYSTEM\acdt.dat
    c:\WINDOWS\SYSTEM\pddt.dat

    REGISTRY KEY VALUES CHANGED: (8)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Applets\Popup
    Value "AlwaysOnTop": from "12320768" to "12255232"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Applets\Popup
    Value "MaxOnMsgRcv": from "12255233" to "12320769"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Applets\Popup
    Value "Sound": from "12320768" to "12255232"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value "Systemtray": from "c:\systray.exe" to "c:\windows\systray.exe"

    REGISTRY KEY VALUES ADDED: (2)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\ol="0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\pass="0"
    Detection

    The following listing was taken on my machine using TotoStat after I installed the trojan & clearly shows the ports that it listens on.

    Proto Local IP Port Remote IP Port State

    TCP 0.0.0.0 :6670 0.0.0.0 :0 LISTEN
    TCP 0.0.0.0 :3150 0.0.0.0 :0 LISTEN
    TCP 0.0.0.0 :2140 0.0.0.0 :0 LISTEN
    UDP 0.0.0.0 :3150 0.0.0.0 :0 LISTEN
    UDP 0.0.0.0 :2140 0.0.0.0 :0 LISTEN

    If you have these ports open, then you probably have Deep Throat installed.

    Removal

    Backup your registry.
    Using Regedit, drill down to the keys shown in the relevant reports & remove the values that were created.
    Reboot your computer, enter pure DOS mode (press F8 at the "Starting Windows 95" message & select command prompt only) & delete the file called systray.exe in c:\windows (300kb).
    Delete the file called systemio.exe in your c:\windows\system directory - this one gets all the passwords.
    Restart your computer & enter Windows.
    Run TotoStat & ensure that the ports are no longer listening. They should be gone!
    You should now be clean.
    Old Version

    Deep Throat is one of the newer trojans that have sprouted. I found this one on 29/11/98 & promptly decided to take it apart. This is what I found: -

    Introduction


    This trojan is very similar to Netbus although it uses the UDP Protocol. I have tested it on Win95/98, which it does work on, but on my NT4 machine it did not. The author is however trying his hardest to get it working on NT as well, so be warned.
    The trojan will not show up via the vulcan nerve pinch (Ctrl-Alt-Delete) & no icon is displayed in the task bar.
    The program has been written in Delphi with the resulting executables compressed with the Neolite Exe Compressor. This makes it near impossible to check its default strings.
    Package
    By default the server & client arrive in a zip file called 'dtv1.zip' (506kb). Two other zip files are also available namely 'fonts.zip' (61kb) & 'installer.zip' (264kb). These other zips contain the extra fonts that the client needs with the installer package containing the trojan wrapped in 'Saran Wrap' making it look like a genuine installer program - Run the installer & you install the trojan.

    Back to the 'dtv1.zip' file, it contains two files, the GUI client 'RemoteControl.exe' (265kb dated 24th October 1998) & the server 'Systempatch.exe' (254kb dated 24th October 1998).

    Installation

    Once the server is run, it creates a registry key under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    with the file name of the server file name and a description field of "SystemDLL32".

    The file will not delete itself like BO, although you will not be able to delete the file as the server is now in its 'run' state. The file could be installed anywhere on your system.

    The server will now restart every time the machine is rebooted. By default it listens on port 2140 UDP but interestingly also hooks port 3150 UDP as well. Once the client has connected, port 60000 is also hooked!
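An added detection example (written for this thread, not part of Pilli's post, the Xploiter.com dissection, or any DiamondCS tool): it parses a TotoStat-style port listing like the one quoted above and a set of Run-key values, and flags the indicators the dissection lists, i.e. the listening ports and the rewritten "SystemTray" autostart entry. The sample listing and Run-key values are constructed here to mirror the post.

```python
import re

# Listening ports from the dissection's TotoStat listing, as (proto, port)
DEEP_THROAT_PORTS = {("TCP", 6670), ("TCP", 3150), ("TCP", 2140),
                     ("UDP", 3150), ("UDP", 2140)}
# Run-key autostart value the Inctrl reports show being redirected
SUSPECT_RUN_VALUE = ("systemtray", r"c:\windows\systray.exe")

# Matches rows of the form: TCP 0.0.0.0 :6670 0.0.0.0 :0 LISTEN
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+:(\d+)\s+(\S+)\s+:(\d+)\s+(\w+)$")


def parse_listing(text):
    """Parse 'Proto Local IP Port Remote IP Port State' rows into (proto, port, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and blank lines simply do not match
            rows.append((m.group(1), int(m.group(3)), m.group(6)))
    return rows


def suspicious_ports(text):
    """Return sorted (proto, port) pairs that are LISTENing and match the indicator set."""
    return sorted({(proto, port) for proto, port, state in parse_listing(text)
                   if state == "LISTEN" and (proto, port) in DEEP_THROAT_PORTS})


def suspicious_run_values(run_values):
    """run_values maps Run-key value name -> command; flag the redirected SystemTray entry."""
    name, path = SUSPECT_RUN_VALUE
    return [(k, v) for k, v in run_values.items()
            if k.lower() == name and v.lower() == path]


# Constructed sample input: the post's listing plus one benign row
SAMPLE_LISTING = """Proto Local IP Port Remote IP Port State

TCP 0.0.0.0 :6670 0.0.0.0 :0 LISTEN
TCP 0.0.0.0 :3150 0.0.0.0 :0 LISTEN
TCP 0.0.0.0 :139 0.0.0.0 :0 LISTEN
UDP 0.0.0.0 :2140 0.0.0.0 :0 LISTEN
"""
# Constructed Run-key contents: the rewritten value from the report and a benign placeholder
SAMPLE_RUN = {"SystemTray": r"c:\windows\systray.exe",
              "ExampleBenign": r"c:\example\benign.exe"}

if __name__ == "__main__":
    print("ports:", suspicious_ports(SAMPLE_LISTING))
    print("run values:", suspicious_run_values(SAMPLE_RUN))
```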
     
  5. Shlomi

    Shlomi Guest

    Thanks, I replaced the explorer.exe with one from dllcache in safe mode and TDS doesn't detect it anymore, but considering it could have infected other files as well, I'll update the definitions now and do a full system scan. Thanks for your help.
     
  6. controler

    controler Guest

    You should also change all your passwords to be safe.
    If it were me I would change all passwords and reformat to be sure ;)
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    How about getting the HijackThis and scan all the autostarts, that would be good to see if anything is wrong or suspicious in any way.
    Did you look in the autostart Explorer in TDS and in the running processes if there is anything suspicious?
    Do you also use Port Explorer (grab a trial if you're not!) and look if there are any suspicious connections and the applications used by them.
    In the autostarts forum here are a download link and instructions for using and posting its log.
    Would certainly change the most urgent passwords, then do all the checks (the autostart log) and scans to make sure you're really clean, and when all that is really clear change all passwords again.
    Are you on XP?
    After being cleansed out completely, disable system restore, reboot, enable system restore again and make manually a new restore point so you can't get infected again.

    Looking forward to your next step, please keep us updated, trying to save your system.
    In the meantime while scanning you might like to check your passwordfile(s) and find out which to change everywhere.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I would ask you to also send the results of ASViewer to gavin@diamondcs.com.au so I can look for suspicious startups

    http://www.diamondcs.com.au/index.php?page=asviewer

    Please turn on the 3 SHOW options at the top of the menu, then choose SAVE and send the text file
     
  9. Shlomi

    Shlomi Guest

    Thank you all, I followed all your advices and my PC now seems to be trojan free. I just hope it stays that way ;)
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That sounds like good news Shlomi, did that include sending the ASViewer log to Gavin to have a proper look just to be really really really sure? Don't hesitate to do so, as we all want to be very sure your sensitive info is all well cared for and no surprises to be expected.
    Keep TDS updated and scan more frequently a few days.
     
  11. Shlomi

    Shlomi Guest

    Yes Jooske, I did.
    And a little unrelated question, can I submit UPX scramblers to that submit@diamondcs.com.au E-Mail? Or is it only for trojans?
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If it would not be OK Gavin can always tell us or just delete what is not useful, so don't hesitate to send them in!
     