unknown trojan?

Discussion in 'Trojan Defence Suite' started by jdo, Apr 26, 2005.

Thread Status:
Not open for further replies.
  1. jdo, Registered Member
    Hi,

    I've got a process running on my Windows 2000 machine with a process name of lexbce.exe. This process tries to connect to many IP addresses on port 135. After startup, the first thing it seems to do is contact an IRC server (to ask which IP range to scan?). I've captured this exchange with the IRC server:

    :irc.rshp.org NOTICE AUTH :*** Looking up your hostname...

    :irc.rshp.org NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead


    :irc.rshp.org 001 GBR|482176 :Welcome to the server.org IRC Network GBR|482176!pndupuxx@80.187.145.207

    :irc.rshp.org 002 GBR|482176 :Your host is irc.rshp.org, running version Unreal3.2.3

    :irc.rshp.org 003 GBR|482176 :This server was created Mon Apr 18 2005 at 17:44:58 EDT

    :irc.rshp.org 004 GBR|482176 irc.rshp.org Unreal3.2.3 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj

    :irc.rshp.org 005 GBR|482176 CMDS=KNOCK,MAP,DCCALLOW,USERIP SAFELIST HCN MAXCHANNELS=25 CHANLIMIT=#:25 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server

    :irc.rshp.org 005 GBR|482176 WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=server.org CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX :are supported by this server

    :irc.rshp.org 251 GBR|482176 :There are 1 users and 306 invisible on 2 servers

    :irc.rshp.org 252 GBR|482176 1 :operator(s) online

    :irc.rshp.org 254 GBR|482176 4 :channels formed

    :irc.rshp.org 255 GBR|482176 :I have 135 clients and 1 servers

    :irc.rshp.org 265 GBR|482176 :Current Local Users: 135 Max: 282

    :irc.rshp.org 266 GBR|482176 :Current Global Users: 307 Max: 378

    :irc.rshp.org 422 GBR|482176 :MOTD File is missing

    :GBR|482176 MODE GBR|482176 :+ix


    :GBR|482176!pndupuxx@684601C0.9BE6DA9D.AE2E9C70.IP JOIN :#root

    :irc.rshp.org 332 GBR|482176 #root :.ntscan 255 600 80.x.x.x

    :irc.rshp.org 333 GBR|482176 #root duckeiQT 1114528973

    :irc.rshp.org 353 GBR|482176 @ #root :GBR|482176

    :irc.rshp.org 366 GBR|482176 #root :End of /NAMES list.

    :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207

    :irc.rshp.org 404 GBR|482176 #Server :You need voice (+v) (#Server)

    :irc.rshp.org 482 GBR|482176 #root :You're not channel operator

    :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207


    :irc.rshp.org 482 GBR|482176 #root :You're not channel operator


    :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207

    :irc.rshp.org 482 GBR|482176 #root :You're not channel operator


    :irc.rshp.org 404 GBR|482176 #root :You need voice (+v) (#root)


    Anyone knows what this is about?

    Thanks,
    Jan
     
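The capture above is the server side of a standard IRC session, and the line worth the most attention is the numeric 332 reply: the topic of #root is ".ntscan 255 600 80.x.x.x". IRC bots of the Sdbot/Spybot generation read the channel topic as a standing order, so a bot that joins while the operator is away still picks up the last command. The following is an added example, not code from the original post or from TDS: it splits each line on the RFC 1459 message layout (":prefix COMMAND params :trailing"), records the nick the server assigned, the channel the client joined, the topic and who set it, and flags a topic that looks like a dot-command. The sample lines are copied from the capture in the post; the keyword list in BOT_COMMAND_RE is an assumption used for illustration, not a signature.

```python
"""Parse the server side of an IRC bot session and pull out its standing order.

Added example; not code from the original post or from TDS. Sample lines are a
subset of the capture in the post. The dot-command keyword list is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

RPL_WELCOME, RPL_TOPIC, RPL_TOPICWHOTIME = "001", "332", "333"

# Assumed keyword list (not a definitive signature): bots of this era took
# "dot commands" from the channel topic, e.g. ".ntscan ..." in the capture.
BOT_COMMAND_RE = re.compile(r"^\.(ntscan|scan|advscan|ddos|download|update)\b", re.I)

# Constructed sample: a subset of the lines the poster captured.
SAMPLE_LINES = [
    ":irc.rshp.org NOTICE AUTH :*** Looking up your hostname...",
    ":irc.rshp.org 001 GBR|482176 :Welcome to the server.org IRC Network GBR|482176!pndupuxx@80.187.145.207",
    ":irc.rshp.org 422 GBR|482176 :MOTD File is missing",
    ":GBR|482176 MODE GBR|482176 :+ix",
    ":GBR|482176!pndupuxx@684601C0.9BE6DA9D.AE2E9C70.IP JOIN :#root",
    ":irc.rshp.org 332 GBR|482176 #root :.ntscan 255 600 80.x.x.x",
    ":irc.rshp.org 333 GBR|482176 #root duckeiQT 1114528973",
    ":irc.rshp.org 366 GBR|482176 #root :End of /NAMES list.",
]


@dataclass
class IrcMessage:
    prefix: str
    command: str
    params: List[str]
    trailing: str


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command, middle params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The first " :" starts the trailing parameter, which may itself contain spaces.
    middle, sep, trailing = line.partition(" :")
    parts = middle.split()
    command = parts[0].upper() if parts else ""
    return IrcMessage(prefix, command, parts[1:], trailing if sep else "")


@dataclass
class BotSession:
    nick: str = ""
    server: str = ""
    channels: List[str] = field(default_factory=list)
    topics: List[Tuple[str, str]] = field(default_factory=list)  # (channel, topic)
    topic_setter: str = ""


def analyse_stream(lines) -> BotSession:
    """Walk a server-to-client stream and record the welcome/join/topic sequence."""
    s = BotSession()
    for raw in lines:
        m = parse_irc_line(raw)
        if m.command == RPL_WELCOME and m.params:
            s.nick, s.server = m.params[0], m.prefix
        elif m.command == "JOIN":
            chan = m.trailing or (m.params[0] if m.params else "")
            if chan:
                s.channels.append(chan)
        elif m.command == RPL_TOPIC and len(m.params) >= 2:
            s.topics.append((m.params[1], m.trailing))
        elif m.command == RPL_TOPICWHOTIME and len(m.params) >= 3:
            s.topic_setter = m.params[2]
    return s


def bot_orders(session: BotSession) -> List[Tuple[str, str]]:
    """Topics of joined channels that look like dot-commands: the bot's orders."""
    return [(ch, t) for ch, t in session.topics
            if ch in session.channels and BOT_COMMAND_RE.match(t)]


if __name__ == "__main__":
    sess = analyse_stream(SAMPLE_LINES)
    print("nick:", sess.nick, "server:", sess.server, "joined:", sess.channels)
    for chan, order in bot_orders(sess):
        print(f"standing order in {chan} (set by {sess.topic_setter}): {order}")
```

Run against the captured lines, this reports the nick GBR|482176, the join to #root and the topic ".ntscan 255 600 80.x.x.x" set by duckeiQT. The meaning of the three arguments is not asserted here; the poster's reading that the server hands out the range to scan is consistent with the 80.x.x.x token and with the port-135 connection attempts that follow.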
  2. quexx88, Registered Member
    Submit it to DCS, and they will add it.
     
  3. FanJ, Guest

    Have you perhaps a Lexmark printer?

    As quexx88 already posted: send it to submit(at)diamondcs.com.au

    In the meantime you could also scan it online at Jotti:
    http://virusscan.jotti.org/
     
  4. quexx88, Registered Member
    This has nothing to do with a Lexmark printer...I connected, hassled the op in #root, and quickly got banned from the server. He's going to turn it into a warez net.
     
  5. FanJ, Guest

    Apologies if I was wrong !!!
    I admit that I was "surprised" to see those connections....

    Sorry :oops:
     
  6. quexx88, Registered Member
    No, no need to be sorry at all! Sorry if I came off as sounding a bit blunt...been under a lot of pressure this week as a lowly high school student, I'm sure you understand :)

    I bet the trojan file was deliberately named to cause confusion with users who do have Lexmark printers...it would certainly not be the first time that a good old "masquerade" has been attempted :ninja:

    We are all in this together, to learn as much as we can!
     
  7. FanJ, Guest

    Thanks quexx88 !!!!! :D

    I bet you're right about the deliberate naming of that file!
    You're so right that it isn't the first time...
    Well, I hope that the original poster will send it to DCS so Gavin can have a look at it !!!

    Hey quexx88,
    I wish you ALL the best at school !!!!! :D

    Warm regards, Jan.
     
  8. jdo, Registered Member
    Thanks guys for the responses. I did the online virus scan, and it reports:

    lexbce.exe
    Status:
    INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 6982ea6764ab9392132e150ad5e67e99
    Packers detected:
    PE_PATCH.MORPHINE, MORPHINE
    Scanner results
    AntiVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found BackDoor.IRC.Sdbot
    F-Prot Antivirus
    Found nothing
    Fortinet
    Found W32/Banker.OQ-tr
    Kaspersky Anti-Virus
    Found Trojan-Spy.Win32.Banker.oq
    mks_vir
    Found Win32.4 (probable variant)
    NOD32
    Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control
    Found Sandbox: W32/Spybot.gen1; [ General information ]

    * File length: 78848 bytes.

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM\lexbce.exe.

    [ Process/window information ]
    * Creates a mutex unDectedver1.
    VBA32
    Found nothing

    So, it seems to be a known trojan, but my virus scanner (Symantec) doesn't know about it.

    Also, initially I didn't use the right scan method in TDS, but now that I do it reports that it found a 'Live Trojan'.

    I've also got another process running (with a random name) which tries to email spam out from my machine. Perhaps it's connected.

    So, time to clean up...

    Thanks again for your help!

    Jan
     
  9. Jooske, Registered Member
  10. jdo, Registered Member
    Hi Jooske,

    I suddenly noticed that there was lots of network traffic on my machine when I wasn't doing anything. So, with TCPView (Sysinternals) I saw that a process called lcebxe.exe was generating lots of connection attempts.

    Then, with Ethereal I captured the IRC conversation (I knew what to look for and used Follow TCP stream).

    Subsequently, I installed Kerio Personal Firewall with a rule to block and log anything coming from lexbce.exe. It shows that lexbe.exe tries to connect to the IRC server every few seconds.

    And I don't have a Lexmark printer :)

    Thanks,
    Jan
     
  11. jdo, Registered Member
    lexbce.exe, of course (spelling)
     
  12. Jooske, Registered Member
    Port Explorer is a very nice tool with some more tools included.
    With the Sysinternals Process Explorer and TCPView I think you can expand the process and see the related dll files etc, right?
    Did you try Strings to see if your lex* file is original bad?
    In TDS are some nice plugins and other tools for that purpose too, btw.
     
  13. Jooske, Registered Member
    That Banker thing is in the TDS primaries list in several variants so it should deal with it.
     