From Privacy Software Corporation Security Advisory Sunday, February 16, 2003: KAZAAKRYPTON TROJAN HORSE PROGRAM SYNOPSIS: KAZAAKRYPTON (and similar programs such as IGLOO KAZAA) are the beginning of a new trend in trojan horse backdoors which take advantage of people downloading "cracked" or "free" software, music, or pornography from Kazaa and Kazaa-like file sharing servers on the internet. KAZAAKRYPTON, IGLOO and a few others we have seen in the last few days all share a commonality. These backdoors depend on people downloading an executable file or archive of interest and then end up opening up a hidden backdoor server on their machine which then joins the file sharing networks, serving up more copies of the trojan among whatever files "innocent" users add to the "collection." Analysis of these new trojans has determined that once initiated, they begin making multiple copies of themselves into a subfolder of the main "Windows" folder on the affected machines. The files produced tend towards 6 new copies of the original trojan per minute, rapidly filling up the hard disk of the victim with deliberately named filenames of differing size. The resizing of the copies and the filenames, often containing names shown above in order to entice downloading, makes it extremely difficult for a Kazaa or similar file sharing host to be able to determine which files are legitimate and which are backdoors. Because of the manner in which antiviruses function, it would also be difficult for a pattern match of files to succeed as the sizings and spacings of the contents of the files containing the backdoor can be unpredictable, and therefore potentially elusive. On machines which contain KAZAA, the backdoor trojan adds an entry to the registry as follows: HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir6" which points to a folder called: C:\WINDOWS\User32 which contains the multiple copies of the trojan under numerous "interesting names" in order to entice parties visiting the Kazaa server to download the trojan. In our testing, an average of 6 new files were created every minute. On machines that do NOT contain Kazaa, these backdoors will open port 113 and 30201 and behave LIKE a Kazaa server, setting up shop in the same location in the registry and broadcasting their availability irrespective of whether the "victim" is running a file sharing server or not. When running, the KAZAAKRYPTON and similar tools utilize tremendous amounts of CPU time, resulting in an obvious slowdown of the victim's computer with rest periods of ten seconds or longer between file creation salvos. Slowing of internet access on broadband systems is also noticeable, especially when the victim is not running Kazaa or similar "file-sharing" software. Proliferation of this backdoor depends on people with less than the most honest intentions "reaching for the low-hanging fruit" of obtaining paid licensed software for free, the warning signs of suspicious content being "cracked registration keys," "full version downloads of commercial software," "cracked music CD's," and popular gamingware. The filenames of the infected files (as evidenced by the screenshot of a victim machine above) are designed to entrap casual software/music consumers looking for a "freebie." The KAZAAKRYPTON backdoor creates a process named "CMD32" which is visible in the task manager (Ctrl+Alt+Del) keys and can be stopped, whereupon the copying of more files to the C:\WINDOWS\User32 ceases. However, all files in such folder must be considered suspect and should be destroyed in total, especially if the "User32" folder exists on a machine that doesn't have Kazaa installed. The IGLOO KAZAA trojan behaves in a similar fashion, but sets up shop in a folder called C:\WINDOWS\Sys32. Same situation, less prolific. Privacy Software Corporation's BOClean 4.10 software, designed to detect and defeat trojan horse programs, is fully effective in removing these servers regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. COPYRIGHTED MATERIAL: Copyright (c) 2003 by Privacy Software Corporation.