Were these really Trojans?

Discussion in 'Trojan Defence Suite' started by dee, Jul 22, 2004.

Thread Status:
Not open for further replies.
  1. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Some odd activity on my machine sent me on a hunt. Began with a d/loaded zipfile, NOD said it was OK, but as it contained a small executable, I scanned this, & again NOD said it was OK. When I clicked on the executable, the file "disappeared" from its folder, and I became suss. Fired up WinPatrol, which told me a new program had been added plus a restart command, which I of course disallowed, then began my hunt.

    I found ZoneLockup.exe [19KB] in my running processes, its date was 24/7/04, so I ended task. Then I found the same file & date in Program Files in TDS3, also in my temp folder, so I deleted these. When I fired up TDS3, it stalled each time when it got to Memory scan started. AdAware wouldn't start at all.

    Then Windows said that "warpigs.exe" had performed an illegal & was to be shut down. Found 2 of these, one in C:\ which I deleted, & another in C:\Windows\System which I couldn't delete or rename - access denied. TDS3 worked now, & kept saying that it can't read this locked file.

    A full NOD scan then showed -

    Warpigs.exe – Win32/trojanDownloader.Agent.AO trojan
    C:\program files\Defence\xDynamic\TDS.Unpk\zonelockup.exe – Win32/Hackerarmy.Ztrojan
    And the 2 in the recycle bin are
    C:\Recycled\DC1.exe – Win32/Hackerarmy.Ztrojan

    Dunno why NOD didn't tell me anything amiss in the 1st place, but at least it cleaned them all up after the full scan, apart from the original zipped file in My Docs, which I'll delete.

    Are these trojans seeing as TDS3 didn't find them?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Dee, did you scan with TDS3 as well before clicking on an unknown executable?
    TDS has obviously tried to unpack it as it was in the unpack folder; it is possible that the .exe was corrupt and that caused TDS3 to hiccup.

    TDS3 does pick up a lot of downloaders but some are legitimate or of a minor type that TDS does not detect.

    Also if you have the full version then Execution protection would probably have stopped it, especially if you have the Generic detection set to full.

    We will have to await Gavin's reply in the morning.

    If you have a copy (possibly in your recycle bin?) of any of the files please send them to submit@diamondcs.com.au for analysis.

    Pilli
     
  3. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Yes I do have the reg'd TDS3 & resident protection is installed & generic set highest - but I run it "on demand" & update its database 2 or 3 times a week. It was updated the day before, & again after this happened.

    Actually I was a bit peeved that NOD32 said the files were OK when I scanned before opening the files, then on a full scan, it found these. I've posted in the Opera newsgroup a warning about the link to the zipfile, & I hope they remove it.

    The only thing in my Recycle Bin is the warpigs.exe file that TDS3 couldn't read & I couldn't delete, but NOD did. I also have the original zipfile in My Documents. But would anyone really want to look at it?

    If the executable hadn't "disappeared" from its folder, I'd have been totally unaware of this - until "warpigs.exe" performed an illegal, cos that name was unknown to me until then. Actually I don't feel quite as secure as I used to now!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Please send the original .zip file to DCS at the email address above, Gavin will reply to you about its contents.
    BTW it may be an idea to send it to Eset too in case it is a new variant.

    Thanks Pilli.
     
  5. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    I forgot to say - that ZoneLockup.exe really worried me because of its name, and I wonder if this was gonna disable ZAPro? WinPatrol seemed to give the quickest warning, & I've now set it to run on startup.
     
  6. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    OK, I sent the zipfile to Gavin.

    The idea of sending it to Eset confuses me [but that's easily done!]
    NOD did detect it on a full scan, so how could it be a variant - or is that why NOD stayed mum about the "disappearing" executable?

    I found a Trojan name on Symantec's website that sounded rather similar, Backdoor.Hacarmy, at http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.html and I mentioned this in the email.

    Still wondering about that zoneLockup.exe though.
     
  7. FanJ

    FanJ Guest

  8. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Well fancy that - exactly what I read at Symantec:-

    "zonelockup.exe
    Backdoor.Hacarmy.D is a Backdoor Trojan horse that gives an attacker control over a compromised computer.

    When Backdoor.Hacarmy.D runs, it does the following:
    Copies itself as %System%\ZoneLockup.exe.

    Adds the value: "Winsock32driver"="ZoneLockup.exe"
    to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Attempts to connect to an IRC server at port 6667. If successful, it allows the remote attacker to perform some of the following actions:
    - Download and execute files
    - Terminate processes
    - Steal system information, such as operating system information, system uptime, current user name, IP address, and host name"

    That sounds nasty, though it doesn't say for sure that it affects ZAPro, but the file name sort of says so - I think. I wonder if I should search out that registry key? I wonder if NOD really wants to know about this. And I wonder whether TDS3 should have been able to do more. Or am I supposed to run TDS3 permanently instead of on-demand?
     
  9. FanJ

    FanJ Guest

    Yes, I think that would be a good idea.
    If I understood you right, you started WinPatrol; did you let WinPatrol maybe take care of that?
    Maybe also a good idea to wait for Gavin's advice !!!

    Sure, let them know ;)

    Yes, most definitely !!!
    You have to run an AT resident, just like your AV.
    And just like you do with your AV: keep your AT updated and run a full system scan with it regularly.
     
  10. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    No, WinPatrol can take care of running tasks, startup info & restart commands & tell you when a new program's been added, plus a few minor things like cookies, but nothing on registry.

    EDIT - Just rec'd email from Gavin -

    "this is a new variant of Hackarmy a trojan bot
    Will be adding detection today"

    Sounds as if TDS3 couldn't have done anything even if it had been running when I clicked that executable. And NOD said that file was OK before I clicked it, then announced Trojans afterwards, fat lotta good that is. Both TDS & NOD had been updated the day before.

    Not real happy.
     
    Last edited: Jul 23, 2004
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can post a link to this thread in the NOD forum if you like? Spares a lot of double posting.

    What kind of file did you think to download and what made you do so? Thinking it to be a new game or such a thing?
    You might like to give the URL in your emails to Gavin and Eset.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again Dee, If you are running XP I would start TDS3 manually or on a delayed start schedule after boot up.
    For execution protection to be active TDS3 must be running but can be minimised to the systray.
    Execution protection uses very little resources as it only hooks programs as they start.
    :eek:
    Just point them to this thread or copy and paste! :)

    HTH Pilli
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You got a quick reply from Gavin! And the update for it in today's radius.
    Look, there are several thousands of new nasties created every day somewhere in the world, and you see Gavin and Eset add many to their detection on a daily basis, so submitting anything suspicious is important.
    You have still one more place to test files, like www.kaspersky.com/remoteviruschk.html where you have in a few seconds another opinion. You might like to try with this file if you still have it.
    In fact I suppose TDS Exec Protection, if TDS was running, would have blocked the file from executing at all; it would certainly do so after today's update.
    Glad you found and submitted it, thanks in name of the internet community as a whole!
    Is TDS running and scanning ok now again or still hanging in a certain place?
     
  14. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    You both read my mind - I was gonna ask if it'd be cool to post a link about this on NOD forum!

    No Jooske, I don't go for games. This was a link posted in 2 Opera n/groups:
    "Osama Bin Ladin was found hanged by two CNN journalists early
    Wednesday evening. As evidence they took several photos, some of
    which i have included here. As yet, this information has not hit the
    headlines due to Bush wanting confirmation of his identity but the
    journalists have released some early photos over the internet"

    Those posts & links are being removed from Opera n'groups as I type.

    At the moment I'm running win98.
    Also if I minimise TDS3, how will I know when some warning is displayed in its interface?
     
  15. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Yes, TDS3 behaved normally again as soon as the full system scan with NOD had removed the offending files. I doubt that TDS3 could have done anything before this Trojan was added to its database.

    The original zipped file is still in My Documents & I don't want to try it again anywhere, sorry! But I'll ask NOD if they want it before I delete it forever.

    No worries, I'll recover from the shock! You see, I'm ultra ultra careful,
    I don't use IE or Outlook or OE, keep my system & my security s/ware religiously updated. And this has been the very first malware I've ever had on my machine, & that's the truth [apart from the rare instances of spyware AdAware finds.]
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hackarmy is actually just a variant of SDBot
    With TDS running, a Process Memory scan would be likely to reveal it

    You definitely should send a copy to NOD32 as this one was posted on a newsgroup very recently and is obviously catching a few people. samples @ nod32.com should do fine ;)

    Be careful out there! no scanner can detect everything, the more you click...
     
  17. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    I've posted about this on the NOD32 forum, with a link to here. But OK. I'll send the file to them with a covering email.

    Gavin, I seem to be in some sort of trouble & I don't know what to do - this is my 1st personal experience of virus/trojan infection - plus I'm totally confused by TDS3 AND Nod32's messages now.

    First of all, I asked TDS3 [which I've kept running all day] to do Radius update so that it would have the update for this pesky thing. Lo & behold, it said that it was already updated. [??] Then I got TDS3 to perform a scan of C drive, I have exec. protection installed & everything set to high, incl generic, & all relevant fields checked.

    And once again, TDS3 says it can't read the same file as before, it's locked. And then AMON appeared with a virus warning, but it didn't help either, instead it said -

    "NOD32 A/V System warning:AMON – A/V monitor.
    Virus detected.

    Virus Information
    File: C:\program files\defence\xDynamic\TDS.Unpk\Osama Dead.exe
    Virus: Win32/Hackarmy .Z trojan
    Comment: AMON cannot clean this infiltration. Error while deleting. Error while renaming. Event occurred on a newly created file"

    Told AMON to quarantine the file & it didn’t say anything. But when I closed the Virus warning, I got another popup with “Error occurred when quarantining file"

    I've also posted this bit in the NOD forum. I'm getting a bit upset now, because although both TDS3 & NOD32 are fully updated & running, I seem to be stuck with an infected file, and short of trying to delete it in Safe Mode, I just don't know what to do. I've very little MS-DOS know-how, & rely on my security s/ware to do this.
     
  18. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Try closing down TDS-3 then trying to quarantine or deleting the file in question.
     
  19. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Jason, I just did what you said, & was then able to delete the file. So I then scanned my system with NOD, & the file was no longer detected - the only one that was tagged was the original zipped file in My Documents, the one I'm going to submit to NOD.

    But it didn't end there. I fired up TDS3 again, it did a radius update this time - & had it scan C drive. It immediately made a positive ID of AdWare Cydoor, file c:\windows\rundll32.exe. Then a little later gave the same dialogue as before, and AMON did the same thing as last time. I'm attaching a screen capture this time.

    Am I in an endless loop or something? I think it may be something to do with that registry key which I haven't deleted, cos although I have some idea of how to back up the whole registry to a folder, restoring's another matter, and backup/restore of a single key I don't know how to do.

    Sorry I'm such a lamer & being stressed out about this.

    And I'm not a "clicker", 3 years without a single virus or worm should attest to my care & paranoia! but when a file has to be opened, I scan it first. Damn this file, I wish I'd never seen it.
     

    Attached file: NOD.jpg (52.2 KB)
  20. FanJ

    FanJ Guest

    Hi Dee,

    I'm really sorry for all the troubles !

    May I ask you, did you let TDS-3 do that full system scan while Amon was resident?
    It is a good idea to let TDS-3 do its full system scan with your other scanners (like in your case NOD32) temporarily disabled (and your internet connection closed)!
    Don't forget to enable your AV afterwards !

    Do you still have that original file zipped on your system?
    Maybe a good idea to put it for the moment on a floppy (just in case one of the AV/AT people might ask you for it), then completely remove that zip-file from your system, clean temporary files etc, reboot, let TDS-3 do its scan again (with NOD32 disabled), then do a full scan with NOD32 (with TDS-3 temporarily disabled), then run Ad-aware.
    Is then everything clean?
     
  21. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi dee, switch off NOD32 completely including Imon, this should allow TDS3 to handle it properly; what appears to be happening is that as TDS3 looks at it Nod32 jumps in and prevents TDS3 from completing its task.

    When doing a full scan with TDS3 it is better to disable your AV.
    Remember to re-enable NOD32 after the TDS3 scan.

    HTH Pilli
     
  22. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    Thanks so much for that very necessary advice - I was near out of my mind just then when the very same thing happened when I scanned with AdAware!

    OK. I'll definitely not let this happen again, I would never have realised this. I've submitted the file to NOD32, & will now move it off my computer. I'll let the rotten thing live on a floppy for a limited time.

    Am quite demoralised by all this. To be on the safe side, what should I do about the AdWare Cydoor, file c:\windows\rundll32.exe that TDS3 discovered today? It's in c:\windows all right, 24KB, last modified 23/4/99.
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Contains a backdoor trojan. Installs ipconfigS.exe and ZoneLockout.exe
    in your windows system folder/system32, and 3 registry entries.
    Did you find the ipconfigS.exe too?

    Submit the rundll32.exe file to submit@diamondcs.com.au too to be tested please and that one you'll love to try on the kaspersky site i posted above.
    I use that online file scan so often!

    For some reason the scanned files have not been deleted from the Unpk folder; normally they are deleted after being scanned, those are copies of originals elsewhere on your system.
    So just go to that folder in your TDS\xDynamic\TDS.Unpk folder and delete all files there and clean your recycle bin. Of course NOD was reacting on those copies. Once you deleted them it's ok.
    For a scan with NOD32 it is not really necessary to close TDS as it's not doing a thing and the Exec Protection hook is not blocking or doing anything either unless an exe wants to be executed. But don't let TDS do a scan at the same time.
    It's a good idea to try to give any scanner as much space as possible so close all unnecessary programs and browser windows and go drink some coffee or green tea if you prefer calmness :)

    On the contrary, when doing a scan with TDS, have all other scanners and their default protection closed (like advised above) to give TDS full access to every file in your system.
    It might have been NOD running or having the file protected from any access to it that it could not be found and scanned with TDS.

    There are about 1200 hits in google for this nasty in the newsgroups since yesterday, many including the URL, none for the general info nor trojan description sites.

    Hope you did not run the nasty, as i'm not sure about which registry keys yet to check for what exactly.

    You should feel proud to be among the first to submit the nasty, and more damage has been avoided most probably.
     
    Last edited: Jul 23, 2004
  24. dee

    dee Registered Member

    Joined:
    Jul 1, 2003
    Posts:
    72
    This is some sort of bad dream innit? No I don't have either of those files, Jooske, & I used wildcards in my search too. I googled for this backdoor thingo, & got a list of files associated with this, did a search, nada. In the file's Properties, it says Microsoft & stuff like that.

    I don't have very many proggies installed, & those that are, are purchased or the "safe" freeware like IrfanView & Total Uninstall. No games, demos or any of that rubbish. Supposing I rename it & left it a coupla weeks before deleting it?

    It's never been tagged before - could it be a false positive?
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html (for the zonelockdown part)
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.c.html (for the ipconfigS part)

    Click Start > Run.
    Type regedit
    Then click OK.
    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    In the right pane, delete the value:
    "IPConfig"="ipconfigs.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value:
    "Winsock32driver"="ZoneLockup.exe"
    Exit the Registry Editor.
    Restart the computer in Normal mode.


    Here is a description, you might like to print it out and walk step by step through your system as described.
    No it was no false positive; depending if you clicked to look at the file it might have been running and would have done some baddies, if you only got the file and kept it zipped and did nothing else with it all the other stuff is not there, nor the registry keys etc.

    The rundll32.exe is just to ask, could be, could be not, as there is indeed an infection using the rundll32.exe which could have come from the download site, for instance. But as yours was not modified......... not 100% sure.
    Did you configure your folder settings to show all hidden files and file extensions, so nothing can be hidden nowhere at all?

    When you rightclick in the TDS alerts window and look at that rundll32.exe file, does it still look the same as the original?

    Did you get the latest radius update [36097 references - 14238 primaries/10056 traces/11803 variants/other]
    in the meantime?
     
    Last edited: Jul 23, 2004
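As an added defender-side check (example code written for this page, not from the thread or from TDS-3/NOD32), the script below parses a Windows 9x REGEDIT4-style registry export and flags the Run/RunServices values that the Symantec description quoted earlier and Jooske's removal steps above name for this family; the export text inside it is constructed for the example.

```python
# Added example: scan a Windows 9x REGEDIT4-style registry export for the
# autorun values this thread associates with Hackarmy. Not code from the
# thread or from TDS-3/NOD32; the export text below is constructed.
import re

# Autorun keys named in the removal steps quoted in the thread.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
# File names the thread lists for this family (matched case-insensitively).
SUSPECT_FILES = {"zonelockup.exe", "ipconfigs.exe", "warpigs.exe"}

# Constructed sample export: one legitimate Win98 value and the two suspect ones.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Winsock32driver"="ZoneLockup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"IPConfig"="ipconfigs.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REGEDIT4/5 text.
    Only named string values are parsed (hex(...) data is skipped) and the
    doubled backslashes regedit writes inside string data are collapsed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_suspect_autoruns(text):
    """List (key, value_name, data) for autorun values that launch a suspect file."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            # Executable name only: drop any directory path and arguments.
            cmd = data.strip('"').split()
            exe = cmd[0].rsplit("\\", 1)[-1].lower() if cmd else ""
            if exe in SUSPECT_FILES:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_suspect_autoruns(SAMPLE_EXPORT):
        print(f'{key}: "{name}"="{data}"')
```

On a real machine the input would be the text that regedit's Export command writes for those two keys; anything reported should be compared against the removal steps above rather than deleted blindly.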