mailing list archives
Troj_Trinoo and ZZ
From: thegnome () NMRC ORG (Simple Nomad)
Date: Fri, 25 Feb 2000 20:00:03 -0600
RAZOR has acquired a copy of the Trojan Trinoo. Here is a bit of
information about it. Sorry this isn't in official "advisory" style of
writing, but I really wanted to get this info out quickly.
The trojan is called service.exe, but could be renamed. It is 23145 bytes
in length. To remove it you must kill in in memory, remove its entry at
delete the file from the hard drive. Make sure you delete the correct
file, and not services.exe.
It listens on udp port 34555, and will respond to pings on udp port 35555.
The password is "..Ks" (without the quotes). Therefore the following
will detect it:
Set up a netcat listener:
nc -u -n -l -p 35555 -v -w 100
Send a trinoo ping:
echo 'png ..Ks l44' | nc -u -n -v -w 3 192.168.1.5 34555
The listener will display PONG if a trinoo daemon is listening.
This will kill it:
echo 'd1e ..Ks l44' | nc -u -n -v -w 3 192.168.1.5 34555
After it is killed, the udp port may still be bound until a reboot, at
least on Windows 95/98. Subsequent trinoo pings will return an ICMP
destination unreachable/port unreachable if it is down.
I've updated the unix version of Zombie Zapper to reflect this. You can
download it from http://razor.bindview.com/tools/ZombieZapper_form.shtml,
look for the Unix version 1.1 with Trinoo Trojan support near the bottom
of the page. Hopefully we'll have a Unix version available sometime
Both Seth McGann and Todd Sabin of RAZOR contributed heavily to the info
above after disassembling the trojan. And special thanks to Gary Flynn at
James Madison University for supplying RAZOR with a sample for testing.
- Simple Nomad - No rest for the Wicca'd -
- thegnome () nmrc org - www.nmrc.org -
- thegnome () razor bindview com - razor.bindview.com -
Zonealarm exports sensitive data Andrew Daviel (Feb 25)
Re: Wordpad vulnerability, exploitable also in IE for Win9x Curtis Anderson, CNE, MCSE (Feb 25)
Troj_Trinoo and ZZ Simple Nomad (Feb 26)
DOS in TrendMicro OfficeScan Veille Technologique (Feb 28)
TrendMicro OfficeScan tmlisten.exe DoS Jeff Stevens (Feb 25)
Re: Troj_Trinoo and ZZ Simple Nomad (Feb 27)
Pragma Systems response to USSRLabs report Ussr Labs (Feb 23)
Re: Wordpad vulnerability, exploitable also in IE for Win9x Pauli Ojanpera (Feb 24)