RE: [SPAM] RE: interesting trojan found
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 21 Oct 2004 11:40:59 -0500
For some reason, I was thinking he couldn't see it in systemprocess, but
now that I think about it, you are correct. So it was hiding but not
very well, therefore not the true trojan/rootkit hybrid. Thanks Peter.
From: Peter Kruse [mailto:kruse () krusesecurity dk]
Sent: Thursday, October 21, 2004 11:33 AM
To: Todd Towles; full-disclosure () lists netsys com
Subject: SV: [SPAM] RE: [Full-disclosure] interesting trojan found
But if it is a rootkit, does it not hide from normal AV scanning?
Nope, you'll see it in the systemprocess, but since it's
active in memory, you won't be able to end it.
The trojan is a RDBot variant (Spybot). Like other variants,
from this string, it spreads across local and remote
networks. It uses several exploits to compromise unpatched
MS Windows boxes, as well as searches for shares with weak
passwords. When executed, it creates a mutex "[rxBot v0.6.5
pk + ftpd]". If another instance of this worm is already
running, it will exit. The malware carries a backdoor that
allows a malicious user to control the infected host through
IRC channels. As stated in the first posting, it drops a
copy of itself to the Windows system folder. Next up it
modifies registry with several runas keys under the value
"update run msword".
This RDbot includes a keylogger that will log all keyboard
activity and save this to a text file. A remote user can
collect this information through IRC and possibly gain access
to other services.
Med venlig hilsen // Kind regards
Peter Kruse, Voice: (+45) 88136030
Security- and virusanalyst, Cel (+45) 28490532
CSIS ApS Fax (+45) 28176030
http://www.csis.dk E-mail pkr () csis dk
79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60
Combined Services & Integrated Solutions Gevno Gade 11a 4660
Store Heddinge, Denmark
Full-Disclosure - We believe in it.
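
An added example, not part of the original posts: a sweep of a `reg export` text dump for the autostart value name given in the message above. The post names only the value "update run msword"; the autostart key paths, the sample export and the placeholder data in it are assumptions constructed for illustration.

```python
import re

# Value name reported in the post; everything else below is an assumption.
IOC_VALUE_NAME = "update run msword"

# Standard Windows autostart key suffixes (assumed; the post does not list the keys).
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def find_autostart_hits(reg_text, value_name=IOC_VALUE_NAME):
    """Return (key, name, data) for matching values under autostart keys."""
    hits, key, wanted = [], None, value_name.lower()
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")  # remember which key the next values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        # Registry value names are case-insensitive, so compare lowercased.
        if m.group("name").strip().lower() == wanted:
            hits.append((key, m.group("name"), m.group("data").strip('"')))
    return hits

# Constructed sample in `reg export` text form; the data strings are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Update Run MSWord"="PLACEHOLDER.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"update run msword"="PLACEHOLDER.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"update run msword"="not an autostart key"
'''

if __name__ == "__main__":
    for key, name, data in find_autostart_hits(SAMPLE_EXPORT):
        print(f"{key} :: {name} = {data}")
```

Real `reg export` files are UTF-16 encoded, so decode them before passing the text to `find_autostart_hits`.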