Subject: Re: unknown trojan (attached)
From: Doug Kahler (dougak at TAMPABAY.RR.COM)
Date: Mon Jun 12 2000 - 10:04:10 CDT
- Next message: arhuman at HOTMAIL.COM: "IRC connect through apache ????"
- Previous message: Kunz, Peter: "[ISN] Video Trojan hoax scares up publicity for security firm"
- In reply to: Brandon Kittler: "Re: unknown trojan (attached)"
- Next in thread: Jeremy L. Gaddis: "Re: unknown trojan (attached)"
- Reply: Doug Kahler: "Re: unknown trojan (attached)"
I had this same trojan on my computer a few months ago. I ran a packet
sniffer on it and found out that it joins a random EFnet server, then joins
channel "#mikag" with a key of "soup". Just joined the channel today, and
there are 55 people in there with nicks of random letters and numbers. I
assume they are all infected.
----- Original Message -----
From: "Brandon Kittler" <bkittler at EARTHLINK.NET>
To: <INCIDENTS at SECURITYFOCUS.COM>
Sent: Sunday, June 11, 2000 1:55 AM
Subject: Re: unknown trojan (attached)
> I had the same problem. The trojan resides in c:\windows\srvcp.exe.
> It is started at run time via the registry, in
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
> The program is listed as "Service Profiler". I came across it the other
> day, and wondering what it was, pulled all the strings out. It runs an
> ident daemon, as well as an IRC connection which it receives commands
> over (retrieval of FTP files, run cmds, etc). If you telnet to 113 and
> issue an invalid ident request, the trojan crashes immediately.
>
> Extracted from srvcp.exe:
> ...
> 00529F ftp -s:c:\flog
> 0052B1 quit
> 0052BC c:\flog
> 0052CE CHAN
> 0052D3 REMSERVER
> 0052DD ADDSERVER
> 0052E7 SOUPCHAN
> 0052F0 SETNAME
> ...
> 00548C PRIVMSG %s :ok.. running
> 0054A6 PRIVMSG %s :couldn't spawn file
> 0054C7 PRIVMSG %s :successfully spawned ftp.exe
> 0054F1 PRIVMSG %s :couldn't spawn ftp.exe
> 005515 PRIVMSG %s :no more...
> 00552D PRIVMSG %s :ready and willing...
> ...
>
> Obviously, this isn't supposed to be there :)
>
> Brandon Kittler
> bkittler at iname.com
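The two posts above give enough network-side indicators to write a traffic check: the bot joins "#mikag" with channel key "soup" (Doug's sniffer observation), answers its controller with fixed PRIVMSG strings, and understands the command words CHAN, REMSERVER, ADDSERVER, SOUPCHAN and SETNAME (Brandon's strings dump). The following is an added example, not code from either poster: a small RFC 1459 line parser plus an indicator matcher, run over a constructed IRC session. Server name, nicks and the session lines are made up for the example; only the channel, key, status strings and command words come from the thread.

```python
"""Added example: flag the srvcp.exe IRC bot in captured IRC traffic.

Indicators taken from the thread above:
  * JOIN to channel #mikag with channel key "soup"
  * fixed bot status replies such as "ready and willing..."
  * controller command words: CHAN, REMSERVER, ADDSERVER, SOUPCHAN, SETNAME
Everything else (server name, nicks, session) is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BOT_CHANNEL = "#mikag"
BOT_KEY = "soup"
BOT_STATUS = {
    "ok.. running", "couldn't spawn file", "successfully spawned ftp.exe",
    "couldn't spawn ftp.exe", "no more...", "ready and willing...",
}
BOT_COMMANDS = {"CHAN", "REMSERVER", "ADDSERVER", "SOUPCHAN", "SETNAME"}


@dataclass
class IrcMessage:
    prefix: Optional[str]      # "nick!user@host" or server name, if present
    command: str               # e.g. JOIN, PRIVMSG, or a numeric reply
    params: List[str]          # middle parameters (no spaces)
    trailing: Optional[str]    # text after " :", may contain spaces


def parse_irc(line: str) -> IrcMessage:
    """Split one IRC protocol line into prefix, command, params, trailing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing parameter starts at the first " :" and runs to end of line.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:],
                      trailing if sep else None)


def classify(line: str) -> Optional[str]:
    """Return an indicator name if the line matches the bot, else None."""
    try:
        msg = parse_irc(line)
    except ValueError:
        return None
    if msg.command == "JOIN" and msg.params:
        # JOIN may carry comma-separated channels and keys; match by position.
        chans = msg.params[0].lower().split(",")
        keys = msg.params[1].split(",") if len(msg.params) > 1 else []
        if BOT_CHANNEL in chans:
            idx = chans.index(BOT_CHANNEL)
            if idx < len(keys) and keys[idx] == BOT_KEY:
                return "join-mikag-with-key-soup"
            return "join-mikag"
    if msg.command == "PRIVMSG" and msg.trailing is not None:
        if msg.trailing in BOT_STATUS:
            return "bot-status-reply"
        words = msg.trailing.split()
        if words and words[0].upper() in BOT_COMMANDS:
            return "bot-command:" + words[0].upper()
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Run classify over captured lines; return (line_no, indicator, line)."""
    hits = []
    for n, line in enumerate(lines, 1):
        ind = classify(line)
        if ind:
            hits.append((n, ind, line.rstrip("\r\n")))
    return hits


# Constructed sample session (not real capture data).
SAMPLE = [
    "NICK xk39a1q\r\n",
    "USER xk39a1q 0 * :xk39a1q\r\n",
    ":irc.example.net 001 xk39a1q :Welcome\r\n",
    "JOIN #mikag soup\r\n",
    ":op!o@host PRIVMSG #mikag :SETNAME b7q2\r\n",
    ":xk39a1q!u@host PRIVMSG #mikag :ready and willing...\r\n",
    ":xk39a1q!u@host PRIVMSG #mikag :hello :) ready and willing...\r\n",
    "PING :irc.example.net\r\n",
]

if __name__ == "__main__":
    for n, ind, line in scan(SAMPLE):
        print(f"{n:3d} {ind:28s} {line}")
```

Matching on the JOIN with key is the strongest signal, since the key is not visible to anyone who merely lists channels; the status strings are matched exactly so that ordinary chatter containing similar words (the seventh sample line) is not flagged.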