 
From: Kelley, John (john.kelleynmci-isf.com)
Date: Fri Oct 19 2001 - 10:41:26 CDT


    Here is what I had on this...

    *  May 1993, RFC1459, http://www.faqs.org/rfcs/rfc1459.html - Internet
       Relay Chat Protocol

    *  Apr 2001, RFC2810, http://www.faqs.org/rfcs/rfc2810.html - Internet
       Relay Chat: Architecture

    *  Apr 2001, RFC2811, http://www.faqs.org/rfcs/rfc2811.html - Internet
       Relay Chat: Channel Management

    *  Apr 2001, RFC2812, http://www.faqs.org/rfcs/rfc2812.html - Internet
       Relay Chat: Client Protocol

    *  Apr 2001, RFC2813, http://www.faqs.org/rfcs/rfc2813.html - Internet
       Relay Chat: Server Protocol

    *  At least the trojan WinSatan uses TCP port 6667 by default, possibly
       also the trojan ScheduleAgent. And not to forget some other 60 IRC
       trojans of various kinds. Many of them use IRC to broadcast passwords
       or logs captured by keyloggers, but there are also RATs and others as
       well.

    *  May 2001,
       http://advice.networkice.com/Advice/Exploits/Ports/groups/streaming/VocalTec_Internet_Phone/default.htm
       VocalTec Internet Phone, an alternate port other than 6670 used to
       connect to Vocaltec servers. Also, IRC clients can connect to IRC
       servers on this port.

    -----Original Message-----
    From: Mike Peterson [mailto:slidefxyahoo.com]
    Sent: Friday, October 19, 2001 9:02 AM
    To: incidentssecurityfocus.com
    Subject: Trojan program

    Does anyone have information on an IRC Trojan with the
    following characteristics?

    Opens IRC channels on 6667 and connects to some IRC
    channel on 6668.

    It sets a registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Default web browser = "c:\winnt\system32\iexplore.exe"

    And changes the shell:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
    changes it from "Explorer.exe" to "Explorer.exe iexplore.exe"

    I found a 9 KB file named iexplore.exe in
    c:\winnt\system32 and also found the iexplore.exe
    process running.

    Norton Antivirus did not catch the Trojan.

    Here is some of the network traffic:

    Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description
    110    5.159  G7SUJ         NICSRV01      TCP       .AP..., len: 26, seq: 67030892-67030917, ack:3550877285, win:
           Src Other Addr: G7SUJ   Dst Other Addr: 209.116.7.97   Type Other Addr: IP

    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD
    Internet Protocol
    + IP: ID = 0x612A; Proto = TCP; Len: 66

    Network Monitor trace Fri 10/19/01 07:47:37 trojan.TXT

    + TCP: .AP..., len: 26, seq: 67030892-67030917,
    ack:3550877285, win: 8280, src: 8184 dst: 6668

    00000: 00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00  .....G....I\..E.
    00010: 00 42 61 2A 00 00 80 06 AF D9 0A 68 46 75 D1 74  .Ba*.......hFu.t
    00020: 07 61 1F F8 1A 0C 03 FE CF 6C D3 A6 16 65 50 18  .a.......l...eP.
    00030: 20 58 0F CE 00 00 55 53 45 52 20 63 68 78 76 20   X....USER chxv 
    00040: 69 78 64 6F 20 70 6E 6A 68 20 3A 61 64 6F 61 0A  ixdo pnjh :adoa.

    Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description
    113    5.214  0004DD749F42  G7SUJ         TCP       .AP..., len: 68, seq:3550877285-3550877352, ack: 67030892, win
           Src Other Addr: 209.116.7.97   Dst Other Addr: G7SUJ   Type Other Addr: IP

    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD
    Internet Protocol
    + IP: ID = 0x8DED; Proto = TCP; Len: 108
    + TCP: .AP..., len: 68, seq:3550877285-3550877352,
    ack: 67030892, win: 4140, src: 6668 dst: 8184

    00000: 00 B0 D0 1A 49 5C 00 04 DD 74 9F 42 08 00 45 00  ....I\...t.B..E.
    00010: 00 6C 8D ED 40 00 2E 06 94 EC D1 74 07 61 0A 68  .l..@......t.a.h
    00020: 46 75 1A 0C 1F F8 D3 A6 16 65 03 FE CF 6C 50 18  Fu.......e...lP.
    00030: 10 2C B2 D6 00 00 3A 64 72 61 67 6F 6E 73 2E 67  .,....:dragons.g
    00040: 61 2E 75 73 2E 64 61 6C 2E 6E 65 74 20 4E 4F 54  a.us.dal.net NOT

    Frame  Time   Src MAC Addr  Dst MAC Addr  Protocol  Description
    127    5.516  G7SUJ         NICSRV01      TCP       .AP..., len: 32, seq: 67030928-67030959, ack:3550879444, win:
           Src Other Addr: G7SUJ   Dst Other Addr: 209.116.7.97   Type Other Addr: IP

    + FRAME: Base frame properties
    + ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD
    Internet Protocol
    + IP: ID = 0x692A; Proto = TCP; Len: 72
    + TCP: .AP..., len: 32, seq: 67030928-67030959,
    ack:3550879444, win: 8280, src: 8184 dst: 6668

    00000: 00 00 0C 07 AC 47 00 B0 D0 1A 49 5C 08 00 45 00  .....G....I\..E.
    00010: 00 48 69 2A 00 00 80 06 A7 D3 0A 68 46 75 D1 74  .Hi*.......hFu.t
    00020: 07 61 1F F8 1A 0C 03 FE CF 90 D3 A6 1E D4 50 18  .a............P.
    00030: 20 58 76 C4 00 00 4A 4F 49 4E 20 23 77 68 6F 7A   Xv...JOIN #whoz
    00040: 79 65 72 64 61 64 64 79 20 72 61 74 70 61 63 6B  yerdaddy ratpack

    I know that I will need to rebuild the machine, but
    does anyone have experience with this one? I looked
    at the Run key a number of times before I realized the
    Default Web Browser key doesn't fit in.

    Mike

    __________________________________________________
    Do You Yahoo!?
    Make a great connection at Yahoo! Personals.
    http://personals.yahoo.com
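The three Network Monitor frames quoted above, decoded and classified as IRC traffic, as an added example that is not part of the original post or any list tool. The byte strings are transcribed from the hex dumps in the post (the dumps stop at 80 bytes, so the server reply is cut off); the set of client commands watched for, and the choice to flag IRC on any port rather than only 6667, are my assumptions.

```python
import struct

# Constructed from the three Network Monitor dumps quoted in the post
# (the first 80 bytes of frames 110, 113 and 127; the dumps stop there).
FRAMES = {
    110: bytes.fromhex("00000C07AC4700B0D01A495C08004500" "0042612A00008006AFD90A684675D174"
                       "07611FF81A0C03FECF6CD3A616655018" "20580FCE000055534552206368787620"
                       "6978646F20706E6A68203A61646F610A"),
    113: bytes.fromhex("00B0D01A495C0004DD749F4208004500" "006C8DED40002E0694ECD17407610A68"
                       "46751A0C1FF8D3A6166503FECF6C5018" "102CB2D600003A647261676F6E732E67"
                       "612E75732E64616C2E6E6574204E4F54"),
    127: bytes.fromhex("00000C07AC4700B0D01A495C08004500" "0048692A00008006A7D30A684675D174"
                       "07611FF81A0C03FECF90D3A61ED45018" "205876C400004A4F494E202377686F7A"
                       "7965726461646479207261747061636B"),
}
IRC_CLIENT_CMDS = {"NICK", "USER", "JOIN", "PRIVMSG", "PONG"}  # assumed watch list


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP; return endpoints, seq/ack and the TCP payload."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or ip[9] != 6:  # EtherType IPv4, IP protocol TCP
        raise ValueError("not an IPv4/TCP frame")
    ihl = (ip[0] & 0x0F) * 4                       # IHL is in 32-bit words
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4               # TCP data offset, also in 32-bit words
    return {"src": (src_ip, src_port), "dst": (dst_ip, dst_port),
            "seq": seq, "ack": ack, "payload": tcp[data_off:]}


def irc_summary(payload: bytes):
    """Classify a TCP payload as an IRC client command or a prefixed server message; else None."""
    line = payload.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith(":"):                        # server line: ':<prefix> <command> ...'
        prefix, _, rest = line[1:].partition(" ")
        return ("server", prefix, rest.partition(" ")[0])
    cmd, _, params = line.partition(" ")
    return ("client", cmd, params) if cmd in IRC_CLIENT_CMDS else None


def flag_irc(frames: dict) -> list:
    """IRC hits regardless of port: a filter pinned to 6667 would miss this 6668 session."""
    hits = []
    for fid, raw in frames.items():
        d = decode_frame(raw)
        s = irc_summary(d["payload"])
        if s:
            hits.append((fid, d["src"], d["dst"]) + s)
    return hits
```

Run against the post's frames this recovers the client registration (USER) from 10.104.70.117:8184 to 209.116.7.97:6668, the server's prefixed reply from dragons.ga.us.dal.net, and the channel join with its key.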

    ------------------------------------------------------------------------

    ----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    