Re: strange windows behaviour.

From: J Mike Rollins (rollinswfu.edu)
Date: Fri Oct 10 2003 - 10:49:33 CDT


The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove the
entries from the registry. However, the stream is still on the system.
Something like, "echo A > C:\path\to:trojan.dll" will clobber it.

A comment on how to uninstall this is in the comments of the program,
along with a bunch of other interesting text.
I have posted the strings from the trojan on a web page:

        http://www.wfu.edu/~rollins/trojan.txt

However, I am not sure that I feel safe after un-installing it this way.
If this is a backdoor program, who knows what else might have been done to
the system.

On Fri, 10 Oct 2003, Fabio Panigatti wrote:

> > On September 25, 2003, I posted an article "Analysis of a Spam Trojan"
> > to the full-disclosure and focus-virus Listservs. It details one
> > particular spam trojan we found at the University of Minnesota. The
> > full-disclosure archive can be viewed at:
> > http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html
>
> I went through the same analysis a couple of weeks ago and I can confirm
> a lot of your findings about this trojan, formerly known as AFlooder.
>
> The infection way was a VBScript script embedded in the html code of
> a spamvertized web page with mime type application/hta. The vbscript
> exploits the Scripting.FileSystemObject vulnerability of IE to write
> the file audio.exe in the local filesystem, and then runs it with a
> Shell.Run. Audio.exe creates two files, one exe and one dll, in the
> system folder, with random names. The exe is then referenced in one
> or more "autorun" keys of the registry. When the exe is fired up, it
> loads the dll in the execution space of the explorer process and then it
> dies. The actual trojan is the dll, which is invisible in the task
> list because it is running like an explorer.exe subprocess, eluding some
> personal firewalls or a cursory analysis of the system.
>
> For the ones who are in trouble removing the trojan, it seems that the
> trojan can be uninstalled with "rundll32 path\to\the\trojan.dll,Uninstall",
> but I suggest eradicating it with plain old manual methods, switching to
> DOS mode and deleting the involved files and registry keys. Where a DOS
> mode isn't available, the [rename] section in wininit.ini may help a lot.
> In winnt/2k use InUse.exe, from the reskit, as administrator.
>
>
> Fabio
>

Mike

    Network Operations and Security, Wake Forest University
======================================================================
          J. Mike Rollins rollinswfu.edu
     Wake Forest University http://www.wfu.edu/~rollins
        Winston-Salem, NC work: (336) 758-1938
======================================================================
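The "C:\path\to:trojan.dll" form in Mike's post is an NTFS alternate data stream: the DLL is not a separate file in a directory listing but a named stream attached to another file, which is why deleting the registry entries leaves it on disk. The script below is an added example for defenders, not code from the original thread; it enumerates every non-default stream under a directory so a hidden payload of that kind can be found and reviewed. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the $Root default and the 'C:\path\to' / 'trojan.dll' names in the trailing comment are placeholders taken from the post, not real paths.

```powershell
# Added example (not from the original post): list NTFS alternate data
# streams under a directory so a DLL hidden as <file>:<stream> shows up.
# Assumes Windows PowerShell 3.0+ on NTFS. $Root is a placeholder path.
param(
    [string]$Root = "$env:SystemRoot\System32"
)

# Every file carries the default ':$DATA' stream; anything else is an
# alternate stream and worth a look. Zone.Identifier is a common benign
# one (browser download marker) and is filtered out to cut noise.
$ads = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    }

if (-not $ads) {
    Write-Host "No alternate data streams found under $Root"
    return
}

# Report host file, stream name and size; a multi-kilobyte stream with a
# .dll or .exe name on a file that should have none is the thing to review.
$ads | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# After confirming a stream is malicious, remove just that stream instead of
# overwriting it with 'echo A > file:stream' (placeholder names from the post):
#   Remove-Item -LiteralPath 'C:\path\to' -Stream 'trojan.dll'
```

Run it against the system folder Fabio mentions first, then against any directory the registry autorun entries pointed at. Remove-Item -Stream drops only the named stream and leaves the host file intact, which is preferable to the echo trick because it also works for stream names the shell would otherwise mangle and gives you a clean error if the stream has already gone.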
