[Full-disclosure] New virus - possible rootkit



Virus Alert - Possible Rootkit
--

The files ARE NOT detected by ANY current AV Scanning signature engine.

I do not have the time to write a report on the entire analysys but I wanted
to get the data out to everyone ASAP so that you can detect this running on
your computers. I'm finding that this is pretty widespread here on my
customers' network.

This appears to be an IRC bot that encrypts its traffic to fly beneath the
radar. What makes it more interesting is that the directories it creates
have SYSTEM ownership and only system and creator/owner can access the
files. Changing permissions on the files or directorys will only be changed
back. It also appears that if you remove the file, it will start revoking
permissions on all files and will remove everyones but SYSTEM's permission
to all files.

This is very, very early prelim info. and I am trying to both quarrantine
the damage, investigate the infection on top of trying to get the word out.
(I know what the cygwin files are, but they came with the infection so I
include them here.)

I've uploaded the .zip file with all the programs in their respective
directories recursed to my web site, I'll have it up there by 21 Sep, 2006.
http://www.appiant.net

The files and locations:
c:\windows\system32\cygcrypt-0.dll (linux crypto)
c:\windows\system32\cygwin1.dll (linux command)
c:\windows\system32\dntus26.exe (used for remote admin)
c:\windows\system32\javadebug.dll (actually a text file)
c:\windows\system32\rundl32.exe (ircbot interface)
c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with
the text from javadebug.dll I dont know what else it does yet)
c:\windows\system32\scardsvrs.exe (the device that appears to launch the
zonedown.bat file... still working)
c:\windows\system32\wbem\svchost.exe (Serv-u ftp service - modified -)
c:\windows\system32\wbem\wbem.exe (workin on what this one does)...

it also placed files in a hidden directory with only system priviledges:
c:\windows\system32\DirectX\Dinput\Others\

The file placed in there was a snippet of a movie, divx encoded... the
filename was Min2 (no extension).

Below is what the AVERT labs reported when I submitted the file.

Joel Helgeson
Appiant, Inc.
952-858-9111

-------------------------------

AVERT Labs - Beaverton
Current Scan Engine Version:4.4.00
Current DAT Version:4855
Thank you for your submission.

Analysis ID: 2533501
NameFindings DetectionType Extra
cygcrypt-0.dll no malware n
cygwin1.dll no malware n
dntus26.exe heuristic detection remadm-dwrc Application n
javadebug.dll inconclusive no
rundl32.exe current detection iroffer Application no
scardsvrs.exe heuristic detection srvany Application no
svchost.exe current detection servu-daemon Application no
wbem.exe heuristic detection srvany Application no
zonedown.batinconclusiveno

current detection [ rundl32.exe svchost.exe ]
Our analysis detected a potentially unwanted program file or joke program
with our current DAT files and engine. It is recommended that you update
your DAT and engine files and scan your computer again. You may not want
this program installed. If you do not want it installed, we recommend that
you use the Add/Remove Program in the Windows Control Panel to completely
uninstall the detected program. You can also contact the Virus Information
Library for information about manually uninstalling potentially unwanted
programs. If you are not seeing this with the product you are using, please
speak with technical support so that they can help you determine the cause
of this discrepancy.
If you use the McAfee VirusScan Online or VirusScan Retail products, and do
not have the Dat File Version specified, please visit
http://www.webimmune.net/extra/getextra.aspx and use the detection name
supplied in this message to receive an extra.dat file for detection.

inconclusive [ javadebug.dll zonedown.bat ]
Upon analysis the file submitted does not appear to contain one of the
100,000 known threats in the AutoImmune database. The file may contain a new
malware threat, or no code capable of being infected. Your submission is
being forwarded to an AVERT Researcher for further analysis. You will be
contacted by AVERT through e-mail with the results of that analysis.

heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]
The file received may contain a potentially unwanted program file or joke
program. This potential threat was identified with our most powerful set of
heuristic DAT drivers. Heuristic drivers can make false-positive
identifications, as such, this issue is being escalated to AVERT for a
thorough review. In the meantime, it is recommended that you update your DAT
and engine files and scan your computer again. You will be contacted through
e-mail with the results of our analysis. Warning: McAfee products do not
clean potentially unwanted program files or joke programs. The attached will
only detected the potentially unwanted program. If you do not want it
installed, we recommend that you use the Add/Remove Program in the Windows
Control Panel to completely uninstall the detected program. You can also
contact the Virus Information Library for information about manually
uninstalling potentially unwanted programs.

no malware [ cygcrypt-0.dll cygwin1.dll ]
AVERT has found no indications of malicious code. Upon examining the file,
we observed no malicious behavior. If you still believe the files you sent
contain a virus or trojan, please provide more information on why you feel
these are suspect files.


Regards,



McAfee AVERT tm
A division of McAfee, Inc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] New virus - possible rootkit
    ... Below is what the AVERT labs reported when I submitted the file. ... dntus26.exe heuristic detection remadm-dwrc Application n ... Our analysis detected a potentially unwanted program file or joke program ...
    (Full-Disclosure)
  • 3280277 - ynlg
    ... AVERT Labs - Beaverton ... Current Scan Engine Version:5100.0194 ... Current DAT Version:4982.0000 ... Assistance with detection and cleaning or removal of viruses or trojans ...
    (Linux-Kernel)
  • Re: Check Engine Lamp on 94 Camry V6 Goes On and Off
    ... Alas the poor O2 sensor, the most changed good part on the modern ... within it design parameters and activating the check engine light. ... there is 2-trip detection logic for the check engine ... a condition has to be present during 2 trip ...
    (alt.autos.toyota)
  • Re: Trend Micro OfficeScan Spyware detection program issues
    ... > detection and cleanup feature. ... > It would be easy to write a spyware app that drops a perfectly legit copy ... > I asked Trend if they had a fix for the machines that had had these system ... since they said their engine shouldn't have done what it did. ...
    (microsoft.public.security.virus)
  • McAfee DAT v4664 dat files have been released early due to new variants of Exploit-WMF
    ... The 4664 dat files have been released early due to publicly-released new ... The McAfee Scanning Engine forms the core malware detection and repair component ...
    (microsoft.public.security.virus)