New/old Trojan?

From: nixsec (nixsec_at_AREA66.ORG)
Date: 11/21/04

    Date:         Sun, 21 Nov 2004 14:11:28 -0600

    -------- Original Message --------
    Subject: New/old Trojan?
    Date: Sun, 21 Nov 2004 14:03:36 -0600
    From: nixsec <>

    I usually use Linux as my operating system, but for games I go with
    Windows. I have used this installation of Windows 2000 SP4 around 6
    times (I did not do Windows Update because I didn't really care about
    the system, since it was for gaming only), and Sygate firewall detected
    this weird application trying to connect to a remote site. I tried
    looking on Google for Mmnkijia.exe and could not find anything on it.
    This application hides itself in the folder: when using Windows
    Explorer to view the folder C:\WINNT\system32\, the file would not show
    up. Using TCPView from Sysinternals I found several ports open:
    <Non-existant Process>:976 TCP xfiles:247 xfiles:0
    LISTENING (searched on google and said this was a service called
    <Non-existant Process>:976 TCP xfiles:18855 xfiles:0
    <Non-existant Process>:976 TCP xfiles:21134 xfiles:0
    <Non-existant Process>:976 TCP xfiles:38493 xfiles:0

    (Tcpview.exe would crash when I attempted to kill the process; when I
    reopened it those ports would still be open. I think I managed to kill
    the process one time, or crashed it somehow, and a few minutes later it
    was back up and running.)

    I loaded up Windows in safe mode with command prompt, and from there the
    file was visible. I also found a DLL file which the exe uses, called
    Mngepfne.dll (maybe loaded to hide processes and files?). I backed
    these up for further examination and removed them from the system32
    folder; this seemed to fix the problem for now and all the ports are
    closed, but I have no idea where it came from! Later I checked the
    page, and the index page says page not found, so my only guess is that
    it accesses that web site and the owners of it can check the web server
    log files to find infected IPs. I did a whois on that server name and
    it is only a few months old (created: 2004.06.26). If anyone has info
    or would like a copy of the binary files to examine them, let me know.

    Sygate firewall log:
    Parent Version :
    Parent Description :
    Parent Process ID : 0x394 (Heximal) 916 (Decimal)

    File Version : 5.0.2920.0
    File Description : Internet Explorer (IEXPLORE.EXE)
    File Path : C:\Program Files\Internet Explorer\IEXPLORE.EXE
    Process ID : 0x3D4 (Heximal) 980 (Decimal)

    Connection origin : local initiated
    Protocol : TCP
    Local Address :
    Local Port : 1046
    Remote Name :
    Remote Address :
    Remote Port : 80 (HTTP - World Wide Web)

    Ethernet packet details:
    Ethernet II (Packet Length: 76)
           Destination: 00-06-25-63-64-64
           Source: 00-00-21-ff-8a-0d
    Type: IP (0x0800)
    Internet Protocol
           Version: 4
           Header Length: 20 bytes
                   .1.. = Don't fragment: Set
                   ..0. = More fragments: Not set
           Fragment offset:0
           Time to live: 128
           Protocol: 0x6 (TCP - Transmission Control Protocol)
           Header checksum: 0x9209 (Correct)
    Transmission Control Protocol (TCP)
           Source port: 1046
           Destination port: 80
           Sequence number: 2811592179
           Acknowledgment number: 0
           Header length: 28
                   0... .... = Congestion Window Reduce (CWR): Not set
                   .0.. .... = ECN-Echo: Not set
                   ..0. .... = Urgent: Not set
                   ...0 .... = Acknowledgment: Not set
                   .... 0... = Push: Not set
                   .... .0.. = Reset: Not set
                   .... ..1. = Syn: Set
                   .... ...0 = Fin: Not set
           Checksum: 0x7128 (Correct)
           Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 06 25 63 64 64 00 00 : 21 FF 8A 0D 08 00 45 00 | ..%cdd..!.....E.
    0010: 00 30 00 77 40 00 80 06 : 09 92 C0 A8 01 66 42 84 | .0.w@........fB.
    0020: EC 2C 04 16 00 50 A7 95 : 7D F3 00 00 00 00 70 02 | .,...P..}.....p.
    0030: 40 00 28 71 00 00 02 04 : 05 B4 01 01 04 02 6B 02 | @.(q..........k.
    0040: 72 75 00 00 01 00 01 39 : 2E 32 35 35 | ru.....9.255

    I'm thinking of maybe installing Snort on the Windows system and
    reactivating the trojan to see what happens. I would like to learn more
    on computer forensics; any tips or other software good to be used to
    gather/examine data?

    Paulo Ferreira.
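The packet in the Sygate log above can be checked independently from its hex dump, which is the kind of exercise the poster asks about. The script below is an added example, not part of the original post and not Sygate or Sysinternals code: it reads the dump, dissects the Ethernet II, IPv4 and TCP headers, recomputes both checksums (RFC 1071 one's complement, the TCP one over the pseudo-header plus segment) and decodes the TCP options. The byte string is transcribed from the dump in the post; the field names in the result dictionary are my own. Two things the summary does not make obvious: the dump holds the checksum bytes as 09 92 and 28 71, which Sygate's summary prints byte-swapped as 0x9209 and 0x7128, and the recomputation confirms the stored values are correct in network byte order; and the frame is 76 bytes while the IP total length is 48, so the last 14 bytes ("k.ru.....9.255") are not part of the datagram and are reported only as a trailer.

```python
"""Dissect the captured SYN from the Sygate log (added example, not from the post)."""
import struct

# Transcribed from the "Binary dump of the packet" in the post; offset and
# ASCII columns removed so only the 76 frame bytes remain.
HEX_DUMP = """
00 06 25 63 64 64 00 00 21 FF 8A 0D 08 00 45 00
00 30 00 77 40 00 80 06 09 92 C0 A8 01 66 42 84
EC 2C 04 16 00 50 A7 95 7D F3 00 00 00 00 70 02
40 00 28 71 00 00 02 04 05 B4 01 01 04 02 6B 02
72 75 00 00 01 00 01 39 2E 32 35 35
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_hex_dump(text):
    """Turn whitespace-separated hex byte tokens into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw):
    """Decode the TCP option list (kind, length, data) into (name, value) pairs."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # No-operation: single byte, no length
            options.append(("NOP", None))
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            options.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 4:
            options.append(("SACK-permitted", None))
        else:
            options.append(("kind-%d" % kind, body.hex()))
        i += length
    return options


def decode_frame(frame):
    """Dissect an Ethernet II / IPv4 / TCP frame and verify both checksums."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    ttl, proto = ip[8], ip[9]
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    src_ip, dst_ip = ip[12:16], ip[16:20]
    # IP checksum is recomputed over the header with the checksum field zeroed.
    ip_csum_calc = internet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])

    # Bytes beyond the IP total length are not part of this datagram.
    segment, trailer = ip[ihl:total_len], frame[14 + total_len:]
    (sport, dport, seq, ack, off_flags,
     window, tcp_csum, urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [n for bit, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << bit)]
    # TCP checksum covers the pseudo-header (addresses, protocol, length) + segment.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(segment))
    tcp_csum_calc = internet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

    return {
        "dst_mac": "-".join("%02x" % b for b in frame[0:6]),
        "src_mac": "-".join("%02x" % b for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "ttl": ttl, "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum": ip_csum, "ip_checksum_ok": ip_csum == ip_csum_calc,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_length": data_offset, "flags": flags, "window": window,
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": tcp_csum == tcp_csum_calc,
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload_bytes": len(segment) - data_offset,
        "trailer_bytes": len(trailer),
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(HEX_DUMP)).items():
        print("%-18s %s" % (key, value))
```

The same decoder works on any Ethernet/IPv4/TCP frame pasted from a firewall or sniffer log, so it is a quick way to confirm that a logged summary (ports, sequence number, flags) really matches the bytes before drawing conclusions from it.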

