Re: New Trojan

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 10/25/03

  • Next message: Jerry Heidtke: "RE: New Trojan" 
    Date: Sat, 25 Oct 2003 10:42:41 -0700 (PDT)
To: incidents@securityfocus.com

    Jay,

    > I don't know if this is a new trojan or anything,
    > but I have tried doing some research on the Internet
    > and couldn't find anything on it. Well it has two
    > registry entries in my Run, and RunOnce. Here is
    > the name of both keys acbdhpd and the values are
    > pointing to a file1129 I can not seem to find
    > rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.

    Given the colon, it looks like you might have a DLL
    hidden in an alternate data stream. Is your file
    system NTFS?

    > I
    > tried killing my explorer.exe to see if that is
    > reason I can't find it because I am most likely
    > using a trojanized explorer.exe,

    I'm curious about that statement, given that you
    really don't have anything to base it on.

    > but I could only
    > find a copy in my temp, I delete through DOS and
    > delete the registry entries to no success, the
    > registry keys appear within 30 seconds and the file
    > pops right back up.

    What file? I thought you said you couldn't see
    anything, so what file is popping right back up?

    > Anybody seen this or can give
    > me some help to get this out without reloading? It
    > has also opened up two TCP, 3799, and 41225 and two
    > UDP ports, 1129, 1241. Thanks

    How have you determined this? What tool are you
    using to determine that this particular issue is
    opening those ports, and they're not being opened by
    some other process?

    In a nutshell, it looks as if you've got something on
    your system, but it's hidden in an alternate data
    stream.

    I'm willing to help, you can get me as "carvdawg" on
    AIM and "keydet89" on Yahoo Messenger.

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

  • Next message: Jerry Heidtke: "RE: New Trojan"

    Relevant Pages

    • RE: idsearch.com and GoogleMs.dll
      ... MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security at ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • idgsearch.com and googleMS.dll
      ... the MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • idsearch.com and GoogleMs.dll
      ... the MediaPlayer.exe to trigger set registry entries. ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • Re: New Trojan
      ... >delete the registry entries to no success, ... -- Charles Babbage ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)