RE: New Trojan

From: Tran, John (John.Tran_at_unisys.com)
Date: 10/27/03

  • Next message: Chris Fussell: "RE: New Trojan"
    To: 'Damian Gerow' <damian@sentex.net>, incidents@securityfocus.com
    Date: Mon, 27 Oct 2003 13:30:07 -0500
    
    

    Was this trojan discussed in Microsoft Security Bulletins? If so, what number
    or KB?

    -----Original Message-----
    From: Damian Gerow [mailto:damian@sentex.net]
    Sent: Monday, October 27, 2003 10:06 AM
    To: incidents@securityfocus.com
    Subject: Re: New Trojan

    Thus spake Jay Castaldo (fupayme2003@hotmail.com) [25/10/03 13:28]:
    > I don't know if this is a new trojan or anything, but I have tried doing
    > some research on the Internet and couldn't find anything on it. Well, it
    > has two registry entries in my Run and RunOnce. Here is the name of
    > both keys, acbdhpd, and the values are pointing to a file1129 I can not
    > seem to find: rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1. I tried
    > killing my explorer.exe to see if that is the reason I can't find it, because
    > I am most likely using a trojanized explorer.exe, but I could only find
    > a copy in my temp. I deleted it through DOS and deleted the registry entries
    > to no success; the registry keys appear within 30 seconds and the file
    > pops right back up. Anybody seen this or can give me some help to get
    > this out without reloading? It has also opened up two TCP ports, 3799 and
    > 41225, and two UDP ports, 1129 and 1241. Thanks

    I, as well as a handful of other people, have been chasing this down for
    some time. Here's a brief rundown...

    The trojan is apparently similar to Coreflood (and may even share some
    code), but is not.

    On startup, the Trojan is started via registry entries. Since it is a DLL,
    it needs rundll32.exe to start. When it starts, it hooks itself into (I
    think) *every* running process on the system, so you can't actually kill it
    without shutting down the system.

    It checks the registry keys periodically (configurable, I believe), and if
    they are missing, it adds them back in again.

    When the trojan starts, it starts up two proxies -- one HTTP, and one
    SOCKS5. I haven't looked at the UDP ports yet, but that's interesting.
    Watching packet dumps of an infected machine didn't even show these UDP
    ports being used.

    Once the proxies are started, it connects to a remote machine (name
    withheld) and tells it where it is, and what ports the proxies are running
    on. This machine then seemingly disseminates this information to a rather
    large network of 'clients', that proceed to spam through the infected
    machine.

    AFAIK, there is *no* method of removal for this trojan, due to its way of
    infection. Some have speculated that there is an option for removal within
    the trojan, but I have no confirmation of this -- try running strings on the
    DLL, and see if you can find anything in there (i.e. grep for 'remov',
    'instal').

    We have a number of infected customers; as of right now, I am making them
    reformat and reinstall when we find one that's infected.

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------
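Damian's rundown above gives enough concrete indicators for a first triage pass on a suspect box: an autorun value of the same name in both Run and RunOnce, launched through rundll32, with a module path of the form C:\WINNT\system32:acbdhpd.dll. The colon after system32 is NTFS alternate-data-stream syntax (the DLL is a named stream attached to the system32 directory, which is one reason a plain directory listing shows no such file), and it is worth flagging on its own. The Python below is an added example written for this page, not code from anyone in the thread. It parses the text output of `reg query` for the two autorun keys (the sample is constructed to mirror the value Jay reported, padded with two benign entries) and reports rundll32 autoruns whose DLL lives in an alternate data stream, plus value names that appear in both Run and RunOnce.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample of `reg query` output for the two autorun keys discussed
# in the thread. Not captured from a real machine: the acbdhpd lines mirror
# the value quoted in the post, the other two entries are benign filler.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    acbdhpd    REG_SZ    rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    acbdhpd    REG_SZ    rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1
    Setup    REG_SZ    C:\WINNT\system32\setup.exe -cleanup
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+$")
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# rundll32 invocation: optional path and quotes around the binary, then
# "<module>,<entrypoint>". Quoted modules containing commas are not handled.
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<module>[^",]+)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)


@dataclass
class Autorun:
    key: str
    name: str
    data: str


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def parse_reg_query(text: str) -> List[Autorun]:
    """Turn `reg query` text into (key, value name, value data) records."""
    entries: List[Autorun] = []
    key = None
    for line in text.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(Autorun(key, m["name"], m["data"]))
    return entries


def uses_alternate_data_stream(path: str) -> bool:
    """True if a Win32 path names an NTFS stream ("dir_or_file:stream").

    The drive-letter colon is dropped first; any colon left over is stream
    syntax, which never appears in an ordinary file path.
    """
    body = re.sub(r"^[A-Za-z]:", "", path.strip())
    return ":" in body


def scan_autoruns(text: str) -> List[Finding]:
    """Flag rundll32 autoruns loading from an ADS and names shared by Run/RunOnce."""
    findings: List[Finding] = []
    names_by_key: Dict[str, Set[str]] = {}
    for e in parse_reg_query(text):
        subkey = e.key.rsplit("\\", 1)[-1]          # "Run" or "RunOnce"
        names_by_key.setdefault(subkey, set()).add(e.name)
        m = RUNDLL_RE.match(e.data)
        if not m:
            continue
        module = m["module"].strip()
        if uses_alternate_data_stream(module):
            findings.append(Finding(
                e.key, e.name,
                f"rundll32 loads DLL from an NTFS alternate data stream: "
                f"{module} (entry point {m['entry']})"))
    shared = names_by_key.get("Run", set()) & names_by_key.get("RunOnce", set())
    for name in sorted(shared):
        findings.append(Finding(
            "Run+RunOnce", name, "same value name present in both Run and RunOnce"))
    return findings


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_REG_QUERY):
        print(f"[{f.key}] {f.name}: {f.reason}")
```

On a real machine you would feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the RunOnce key (and the HKCU equivalents, which the sample omits), ideally exported from an offline copy of the hive. Two caveats follow directly from the thread: the trojan re-adds its keys within about 30 seconds, so a clean result taken just after deleting them proves nothing, and since the DLL is hooked into every running process, anything observed from inside the infected OS can be lied to, which is the reasoning behind Damian's reformat-and-reinstall policy.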
