RE: New Trojan

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 10/27/03

  • Next message: Matt Vaughan: "RE: New Trojan" 
    Date: Mon, 27 Oct 2003 13:06:16 -0800 (PST)
To: incidents@securityfocus.com

    Lucretia,

    Easier said than done on Win2k and above...thanks to
    WFP.

    --- Lucretia <lucretias@shaw.ca> wrote:
    > Correct, you must take steps to remove wscript.exe
    > and cscript.exe otherwise
    > they will remain.
    >
    >
    >
    > > -----Original Message-----
    > > From: lsi [mailto:stuart@cyberdelix.net]
    > > Sent: Monday, October 27, 2003 6:04 AM
    > > To: Harlan Carvey
    > > Cc: incidents@securityfocus.com
    > > Subject: Re: New Trojan
    > >
    > >
    > > Hi there,
    > >
    > > > http://patriot.net/~carvdawg/docs/dark_side.html
    > >
    > > Excellent article on ADS, one point. You say
    > Windows Scripting Host
    > > started shipping with W2K. However, it is
    > apparently installed by
    > > default on Win98SE systems as well (I reinstalled
    > this machine just
    > > last week).
    > >
    > > After reading your article I fired up a command
    > prompt and typed
    > > CSCRIPT - this caused the scripting host to
    > appear. Which was odd,
    > > because I was sure I had told the installer *not*
    > to install Windows
    > > Scripting Host....
    > >
    > > So I click Start.. Settings.. Control Panel.. Add
    > and Remove
    > > Programs.. Windows Setup.. Accessories.. and sure
    > enough Windows
    > > Scripting Host is *NOT* checked. However,
    > CSCRIPT.EXE is in my
    > > C:\WINDOWS\COMMAND directory while WSCRIPT.EXE is
    > in my C:\WINDOWS
    > > directory anyhow.
    > >
    > > So I would like to report to you:
    > >
    > > 1. WSH is shipped with Win98SE as well.
    > > 2. telling the installer not to install it does
    > not work.
    > >
    > > Stuart
    > >
    > > On 25 Oct 2003 at 10:42, Harlan Carvey wrote:
    > >
    > > Date sent: Sat, 25 Oct 2003 10:42:41 -0700
    > (PDT)
    > > From: Harlan Carvey
    > <keydet89@yahoo.com>
    > > Subject: Re: New Trojan
    > > To: incidents@securityfocus.com
    > >
    > > > Jay,
    > > >
    > > > > I don't know if this is a new trojan or
    > anything,
    > > > > but I have tried doing some research on the
    > Internet
    > > > > and couldn't find anything on it. Well it has
    > two
    > > > > registry entries in my Run, and RunOnce. Here
    > is
    > > > > the name of both keys acbdhpd and the values
    > are
    > > > > pointing to a file1129 I can not seem to find
    > > > > rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.
    > > >
    > > > Given the colon, it looks like you might have a
    > DLL
    > > > hidden in an alternate data stream. Is your
    > file
    > > > system NTFS?
    > > >
    > > > > I
    > > > > tried killing my explorer.exe to see if that
    > is
    > > > > reason I can't find it because I am most
    > likely
    > > > > using a trojanized explorer.exe,
    > > >
    > > > I'm curious about that statement, given that you
    > > > really don't have anything to base it on.
    > > >
    > > > > but I could only
    > > > > find a copy in my temp, I delete through DOS
    > and
    > > > > delete the registry entries to no success, the
    > > > > registry keys appear within 30 seconds and the
    > file
    > > > > pops right back up.
    > > >
    > > > What file? I thought you said you couldn't see
    > > > anything, so what file is popping right back up?
    > > >
    > > > > Anybody seen this or can give
    > > > > me some help to get this out without
    > reloading? It
    > > > > has also opened up two TCP, 3799, and 41225
    > and two
    > > > > UDP ports, 1129, 1241. Thanks
    > > >
    > > > How have you determined this? What tool are
    > you
    > > > using to determine that this particular issue is
    > > > opening those ports, and they're not being
    > opened by
    > > > some other process?
    > > >
    > > > In a nutshell, it looks as if you've got
    > something on
    > > > your system, but it's hidden in an alternate
    > data
    > > > stream.
    > > >
    > > > I'm willing to help, you can get me as
    > "carvdawg" on
    > > > AIM and "keydet89" on Yahoo Messenger.
    > > >
    > > >
    > > >
    > > >
    > >
    >
    ------------------------------------------------------------------
    > > ---------
    > > > Network with over 10,000 of the brightest minds
    > in information security
    > > > at the largest, most highly-anticipated industry
    > event of the year.
    > > > Don't miss RSA Conference 2004! Choose from over
    > 200 class sessions and
    > > > see demos from more than 250 industry vendors.
    > If your job touches
    > > > security, you need to be here. Learn more or
    > register at
    > > >
    >
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    > > > and use priority code SF4.
    > > >
    > >
    >
    ------------------------------------------------------------------
    > > ----------
    > >
    > >
    > > --
    > > Stuart Udall
    > > stuart at cyberdelix dot net -
    > http://www.cyberdelix.net/
    > > ..revolution through evolution
    > >
    > > want to make some cash? check out
    > http://cyberdelix.net/affiliates.htm
    > >
    > >
    > >
    >
    ------------------------------------------------------------------
    > > ---------
    > > Network with over 10,000 of the brightest minds in
    > information security
    > > at the largest, most highly-anticipated industry
    > event of the year.
    > > Don't miss RSA Conference 2004! Choose from over
    > 200 class sessions and
    > > see demos from more than 250 industry vendors. If
    > your job touches
    > > security, you need to be here. Learn more or
    > register at
    > >
    >
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    > > and use priority code SF4.
    > >
    >
    ------------------------------------------------------------------
    > > ----------
    > >
    >
    >

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

  • Next message: Matt Vaughan: "RE: New Trojan"

    Relevant Pages

    • RE: New Trojan
      ... > in information security ... > If your job touches ... > register at ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • Re: New Trojan
      ... >> in information security ... >> If your job touches ... >> register at ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • Re: [Full-disclosure] Brazilian Bank (Caixa Economica Federal) vuln
      ... some brazilian banks has implementing a system based in computer ... identification (like a PC register). ... account, the attacker can log in on the bank account without identify ... Igor Marcel - Information Security Consultant ...
      (Full-Disclosure)
    • [Full-disclosure] Brazilian Bank (Caixa Economica Federal) vuln
      ... some brazilian banks has implementing a system based in computer ... identification (like a PC register). ... account, the attacker can log in on the bank account without identify ... Igor Marcel - Information Security Consultant ...
      (Full-Disclosure)
    • Re: Nmap output
      ... most highly-anticipated industry event of the year. ... Choose from over 200 class sessions and ... Network with over 10,000 of the brightest minds in information security ...
      (Pen-Test)