Re: This showed up last night... What is it?!

From: Tracker (TheTrackers@attbi.com)
Date: 04/10/02


From: Tracker <TheTrackers@attbi.com>
Date: Wed, 10 Apr 2002 21:33:49 GMT

It's not the Trojan Horses people need to be concerned with, it's the
"root kits" hackers install so they can forever get back into your
computer. What some of these hackers do is disable your anti-virus
program for you, then install another copy of the firewall program you're
running and then hide your files and folders so you can't view your
hacked into system. When you make software changes to your system, the
hacker(s) also have to update the system they installed. This can
cause many problems for you as a user, until the hacker(s) can update
the system.

Tracker

Michael wrote:
>
> I see that I am at least the third person to be hit by this. I too
> have no clue where it came from. I did however, while doing numerous
> things to learn more about this trojan, run Norton Antivirus 2002 with
> the latest Virus Definitions, and found a file "tle<a sequence of
> numbers>.exe" in the windows\temp directory, that was also infected by
> "Backdoor.Trojan". I just thought it might be my virus definitions,
> although they were downloaded from the official site, but they were
> d/led one day after the appearance of this trojan. Follows a short
> story of how I found it.
>
> I've been trying out firewalls recently, namely Zonealarm. Tried out
> Zonealarm 2.6, then it told me there was an update. It wouldn't
> download. So I downloaded the thing manually, also saw this trial
> version of Zonealarm Pro 3 so I thought I'd give that a try. At the
> moment I didn't think there was much use for a firewall and $50 is a
> lot of money and I have never had problems before, always been on
> dial-up so I went back to the free one. It was while I was going
> backwards and forwards I noticed something was wrong.
>
> Zonealarm said "Rundll32.exe wants access to the Internet" I thought
> about it and whenever I use my webcam an entry comes up saying
> "Rundll32.exe" so I thought nothing of it. Especially as I was using a
> newer version of Zonealarm at the time, the 30 day trial, and later
> the update from 2.6, so I figured that the newer versions needed
> somehow to let this file access the Internet. It also wanted to act as
> a server, so I thought, "why not?" I was looking at my alert logfile
> later and saw these connections from an IP address that didn't seem
> familiar. I ran them through VisualRoute5 and it told me they belonged
> to 'proxy.dalnet.com' somewhere in Ontario, Canada. I just thought
> someone was port scanning my machine. It wasn't until I shut down my
> firewall that within a couple of minutes my machine froze.
>
> I found this 'Win32 Rundll Loader' in my startup settings. Deleted it
> from there, restarted. It was still there. Then I tried deleting it
> from the registry. Popped back up again. I did after a while decide to
> block access to RUNDLL32.EXE accessing the Internet and acting as a
> server, when it got weird. But I searched for "RUNDLL32.EXE" found 2,
> one in Windows\system with a file date of the 3rd of April this year.
> So I scanned it with Norton Antivirus and bingo. I haven't had so many
> problems after that per se.
>
> I decided to find out more information. There was a wininit.ini file
> in Windows\start menu\..... that had the entry
>
> [rename]
> c:\windows\explorer.exe c:\windows\explorer.sav
>
> or something similar.
>
> There also seemed to be an explorer.exe in my windows directory. Maybe
> these things occurred because I was trying to purge my system without a
> full reinstall. I've heard too much about these nasty trojans. Copied
> some stuff from my Windows CD back to the windows directory. I thought
> I copied explorer into the right directory but when I restarted
> windows it was trying to load explorer.exe through a dosbox. I ran the
> program under dos, no windows, and it said there was an error with the
> file. I found the copy I had done in the windows\system directory and
> copied it over, and everything worked as before. Yet I was still
> getting this error message. Just a dialog box, looks like something
> someone did using Visual Basic 3. It simply said 'Error' on the bar at
> the top, with a button saying 'OK'. This worried me for a while, I
> then finally removed the entries for my Voodoo2 and LoadPowerProfile,
> as they were giving me gip anyway. No more error message.
>
> I found the Backdoor.Trojan on the tle......exe file, as mentioned
> above, running a system scan in Windows with Norton Antivirus. I have
> since run a DOS scan with Norton's DOS Scanner, plus the latest
> definitions, and a trojan cleaner, downloaded from moosenet.com.
>
> I have no reported problems as such. I still need to run another
> Windows virus scan, as I was getting memory problems last time. I
> still want to check what I was doing on the 2nd or the 3rd, so I can
> find out where this thing originated from.
>
> On the mentions of IRC. I have seen ICQ mentioned as it being related
> to IRC. I do use IRC, on occasion, not dalnet though. I just wish I
> knew where it came from, who wrote it, what it was trying to do to my
> computer, who I can beat up for writing it, etc. Needless to say this
> is the first Trojan I have ever got, I could say 'have been aware of'
> but I am sometimes smarter than I appear.
>
> So thank you for consoling me by not being the only one to have this
> dreadful thing, and not know where they got it. Thank you Zonelabs for
> a wonderful firewall. I also was going to send the file to Norton for
> analysis but I deleted it sometime ago, before I thought about it.
> Why? Simply it was recognised as a trojan (by the way, I had it set to
> the highest detection setting) but it didn't give it a name.
>
> "Tarpan" <tarpan_@REMOVEhotmail.com> wrote in message news:<8D815A7BCD425504.8FF96E780E25CE20.599176F09DCB3D11@lp.airnews.net>...
> > Yesterday, I was bored and decided to reinstall my OS. I do that when
> > bored...
> >
> > Anyways, the comp's your average home PC with DSL using a Cisco router. I'm
> > running Win 98SE on it. Last night I formatted the hard drive and
> > reinstalled the OS. Had no issues doing that, and at first no issues
> > reinstalling my programs. I didn't install my virus and firewall proggies
> > right away though and for approximately 2-3 hours my computer was pretty
> > open there. When it got to the end of the night, I did install previously
> > mentioned proggies, Zone Alarm 3 and AVG, can't recall in which order.
> >
> > At first, all was fine, but half an hour later after updating AVG's virus
> > definitions, I started having problems. ZA started warning me that
> > rundll32.exe was trying to access the internet every few minutes. It seemed
> > odd, but not impossible. Then, when I went to install another proggie, the
> > program froze dead. It didn't respond at all, didn't even come up as "not
> > responding" kinda like it was looping. I had to ctrl-alt-delete to get it
> > to stop. After that, the problems just got worse and worse.
> >
> > Finally, after another thirty minutes of frustration and confusion, I
> > figured I'd check on rundll32.exe and see if there was something odd about
> > it, since it was STILL trying to access the internet, and had started asking
> > for server permissions, and I'd never seen it do that before. Sure enough,
> > I found something. c:\windows\system\rundll32.exe was significantly larger
> > than it ought to be and the creation and modified dates were today. That
> > was an auto alarm to me. Fortunately, c:\windows\rundll32.exe was
> > unaffected.
> >
> > I copied the affected rundll32.exe into a zip file for later analysis,
> > restarted the computer in DOS, and copied the unaffected version over the
> > affected one. Problem solved, everything worked OK after that.
> >
> > Now, my issue is, how DID this thing get on my computer?? Was it a website?
> > Program? Update? This is the code I've managed to salvage from the file.
> > It was at the end of the file:
> >
> > 25172 Char 14 irc.dalnet.com
> > 25248 Char 12 Rundll32.exe
> > 25264 Char 53 Software\Microsoft\Windows\CurrentVersion\RunServices
> > 25328 Char 19 Win32 Rundll Loader
> > 25388 Char 22 command /c c:\r.bat %s
> > 25411 Char 18 cmd /c c:\r.bat %s
> > 25449 Char 29 if not exist ""%1"" goto done
> > 25480 Char 13 del /F ""%1""
> > 25495 Char 10 goto start
> > 25514 Char 15 del /F c:\r.bat
> > 25541 Char 136 cpu: %dMHz. ram: %dKB total %dKB free. os: %s (%d.%d build
> > %d). uptime: %dd %dh %dm. connection type: %s (%s). IP Address: %d.%d.%d.%d
> > 25696 Char 10 Windows XP
> > 25707 Char 12 Windows 2000
> > 25720 Char 10 Windows ME
> > 25731 Char 10 Windows 98
> > 25742 Char 10 Windows 95
> > 25753 Char 22 bad url or dns error.
> > 25776 Char 36 update failed: error executing file.
> > 25813 Char 51 downloaded %.1f kb to %s @ %.1f kb/sec. updating...
> > 25865 Char 22 PRIVMSG %s :opened %s.
> > 25903 Char 40 @downloaded %.1f kb to %s @ %.1f kb/sec.
> > 25944 Char 30 update (%s - %dkb transferred)
> > 25975 Char 37 file download (%s - %dkb transferred)
> > 26013 Char 29 PRIVMSG %s :couldn't open %s.
> > 26045 Char 29 ping.exe -l %d -n %d -w %d %s
> > 26075 Char 43 PRIVMSG %s :finished sending packets to %s.
> > 26121 Char 40 PRIVMSG %s :error sending packets to %s.
> > 26176 Char 14 PRIVMSG %s :%s
> > 26198 Char 13 [%s]: <%s> %s
> > 26214 Char 13 [%s]: * %s %s
> > 26243 Char 28 [%s]: %s is now known as %s.
> > 26272 Char 22 [%s]: %s has quit(%s).
> > 26305 Char 21 [%s]: %s has left %s.
> > 26327 Char 23 [%s]: %s has joined %s.
> > 26356 Char 29 [%s]: nick %s already in use.
> > 26390 Char 21 [%s]: Users in %s: %s
> > 26412 Char 36 spy created on %s:%d in channel %s.
> > 26467 Char 12 [%s] * %s %s
> > 26493 Char 12 [%s] <%s> %s
> > 26521 Char 56 sending %d pings to %s. packet size: %d timeout: %d[ms]
> > 26597 Char 62 sending %d udp packets to: %s. packet size: %d delay: %d[ms].
> > 26677 Char 17 downloading %s...
> > 26697 Char 13 download (%s)
> > 26723 Char 38 clone created on %s:%d in channel %s.
> > 26764 Char 10 clone (%s)
> > 26793 Char 29 downloading update from %s...
> > 26825 Char 11 update (%s)
> > 26857 Char 37 redirect created on port %d to %s:%d.
> > 26897 Char 20 redirect (%d->%s:%d)
> > 26949 Char 10 JOIN %s %s
> > 27019 Char 12 %s %s %s :%s
> > 27112 Char 12 file opened.
> > 27153 Char 17 thread(s) killed.
> > 27173 Function 10 killthread
> > 27220 Char 15 removing bot...
> > 27264 Char 11 %d. %s = %s
> > 27276 Char 14 -[alias list]-
> > 27309 Char 15 -[thread list]-
> > 27335 Char 74 sdbot version 0.4b by [sd] (sdbot@mail.ru). homepage:
> > http://sdbot.n3.net/
> > 27424 Char 33 sdbot 0.4b ready. Up %dd %dh %dm.
> > 27478 Char 11 QUIT :later
> > 27499 Char 11 QUIT :later
> > 27511 Char 10 disconnect
> > 27522 Char 18 QUIT :reconnecting
> > 27627 Char 22 user %s(%s) logged in.
> > 27652 Char 18 password accepted.
> > 27679 Char 11 NOTICE %s :
> > 27708 Char 11 NOTICE %s :
> > 27720 Char 27 VERSION sdbot v0.4b by [sd]
> > 27782 Char 18 joined channel %s.
> > 27820 Char 13 screw you %s!
> > 27838 Char 19 user %s logged out.
> > 27873 Char 10 JOIN %s %s
> > 27905 Char 27 %d %d : USERID : UNIX : %s
> > 27935 Char 16 connected to %s.
> > 27961 Char 21 USER %s NULL NULL :%s
> > 28005 Char 12 bot started.
> > 28018 Char 16 mode $chan +h $1
> > 28042 Char 18 udp $1 10000 $2 50
> > 28064 Char 20 udp $1 10000 2048 50
> > 28088 Char 22 action $chan smacks $1
> > 28117 Char 19 mode $chan +o $user
> > 28142 Char 11 main thread
> > 28158 Char 22 RegisterServiceProcess
> > 28181 DLL 12 kernel32.dll
> > 28194 Char 27 Microsoft Internet Explorer
> > 29582 Function 14 WSAAsyncSelect
> > 29602 Function 10 WSACleanup
> > 29618 Function 10 WSAStartup
> > 29654 Function 11 closesocket
> > 29682 Function 13 gethostbyaddr
> > 29698 Function 13 gethostbyname
> > 29714 Function 11 getsockname
> > 29810 Function 19 InternetCloseHandle
> > 29834 Function 25 InternetGetConnectedState
> > 29862 Function 28 InternetGetConnectedStateExA
> > 29894 Function 13 InternetOpenA
> > 29910 Function 16 InternetOpenUrlA
> > 29930 Function 16 InternetReadFile
> > 29950 Function 13 ShellExecuteA
> > 29966 Function 11 FreeLibrary
> > 29982 Function 15 GetCommandLineA
> > 30002 Function 18 GetExitCodeProcess
> > 30026 Function 17 GetExitCodeThread
> > 30046 Function 18 GetModuleFileNameA
> > 30070 Function 16 GetModuleHandleA
> > 30090 Function 11 CloseHandle
> > 30106 Function 14 GetProcAddress
> > 30126 Function 19 GetSystemDirectoryA
> > 30150 Function 12 GetTickCount
> > 30166 Function 13 GetVersionExA
> > 30182 Function 18 GlobalMemoryStatus
> > 30218 Function 12 LoadLibraryA
> > 30234 Function 11 CreateFileA
> > 30270 Function 15 TerminateThread
> > 30290 Function 14 CreateProcessA
> > 30310 Function 19 WaitForSingleObject
> > 30346 Function 12 CreateThread
> > 30362 Function 11 RegCloseKey
> > 30378 Function 15 RegCreateKeyExA
> > 30398 Function 15 RegDeleteValueA
> > 30418 Function 14 RegSetValueExA
> > 30438 Function 13 __GetMainArgs
> > 30684 DLL 11 wsock32.dll
> > 30768 DLL 11 WININET.DLL
> > 30804 DLL 11 SHELL32.DLL
> > 30820 DLL 12 KERNEL32.DLL
> > 30836 Unichar 44 <A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A
> > 30924 DLL 12 ADVAPI32.DLL
> > 30956 DLL 10 CRTDLL.DLL
> > 30968 Unichar 46 dAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdAdA
> >
> > Heh... Looks like a simple script to log my computer onto irc using a bot
> > and send some various bits of info. I know I don't have IRC installed on my
> > computer (yet) so it's not related to something gotten off of IRC. Anyone
> > have any idea where this might have come from? Or exactly what it does?
> > I'd appreciate any help!
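A triage helper for the kind of strings listing Tarpan pasted above, added here as an example and not part of the original thread: it parses the `offset kind length value` lines, drops the repeated-character padding runs, and groups the remaining strings by the behaviour they evidence (IRC control traffic, an autorun registry key, the self-deleting batch stub, flood commands). The sample excerpt is copied from the listing in the post; the category names, regexes and the verdict rule are my own.

```python
import re
# Constructed excerpt of the listing quoted in the thread, in its
# "<offset> <kind> <length> <value>" layout (not the whole dump).
SAMPLE_DUMP = """\
25172 Char 14 irc.dalnet.com
25264 Char 53 Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
25411 Char 18 cmd /c c:\\r.bat %s
25449 Char 29 if not exist ""%1"" goto done
25480 Char 13 del /F ""%1""
25495 Char 10 goto start
25865 Char 22 PRIVMSG %s :opened %s.
26045 Char 29 ping.exe -l %d -n %d -w %d %s
26949 Char 10 JOIN %s %s
30836 Unichar 44 <A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A<A
"""
LINE_RE = re.compile(r"^(\d+)\s+(Char|Unichar|Function|DLL)\s+(\d+)\s+(.*)$")

# Category names and patterns are my own; each marks a string as evidence
# of one behaviour visible in the listing.
CATEGORIES = {
    "irc_c2": re.compile(r"^(PRIVMSG|NOTICE|JOIN|USER|QUIT|NICK)\b|^irc\."),
    "autorun_persistence": re.compile(r"CurrentVersion\\Run(Services)?\b"),
    "self_delete_batch": re.compile(r"^(cmd|command) /c .*\.bat|^del /F|^goto start|^if not exist"),
    "flood_capability": re.compile(r"ping\.exe -l|udp packets"),
}

def parse_dump(text):
    """Return (offset, kind, value) tuples, dropping padding runs."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset, kind, _length, value = m.groups()
        if kind == "Unichar" and len(set(value)) <= 2:
            continue  # a two-character repeat like "<A<A<A" is padding
        entries.append((int(offset), kind, value))
    return entries

def triage(text):
    """Verdict plus the matched strings that justify it."""
    hits = {name: [] for name in CATEGORIES}
    for _offset, _kind, value in parse_dump(text):
        for name, rx in CATEGORIES.items():
            if rx.search(value):
                hits[name].append(value)
    # IRC verbs, an autorun key and a self-deleting batch stub together
    core = ("irc_c2", "autorun_persistence", "self_delete_batch")
    verdict = "irc_backdoor" if all(hits[k] for k in core) else "inconclusive"
    return verdict, hits
```

Run `triage(SAMPLE_DUMP)` to see the grouped strings; a listing with only IRC verbs and no persistence key comes back "inconclusive".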