Re: A Big trojan problem (irc.flood.??) and rundll32.exe connecting to internet

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 03/09/03


From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
Date: Sun, 9 Mar 2003 14:58:35 +1300


"Marcel F. U." <marcelf3@yahoo.com> wrote:

> Hello, I have win 2k with the latest McAfee VirusScan Professional
> up-to-date.

Ummmm -- how "up-to-date"??

They added detection of several things yesterday that probably include
what you have...

> One day my antivirus caught a trojan called IRC.FinalBot that came in
> a file that was just created (dont know how). The only option
> available to get rid of the virus was to exclude.

How was quite likely by remote SMB (Windows) networking commands via
port 445 due to weak admin password...

> Since then, many IRC.flood trojans started to appear. This includes
> all kinds, flood.ak, flood.bc, etc.

Once your pants are around your ankles...

> I ran antivirus scan with heuristics turned on and it found two
> viruses (irc.flood.??) in winnt\system32\config. The files were named
> with random numbers with the extension .ins (ex: 19020377.ins). OK,
> deleted those.

These will have been configuration scripts for other things, probably
already running on the machine.

> To make sure there weren't any other trojans, I ran many other trojan
> detectors, no one found anything.

I just love the faith so many people have in the largely second- and
third-rate "Trojan scanner" software.

> At last, I ran the McAfee firewall, and it kept warning me almost
> every minute that a file rundll32.exe was trying to connect to random
> addresses, see one of the reports.
<<snip>>

Yep -- very common to several variants of these auto-spreading bot-net
installers. As a quick heuristic check, look in \winnt\fonts,
organize the listing by file-type and note every file that does not
have an extension of .EUF, .FON, .TTE, .TTF or that is not called
desktop.ini -- there probably should be none, so anything you have not
matching those conditions is probably (part of) "something bad".

> I checked the rundll32.exe in the system folder and its size was
> smaller than the one on the fonts folder. Another observation is that
> the file under the fonts folder was created today but it was modified
> a year ago. How can it be possible?
>
> Anyway I deleted this file and also found and deleted a weird registry
> under HKLM>...>windows>currentVersion>run. There was a key called
> Taskman and it pointed exactly to rundll32.exe in Fonts. In addition
> to that, in the task manager, a process called rundll32.exe was
> running, I ended it.
>
> So far, there are no more alerts of viruses or others programs trying
> to connect to internet. ...

Hmmmm -- I wonder if whatever it was installed something using the new
"stealth by attaching to IE in memory" tricks that few PFWs detect?
If so, you have no idea whether you got everything and are now "safe"
-- your firewall's silence may just be an indication of its blindness
to this attack, rather than an indication "all is well"...

> ... But could you guys tell me what happened to my
> pc? Which trojan/virus could have done all that?

Several.

However, it sounds like you may have deleted the evidence, so we
will quite likely never know for sure...

> Sorry for all this explanation, I just wanted to make sure you
> understood the whole problem.

I hope our replies are as useful for you...

--
Nick FitzGerald
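Nick's fonts-folder heuristic, combined with the size comparison the original poster made between the two rundll32.exe copies, written up as an added Python triage script (it is not code from the thread). The directory tree built in demo() is constructed sample data, not a real system, and the function names are my own.

```python
import tempfile
from pathlib import Path

# The only things Nick expects to find in \winnt\fonts: font files with
# these extensions, plus desktop.ini. Everything else is worth a look.
ALLOWED_FONT_EXTENSIONS = {".euf", ".fon", ".tte", ".ttf"}
ALLOWED_FONT_NAMES = {"desktop.ini"}


def suspicious_font_files(fonts_dir):
    """Return the names of files in fonts_dir that do not look like fonts.
    Matching is case-insensitive because Windows file names are."""
    found = []
    for entry in sorted(Path(fonts_dir).iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in ALLOWED_FONT_NAMES or entry.suffix.lower() in ALLOWED_FONT_EXTENSIONS:
            continue
        found.append(entry.name)
    return found


def size_mismatches(fonts_dir, system32_dir):
    """For each suspicious file that shares a name with a file in system32
    (the poster's rundll32.exe case), report both sizes when they differ.
    Returns {name: (size_in_fonts, size_in_system32)}."""
    fonts, sys32 = Path(fonts_dir), Path(system32_dir)
    result = {}
    for name in suspicious_font_files(fonts):
        twin = sys32 / name
        if twin.is_file():
            in_fonts, in_sys32 = (fonts / name).stat().st_size, twin.stat().st_size
            if in_fonts != in_sys32:
                result[name] = (in_fonts, in_sys32)
    return result


def demo():
    """Constructed sample tree mirroring the thread: real-looking fonts,
    desktop.ini, a leftover .ins script and an oversized rundll32.exe."""
    with tempfile.TemporaryDirectory() as root:
        fonts, sys32 = Path(root, "fonts"), Path(root, "system32")
        fonts.mkdir(), sys32.mkdir()
        for name, size in [("arial.ttf", 300), ("vgasys.fon", 200), ("desktop.ini", 10),
                           ("rundll32.exe", 40000), ("19020377.ins", 512)]:
            (fonts / name).write_bytes(b"x" * size)
        (sys32 / "rundll32.exe").write_bytes(b"x" * 8192)  # the genuine, smaller copy
        return suspicious_font_files(fonts), size_mismatches(fonts, sys32)
```

Running demo() flags only 19020377.ins and rundll32.exe and reports the size difference for the latter; on a live machine you would point the two functions at the real Fonts and system32 directories instead.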
