RE: [Full-Disclosure] new trojan
- To: Hummer Marchand <HMarchand@xxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx
- Subject: RE: [Full-Disclosure] new trojan
- From: Stephen Blass <Stephen.Blass@xxxxxxx>
- Date: Fri, 26 Sep 2003 14:13:11 -0700
We've been fighting with a trojan named wms.exe for a while now and this is the
first I've heard of an AV product catching it. That's good news. The version
I've found pulls ServU-FTP along with it and sets itself up as a service named
WinIP. The one we have been wrestling with uses an svcinst.exe to process an
rtl386.sys containing instructions to install as the service WinIP "IP Helper
API" and then connect outbound to
irc.elite-irc.net 6667
crystal.elite-irc.net 7000
darwin.elite-irc.net 6667
killer.elite-irc.net 6667
It also tries to connect outbound to fuel.pyroshells.com, dnsix.com and
192.168.0.1.
It comes with MySQLdb.dll and appears to report the IP address(es) of the
compromised host(s) back to some central database. There's even a credits line
that reads iSoZoNE WAS H3R3. It installs files named 1MB.Test and 5MB.Test in
%sysdir%\pk32 and sets up an admin password entry. The pk32 directory is set up
as home in the ServuDaemon config file.
To clean it out - we remove the WMS.exe from %sysdir% (we've seen it on win2k
and XP) and remove the install kit from %sysdir%\system32\nt, the Servu* files
and Serv-UID from %sysdir%, and delete the %sysdir%\pk32 directory. On the
compromised machines we have found you can see WMS.exe in the task manager
process list and the WinIP service in the services list. I've not seen the
BUNDLER_WMS.EXE filename yet so maybe you have something different or perhaps
this is evolution.
-
Steve Blass
sblass@xxxxxxx
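The indicators Steve lists above (the WMS.exe process, the WinIP "IP Helper API" service, the Servu* files, Serv-UID, the pk32 and system32\nt directories, and the outbound IRC hosts) lend themselves to a simple host check. The following matcher is an added example, not code from either poster; it takes a host inventory (process names, services, file paths, outbound connections) that an admin would gather by other means and reports which of the posted indicators are present. The inventory format and the sample host data are constructed for illustration.

```python
"""Host-inventory matcher for the wms.exe / WinIP trojan indicators in this thread."""
from typing import Dict, Iterable, List, Tuple

# Indicators taken from Stephen Blass's post above; everything else is constructed.
FILE_NAMES = {
    "wms.exe", "bundler_wms.exe", "svcinst.exe", "rtl386.sys",
    "mysqldb.dll", "1mb.test", "5mb.test", "serv-uid",
}
FILE_PREFIXES = ("servu",)                          # "the Servu* files"
PATH_FRAGMENTS = ("\\pk32\\", "\\system32\\nt\\")   # FTP home dir and install kit
SERVICE_NAMES = {"winip"}
SERVICE_DISPLAY = {"ip helper api"}
IRC_ENDPOINTS = {
    ("irc.elite-irc.net", 6667), ("crystal.elite-irc.net", 7000),
    ("darwin.elite-irc.net", 6667), ("killer.elite-irc.net", 6667),
}
OTHER_HOSTS = {"fuel.pyroshells.com", "dnsix.com"}
# 192.168.0.1 is also named in the post, but it is a common gateway address and
# would match on almost any network, so it is deliberately left out here.


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX style path, lower-cased."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _is_known_name(name: str) -> bool:
    name = name.lower()
    return name in FILE_NAMES or name.startswith(FILE_PREFIXES)


def match_processes(names: Iterable[str]) -> List[str]:
    """Process image names (e.g. from Task Manager) that match a known file name."""
    return [f"process: {n}" for n in names if _is_known_name(n)]


def match_services(services: Iterable[Tuple[str, str]]) -> List[str]:
    """(service name, display name) pairs matching the WinIP service."""
    hits = []
    for name, display in services:
        if name.lower() in SERVICE_NAMES or display.lower() in SERVICE_DISPLAY:
            hits.append(f"service: {name} ({display})")
    return hits


def match_files(paths: Iterable[str]) -> List[str]:
    """Paths whose file name is known, or that sit in a known install directory."""
    hits = []
    for p in paths:
        normalized = p.replace("/", "\\").rstrip("\\").lower() + "\\"
        if _is_known_name(_basename(p)):
            hits.append(f"file: {p}")
        elif any(frag in normalized for frag in PATH_FRAGMENTS):
            hits.append(f"path: {p}")
    return hits


def match_connections(conns: Iterable[Tuple[str, int]]) -> List[str]:
    """(host, port) pairs that reach the posted IRC servers or other hosts."""
    hits = []
    for host, port in conns:
        h = host.lower()
        if (h, port) in IRC_ENDPOINTS or h.endswith(".elite-irc.net") or h in OTHER_HOSTS:
            hits.append(f"connection: {host}:{port}")
    return hits


def scan_host(inventory: Dict) -> List[str]:
    """Run every matcher over a host inventory dict; missing keys are treated as empty."""
    return (match_processes(inventory.get("processes", []))
            + match_services(inventory.get("services", []))
            + match_files(inventory.get("files", []))
            + match_connections(inventory.get("connections", [])))


# Constructed sample inventory resembling an infected Windows 2000 host.
SAMPLE_HOST = {
    "processes": ["csrss.exe", "explorer.exe", "WMS.exe", "ServUDaemon.exe"],
    "services": [("Dhcp", "DHCP Client"), ("WinIP", "IP Helper API")],
    "files": [
        r"C:\WINNT\WMS.exe",
        r"C:\WINNT\Serv-UID",
        r"C:\WINNT\pk32\1MB.Test",
        r"C:\WINNT\system32\nt\svcinst.exe",
        r"C:\WINNT\notepad.exe",
    ],
    "connections": [
        ("10.0.0.5", 445),
        ("crystal.elite-irc.net", 7000),
        ("fuel.pyroshells.com", 6667),   # port constructed; the post gives none
    ],
}

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_HOST):
        print(hit)
```

Matching is case-insensitive throughout because Windows file, process and service names are, and any host under elite-irc.net is flagged regardless of port so that a renamed or re-pointed IRC server still shows up. Hits are reported as strings tagged with their source so they can be dropped straight into a ticket or log line.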
-----Original Message-----
From: Hummer Marchand [mailto:HMarchand@xxxxxxxxxxxxxx]
Sent: Friday, September 26, 2003 1:17 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] new trojan
Has anyone seen or does anyone know of the Win32/Toolber.c.Trojan and what it does? My AV
found it in \WINNT\BUNDLER_WMS.EXE. I searched TrendMicro, Sophos, CA,
Symantec, McAfee and could not find a reference.
thanks,
Hummer Marchand
Cyber Security Administrator
Routt County Government
970-870-5305
FX 970-879-3669
email: hmarchand@xxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html