Infected windows boxes with IRC controlled trojans on them

Huba Leidenfrost huba at
Wed Apr 10 08:21:00 GMT 2002


Some forensics work by one of our system administrators came up with
the following on the latest win2k box that was found dishing out DoS
traffic (huge number of small sized flows).  I've enclosed the
gates.txt file found which appears to be a huge list of open proxies? 
Other infected systems?  If you notice something in common about all
those systems please let me know.  I would suggest adding a rule to
your NIDS boxes to watch for outgoing connections from your
network(s) to  If you
use SNORT here's what works for me:
alert ip $HOME_NET any -> 80 (msg:"DarkIRC trojan retrieval"; classtype:bad-unknown; uricontent:"/dll32nos.exe"; nocase; sid:536; rev:1;)


	temp.exe (looks like MIRC icon, etc.)
	oxcu.ini  (Backdoor.IRC.Flood.h)
	2xvll.ocx (Backdoor.IRC.Cloner) 
I am unable to find the drop... bummer.
Located in \winnt\system32, complete scripts available... 


	32dll.ocx (Backdoor.IRC.Flood.a)
	32dllxp.ocx (Backdoor.IRC.Flood.a)
Also in /winnt/system32, complete nonsense script available


	r32.exe (exact copy of below, name change)
	rudl32.exe (our dropper friend for the darkIRC services)

Also in /winnt/system32


	vmn32.exe (the complete package, w/ web server, irc server, ftp
server, etc...)

Also in /winnt/system32, this is where sua.bat of virii past executes
after decompression


Check this out, something keeps trying to connect to ->

and a file  gets created, but it is the error
page of 'service overload' from Earthlink, so a bogus
32dllnos.exe get created in /winnt/system32/ ->
it contains the html returned from Earthlink


Another failed attempt to connect to the above link


Success, LOL...  dll32nos.exe is acquired and its
setup is executed, a new month of bandwidth provides ->

	2xvll.ocx (Backdoor.IRC.Cloner) 
	32dll.ocx (Backdoor.IRC.Flood.a)
	32dllxp.ocx (Backdoor.IRC.Flood.a)
	fsearch.ini (scripts, finds all *.mpg, *.avi, etc. on host ->)
	gates.txt (a huge list of names, attached)
	oxcu.ini  (Backdoor.IRC.Flood.h)
	temp.exe (looks like MIRC icon, etc.)
	temp.scr (huge list of IRC user names?)
	temp2.exe (which F-Secure identifies as 'Destructive Code')	


	svchost.exe (from vmn32.exe) is invoked

After the firewall

I bring the ethernet online, and svchost.exe immediately
tries to connect out to:

Also, unknown tcp packets are attempting to leave
the client station....  LOL, rules created, I'll
make a list of IPs in the morning...

From the verbiage on the error message at it would appear that
this has been a popular website this month. 

---------------
"Sorry...Page Temporarily Unavailable

The Web page or file that you requested is temporarily unavailable.
It has been so popular this month that it exceeded its free monthly
traffic allotment. Access to this Web site will be restored on the
first of next month. Please come back then.

Thank you for your visit!"
-------------------------

,,,,, & are the .edu sites
I noticed from the attached gates.txt.  I'll call around in the
morning and try to find out what these have in common. 

BTW if anyone has any good advice on how to sniff IRC channels and
passwords from IRC bound traffic please let me know. Ideally when I
spot one of these I'd like to be able to watch more carefully before
turning a system off.  Any tools for snarfing just IRC commands sort
of like Dug Song's urlsnarf?

      H  u  b  a
 - - - - --
    ---   O      HUBA LEIDENFROST         Systems Security Analyst
    --   <^-     huba at   Information Technology Services
   --  -\/\
   ---     \     TEL: 208.885.2126               FAX: 208.885.7539
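As an added example (not part of Huba's post), here is a small Python parser that does for IRC what urlsnarf does for HTTP: fed reassembled TCP payload from a suspect host, it pulls out the NICK/JOIN/PRIVMSG/TOPIC lines so an analyst can see which channels the host joins (and their keys) and what it is told, without touching the box. The session bytes below are a constructed sample, not a real capture; pcap reassembly is assumed to happen elsewhere.

```python
import re

# RFC 1459 message grammar: [':' prefix ' '] command {' ' middle} [' :' trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<middle>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Commands that show how a bot is being steered: its nick, the channels it
# joins (with keys), and what is said to it.
WATCHED = ("NICK", "JOIN", "PRIVMSG", "NOTICE", "TOPIC", "MODE")


def parse_irc_line(line):
    """Split one IRC protocol line into prefix, command and parameter list."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("middle").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))  # trailing param may contain spaces
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(), "params": params}


def snarf_irc(payload):
    """Return the watched IRC commands found in reassembled TCP payload bytes."""
    text = payload.decode("latin-1")  # IRC mandates no charset; latin-1 never fails
    return [m for m in (parse_irc_line(l) for l in text.split("\n"))
            if m and m["command"] in WATCHED]


def summarize(events):
    """Collapse events into nicks used, channels joined (channel -> key), messages."""
    summary = {"nicks": [], "channels": {}, "messages": []}
    for e in events:
        p = e["params"]
        if e["command"] == "NICK" and p:
            summary["nicks"].append(p[0])
        elif e["command"] == "JOIN" and p:  # JOIN #a,#b key_a,key_b (keys optional)
            keys = p[1].split(",") if len(p) > 1 else []
            for i, ch in enumerate(p[0].split(",")):
                summary["channels"][ch] = keys[i] if i < len(keys) and keys[i] else None
        elif e["command"] in ("PRIVMSG", "NOTICE", "TOPIC") and len(p) >= 2:
            summary["messages"].append((e["prefix"], p[0], p[-1]))
    return summary


# Constructed sample session (not a real capture): client registers, joins a
# keyed channel, and is addressed by an operator.
SAMPLE_PAYLOAD = (
    b"NICK [w2k]abc123\r\nUSER abc123 0 * :abc123\r\n"
    b":irc.example.test 001 [w2k]abc123 :Welcome\r\n"
    b"JOIN #lobby,#ctl ,ctlkey\r\n"
    b":ops!ops@example.test PRIVMSG #ctl :status report\r\n"
    b":ops!ops@example.test TOPIC #ctl :idle\r\n"
)
```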

