[unisog] Anyone recognize what this one is?

Sean Lanham slanham at uta.edu
Wed Aug 6 17:42:17 GMT 2003


A new Backdoor Trojan Horse, "Backdoor.IRC.Flood.F", was discovered Monday.
Information regarding the trojan:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.f.html

-----Original Message-----
From: Peter Van Epp [mailto:vanepp at sfu.ca]
Sent: Wednesday, August 06, 2003 11:53 AM
To: unisog at sans.org
Subject: [unisog] Anyone recognize what this one is?


	Anyone recognize what this may be? It was attempting to contact an
IRC server on 208.185.81.233:6667 (unsuccessfully from here) when detected
on someone's laptop. Our Windows folks haven't been able to identify it
with antivirus software or the various web sites to see if it may be cleanable,
and apparently the owner isn't thrilled with the suggestion that they format
and reinstall (what do you mean "backup"? ...). Looks to have been caught last
Saturday or Sunday, although it may not be new. Any pointers appreciated.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

> 	While this doesn't look like yours, the MO is similar enough that
> yours may be a variant.
>

Yes, there is a TFTP application there, but that's about all that looks
similar.  For your unisog pals ...


The "services" that are installed are named

  Microsoft Critical System Processor

and

  Microsoft DHCP Routing Client

and are run out of the directory listed below.


The root directory is stored in the Recycle bin, as in

  C:\Recycler\Some-long-SID\SYSTEM32

Contained in the root directory are 5 subdirectories and a bunch of files.

In the root (system32) directory, here are the files ...

The DLLs are

fuck.dll
fuckaducker.dll
fuckaduckerfuck.dll
masters.dll
servers.dll

There are also several SYS files

file.sys
modules.sys
windll.sys

And the executables

dc.exe
destroy.exe
ftp.exe
grab.exe
id.exe
MSSVC.exe	( which is the "services" file )
nc.exe
pack.exe
sd.exe
services.exe
start.exe
svchost.exe
systray.exe

There is also a text file, a sort of banner.  The first line reads

  Welcome to the #WaReZFoReVeR File Serving System


And finally an ini file, with one interesting line in it

n38=%installurl http://12.168.164.99/~powellt/install.exe


The subdirectories (and their files) are as follows

DCOMUP

	install.exe

FSYS

	{empty}

LOGS

	{empty}

MODULES

	7a69.dll
	bnc.dll
	drivenfo.dll
	fservcontrol.dll
	modules.dll
	nickserv.dll
	processes.dll
	pubcom.dll
	raw.dll
	scan.dll
	system.dll
	uptime.dll

SOUNDS

	{empty}
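The indicators in the message above (the two bogus service display names, the drop directory under C:\Recycler\<SID>\SYSTEM32, the %installurl line in the ini, and the IRC server at 208.185.81.233:6667) are enough to write a host triage check. The script below is an added example and is not code from the thread or from anyone on unisog. It works on records you feed it rather than touching a live host, so it runs offline; the service list, the SID in the sample path, the ini text and the connection table are all constructed here, and the "other IRC ports" heuristic (6660-6669, 7000) is my own addition, not something the report states.

```python
"""Triage check for the Recycler-resident IRC backdoor described on unisog.

Added example. The indicator constants come from the report; every sample
record below is constructed for illustration (the SID is made up).
"""
import re

# Service display names quoted in the report.
REPORTED_SERVICE_NAMES = {
    "Microsoft Critical System Processor",
    "Microsoft DHCP Routing Client",
}
# IRC server the laptop was trying to reach.
REPORTED_C2 = ("208.185.81.233", 6667)

# Drop directory shape: C:\Recycler\<SID>\SYSTEM32. A SID is S-1-<auth>-<sub>...
RECYCLER_DROP_RE = re.compile(r"\\recycler\\S-1-\d+(?:-\d+)+\\", re.IGNORECASE)
# mIRC-style ini line quoted in the report: n38=%installurl http://.../install.exe
INSTALLURL_RE = re.compile(r"^n\d+=%installurl\s+(\S+)", re.IGNORECASE | re.MULTILINE)
# Assumption (mine, not the report's): other common IRC ports worth a second look.
OTHER_IRC_PORTS = set(range(6660, 6670)) | {7000}


def service_findings(services):
    """services: iterable of (display_name, image_path).

    Returns {display_name: [reasons]} for every service matching the report."""
    findings = {}
    for name, path in services:
        reasons = []
        if name in REPORTED_SERVICE_NAMES:
            reasons.append("display name matches a reported backdoor service")
        if RECYCLER_DROP_RE.search(path):
            reasons.append("image path lives under Recycler\\<SID>\\")
        lowered = path.lower()
        if name.startswith("Microsoft ") and "\\windows\\" not in lowered \
                and "\\winnt\\" not in lowered:
            reasons.append("claims to be Microsoft but runs outside the Windows dir")
        if reasons:
            findings[name] = reasons
    return findings


def install_urls(ini_text):
    """Extract %installurl targets from the bot's ini file (list of URLs)."""
    return INSTALLURL_RE.findall(ini_text)


def connection_findings(connections):
    """connections: iterable of (process, dst_ip, dst_port).

    Returns (process, ip, port, reason) for the reported C2 and other IRC ports."""
    hits = []
    for proc, ip, port in connections:
        if (ip, port) == REPORTED_C2:
            hits.append((proc, ip, port, "reported IRC C2"))
        elif port in OTHER_IRC_PORTS:
            hits.append((proc, ip, port, "IRC port, verify destination"))
    return hits


# --- constructed sample data, shaped like the artifacts in the thread ---------
_DROP = r"C:\Recycler\S-1-5-21-111111111-222222222-333333333-1003\SYSTEM32"  # made-up SID
SAMPLE_SERVICES = [
    ("DHCP Client", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("Microsoft DHCP Routing Client", _DROP + r"\MSSVC.exe"),
    ("Microsoft Critical System Processor", _DROP + r"\MSSVC.exe"),
    ("Windows Time", r"C:\WINDOWS\system32\svchost.exe -k LocalService"),
]
SAMPLE_INI = (
    "[script]\n"
    "n0=; constructed sample, only the installurl line is from the report\n"
    "n38=%installurl http://12.168.164.99/~powellt/install.exe\n"
)
SAMPLE_CONNECTIONS = [
    ("MSSVC.exe", "208.185.81.233", 6667),
    ("iexplore.exe", "192.0.2.10", 80),
    ("MSSVC.exe", "192.0.2.20", 6669),
]


if __name__ == "__main__":
    for name, reasons in service_findings(SAMPLE_SERVICES).items():
        print("SERVICE", name, "->", "; ".join(reasons))
    for url in install_urls(SAMPLE_INI):
        print("INSTALLURL", url)
    for proc, ip, port, why in connection_findings(SAMPLE_CONNECTIONS):
        print("CONN", proc, f"{ip}:{port}", "->", why)
```

On a real box the inputs would come from `sc query` / the Services registry keys for the (display name, ImagePath) pairs, the ini under the Recycler drop directory, and `netstat -ano` for the connection table. The Recycler check is the one that generalizes: legitimate services never run from a Recycle Bin SID folder, so it catches renamed variants that drop the "Microsoft" display names.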