New Coreflood-based Spam Trojan on the loose - Using ADS Again...
eckman at umn.edu
Mon Dec 15 22:38:09 GMT 2003
I just sent in the newest version of the Coreflood Spam Trojans to
Symantec for processing. Those of you who don't use Symantec would be
wise to send in the following to your AV company of choice for immediate
(remove the "1" from the above URL. It is there for liability reasons.)
(NOTE: I am not associated with that Web site. Use all of this
information at your own risk. That is at least one "official"
distribution point of this proxy trojan. Coreflood-based proxy trojans
have a good history of being abused as spam proxies. That Web site has
distributed previous Coreflood trojans as well. If anyone beats me to
trying to get that site taken off of the Web, please feel free to do so.
I am doing other very important work right now.)
Running that EXE (linked to above) will infect the Windows computer with
a variant of Coreflood that infects the computer by injecting itself
into an Alternate Data Stream of the System32 directory (this is not the
first Coreflood variant to do so). It then puts itself in startup in the
registry. If you delete that key, it puts itself back immediately. With
the last ADS variant I messed with, I deleted it from the registry and
pulled the power cable to the computer instantly afterward, and that
still did not remove it from the registry.
(copied and pasted from an e-mail I sent to someone months ago)
The quick way to resolve it that I learned about after dealing with one
myself is to unregister the DLL. You'll have to change the name of the
DLL to match that of your infection, but try this from a command prompt:
Then, delete it from starting in the registry, and it shouldn't be able
to put itself back because the Uninstall above should remove it from memory.
Another quick way is to go to C:\WINNT\SYSTEM32\RUNDLL32.EXE, right
click on it, go into properties. Click the Security tab, and take away
everyone's rights to Execute it. Reboot, and the spam trojan should not
be able to load. Then delete the registry entry, and you can set
RUNDLL32.EXE back to being executable again.
A more dangerous way that I first used before hearing about the first
two was to make a copy of rundll32.exe and rename it temporarily, then
delete rundll32.exe in all three locations it is in (C:\WINNT\System32\,
C:\WINNT\ServicePackFiles\i386\ and C:\WINNT\System32\dllcache\).
Alternately I believe you can turn off System File Protection and just
rename rundll32.exe in System32 directory, but I don't recall offhand
how to turn off System File Protection.
One way to discover it is that infected machines send a POST to
126.96.36.199 (potentially other IP addresses are used). An example POST
would begin with:
The next bytes immediately after the "?" for today are:
Mon%20Dec%2015%20 (.... continuting with other info, such as the port
the SOCKS and HTTP proxies are listening on. Change the date to
Tue%20Dec%2016%20 for tomorrow, etc.)
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
More information about the unisog