From: ph1 at cogeco.ca (David)
Subject: new trojan

Stephen Blass wrote:
> We've been fighting with a trojan named wms.exe for a while now and this is the first I've heard of an AV product catching it.  That's good news.  The version I've found pulls ServU-FTP along with it and sets itself up as a service named WinIP.  The one we have been wrestling with uses a svcinst.exe to process a rtl386.sys containing instructions to install as the service WinIP "IP Helper API" and then connect outbound to
> irc.elite-irc.net  6667
> crystal.elite-irc.net 7000
> darwin.elite-irc.net 6667
> killer.elite-irc.net 6667
> It also tries to connect outbound to fuel.pyroshells.com, dnsix.com and 192.168.0.1.

irc.elite-irc.net lists the IP of fuel.pyroshells.com in their 
round-robin setup. I know the admin of pyroshells and just contacted him 
regarding this matter. The IRC server on pyroshells is most likely not 
their users' fault; nonetheless it has been suspended until it is 
investigated.

//david

> It comes with MySQLdb.dll and appears to report the IP address(es) of the compromised host(s) back to some central database. There's even a credits line that reads iSoZoNE WAS H3R3.  It installs files named 1MB.Test and 5MB.Test in %sysdir%\pk32 and sets up an admin password entry.  The pk32 directory is set up as home in the ServuDaemon config file.
> 
> To clean it out - we remove the WMS.exe from %sysdir% (we've seen it on win2k and XP) and remove the install kit from %sysdir%\system32\nt, the Servu* files and Serv-UID from %sysdir%, and delete the %sysdir%\pk32 directory.  On the compromised machines we have found you can see WMS.exe in the task manager process list and the WinIP service in the services list. I've not seen the BUNDLER_WMS.EXE filename yet so maybe you have something different or perhaps this is evolution.  
> 
> -
> Steve Blass
> sblass@....edu
> 
> -----Original Message-----
> From: Hummer Marchand [mailto:HMarchand@...routt.co.us]
> Sent: Friday, September 26, 2003 1:17 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] new trojan
> 
> 
> 
> Has anyone seen or know of the Win32/Toolber.c.Trojan, what it does. My av
> found it in \WINNT\BUNDLER_WMS.EXE.  I searched TrendMicro, Sophos, CA,
> Symantec, McAfee and could not find a reference.
> thanks,
> 
> Hummer Marchand
> Cyber Security Administrator
> Routt County Government
> 970-870-5305
> FX 970-879-3669
> 
> 970-870-5305 office
> FX 970-879-3669
> email: hmarchand@...routt.co.us <mailto:hmarchand@...routt.co.us> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
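The markers Stephen lists above (the WinIP service, WMS.exe in the process list, the pk32 directory and Serv-U files, and the outbound IRC connections) can be checked mechanically on a suspect host. The script below is an added example for this archive page, not code from any poster; the netstat, tasklist and sc output it parses is constructed sample data, and the column layouts assumed are those of the standard Windows commands.

```python
import re

# Indicators taken from the thread; every sample input below is constructed for this example.
C2_HOSTS = {"irc.elite-irc.net", "crystal.elite-irc.net", "darwin.elite-irc.net",
            "killer.elite-irc.net", "fuel.pyroshells.com", "dnsix.com"}
C2_PORTS = {"6667", "7000"}
PROCESSES = {"wms.exe", "bundler_wms.exe", "svcinst.exe"}
SERVICE = "winip"
PATH_MARKERS = ("\\pk32\\", "\\system32\\nt\\", "\\rtl386.sys", "\\serv-uid")
# "  TCP  local:port  remote:port  STATE" as printed by netstat -a (names resolved)
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(?P<host>[^:\s]+):(?P<port>\S+)\s+(?P<state>\S+)")
SERVICE_RE = re.compile(r"^\s*SERVICE_NAME:\s*(?P<name>\S+)", re.IGNORECASE)  # sc query

def check_connections(netstat_lines):
    """Flag sessions to the IRC hosts the post names, or established ones on its ports."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, port, state = m.group("host").lower(), m.group("port"), m.group("state")
        if host in C2_HOSTS:
            hits.append(f"session to listed host {host}:{port} ({state})")
        elif port in C2_PORTS and state == "ESTABLISHED":
            hits.append(f"established IRC-port session to {host}:{port}")
    return hits

def check_processes(tasklist_lines):  # tasklist prints the image name in column one
    names = [l.split()[0].lower() for l in tasklist_lines if l.split()]
    return [f"process {n}" for n in names if n in PROCESSES]

def check_services(sc_lines):
    return [f"service {m.group('name')}" for m in map(SERVICE_RE.match, sc_lines)
            if m and m.group("name").lower() == SERVICE]

def check_paths(paths):
    return [f"file {p}" for p in paths if any(k in p.lower() for k in PATH_MARKERS)]

def audit(netstat, tasklist, sc, paths):
    """Return only the indicator classes that were seen; an empty dict means none."""
    found = {"network": check_connections(netstat), "process": check_processes(tasklist),
             "service": check_services(sc), "file": check_paths(paths)}
    return {k: v for k, v in found.items() if v}

# Constructed command output from a host showing the markers described in the thread.
SAMPLE_NETSTAT = ["  TCP    ws12:1041    irc.elite-irc.net:6667    ESTABLISHED",
                  "  TCP    ws12:1042    crystal.elite-irc.net:7000    SYN_SENT",
                  "  TCP    ws12:139    0.0.0.0:0    LISTENING"]
SAMPLE_TASKLIST = ["Image Name    PID", "explorer.exe    1204", "WMS.exe    1388"]
SAMPLE_SC = ["SERVICE_NAME: WinIP", "DISPLAY_NAME: IP Helper API"]
SAMPLE_PATHS = [r"C:\WINNT\pk32\1MB.Test", r"C:\WINNT\Serv-UID", r"C:\WINNT\notepad.exe"]
```

Calling `audit(SAMPLE_NETSTAT, SAMPLE_TASKLIST, SAMPLE_SC, SAMPLE_PATHS)` reports all four indicator classes for the constructed host; feed it the real command output to triage a machine.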