Message-ID: <004001c6dcf3$96455e50$286210ac@Appiant>
Date: Wed, 20 Sep 2006 15:30:11 -0500
From: "Joel R. Helgeson" <joel@...geson.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: New virus - possible rootkit

Virus Alert - Possible Rootkit
--

The files ARE NOT detected by ANY current AV Scanning signature engine.

I do not have the time to write a report on the entire analysis but I wanted 
to get the data out to everyone ASAP so that you can detect this running on 
your computers.  I'm finding that this is pretty widespread here on my 
customers' network.

This appears to be an IRC bot that encrypts its traffic to fly beneath the 
radar. What makes it more interesting is that the directories it creates 
have SYSTEM ownership and only system and creator/owner can access the 
files.  Changing permissions on the files or directories will only be changed 
back.  It also appears that if you remove the file, it will start revoking 
permissions on all files and will remove everyone's but SYSTEM's permission 
to all files.

This is very, very early prelim info, and I am trying to both quarantine 
the damage and investigate the infection on top of trying to get the word out. 
(I know what the cygwin files are, but they came with the infection so I 
include them here.)

I've uploaded the .zip file with all the programs in their respective 
directories recursed to my web site, I'll have it up there by 21 Sep, 2006.
http://www.appiant.net

The files and locations:
c:\windows\system32\cygcrypt-0.dll (linux crypto)
c:\windows\system32\cygwin1.dll     (linux command)
c:\windows\system32\dntus26.exe    (used for remote admin)
c:\windows\system32\javadebug.dll  (actually a text file)
c:\windows\system32\rundl32.exe    (ircbot interface)
c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with 
the text from javadebug.dll; I don't know what else it does yet)
c:\windows\system32\scardsvrs.exe (the device that appears to launch the 
zonedown.bat file... still working)
c:\windows\system32\wbem\svchost.exe (Serv-u ftp service - modified -)
c:\windows\system32\wbem\wbem.exe (working on what this one does)...

It also placed files in a hidden directory with only system privileges:
c:\windows\system32\DirectX\Dinput\Others\

The file placed in there was a snippet of a movie, divx encoded...  the 
filename was Min2 (no extension).

Below is what the AVERT labs reported when I submitted the file.

Joel Helgeson
Appiant, Inc.
952-858-9111

-------------------------------

AVERT Labs - Beaverton
Current Scan Engine Version: 4.4.00
Current DAT Version: 4855
Thank you for your submission.

Analysis ID: 2533501
Name             Findings             Detection      Type         Extra
cygcrypt-0.dll   no malware                                       n
cygwin1.dll      no malware                                       n
dntus26.exe      heuristic detection  remadm-dwrc    Application  n
javadebug.dll    inconclusive                                     no
rundl32.exe      current detection    iroffer        Application  no
scardsvrs.exe    heuristic detection  srvany         Application  no
svchost.exe      current detection    servu-daemon   Application  no
wbem.exe         heuristic detection  srvany         Application  no
zonedown.bat     inconclusive                                     no

current detection [ rundl32.exe svchost.exe ]
Our analysis detected a potentially unwanted program file or joke program
with our current DAT files and engine. It is recommended that you update
your DAT and engine files and scan your computer again. You may not want
this program installed. If you do not want it installed, we recommend that
you use the Add/Remove Program in the Windows Control Panel to completely
uninstall the detected program. You can also contact the Virus Information
Library for information about manually uninstalling potentially unwanted
programs. If you are not seeing this with the product you are using, please
speak with technical support so that they can help you determine the cause
of this discrepancy.
If you use the McAfee VirusScan Online or VirusScan Retail products, and do
not have the Dat File Version specified, please visit
http://www.webimmune.net/extra/getextra.aspx and use the detection name
supplied in this message to receive an extra.dat file for detection.

inconclusive [ javadebug.dll zonedown.bat ]
Upon analysis the file submitted does not appear to contain one of the
100,000 known threats in the AutoImmune database. The file may contain a new
malware threat, or no code capable of being infected. Your submission is
being forwarded to an AVERT Researcher for further analysis. You will be
contacted by AVERT through e-mail with the results of that analysis.

heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]
The file received may contain a potentially unwanted program file or joke
program. This potential threat was identified with our most powerful set of
heuristic DAT drivers. Heuristic drivers can make false-positive
identifications, as such, this issue is being escalated to AVERT for a
thorough review. In the meantime, it is recommended that you update your DAT
and engine files and scan your computer again. You will be contacted through
e-mail with the results of our analysis. Warning: McAfee products do not
clean potentially unwanted program files or joke programs. The attached will
only detect the potentially unwanted program. If you do not want it
installed, we recommend that you use the Add/Remove Program in the Windows
Control Panel to completely uninstall the detected program. You can also
contact the Virus Information Library for information about manually
uninstalling potentially unwanted programs.

no malware [ cygcrypt-0.dll cygwin1.dll ]
AVERT has found no indications of malicious code. Upon examining the file,
we observed no malicious behavior. If you still believe the files you sent
contain a virus or trojan, please provide more information on why you feel
these are suspect files.


Regards,



McAfee AVERT tm
A division of McAfee, Inc
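A triage routine for the file set listed in the post above, as an added example that is not part of the original message or of any AVERT tooling: it applies the listed paths, the rundl32.exe lookalike and the SYSTEM-only access pattern the post describes to a constructed host listing. The (path, owner, principals) tuple layout is an assumption of this example; on a real host it would be filled from directory and ACL output.

```python
import ntpath
# Indicators taken from the post: file and directory paths exactly as listed.
INDICATORS = {
    r"c:\windows\system32\cygcrypt-0.dll",
    r"c:\windows\system32\cygwin1.dll",
    r"c:\windows\system32\dntus26.exe",
    r"c:\windows\system32\javadebug.dll",
    r"c:\windows\system32\rundl32.exe",
    r"c:\windows\system32\zonedown.bat",
    r"c:\windows\system32\scardsvrs.exe",
    r"c:\windows\system32\wbem\svchost.exe",
    r"c:\windows\system32\wbem\wbem.exe",
    r"c:\windows\system32\directx\dinput\others",
}
# rundl32.exe is one letter short of the legitimate rundll32.exe.
LOOKALIKES = {"rundl32.exe": "rundll32.exe"}
# The post says only SYSTEM and the creator/owner keep access to the dropped directories.
SYSTEM_ONLY = {"SYSTEM", "CREATOR OWNER"}

def triage(listing):
    """Return {path: [reasons]} for each (path, owner, principals) entry that trips a rule."""
    hits = {}
    for path, owner, principals in listing:
        low = path.lower().rstrip("\\")
        name, parent = ntpath.basename(low), ntpath.dirname(low)
        reasons = []
        if low in INDICATORS:
            reasons.append("path listed in the report")
        if name in LOOKALIKES:
            reasons.append("lookalike of " + LOOKALIKES[name])
        if name == "svchost.exe" and parent != r"c:\windows\system32":
            reasons.append("svchost.exe outside system32")
        if owner.upper() == "SYSTEM" and {p.upper() for p in principals} <= SYSTEM_ONLY:
            reasons.append("SYSTEM-owned, access limited to SYSTEM/creator owner")
        if reasons:
            hits[path] = reasons
    return hits

# Constructed sample listing (assumed tuple layout; not data from a real host).
SAMPLE = [
    (r"C:\Windows\System32\rundll32.exe", "TrustedInstaller", {"SYSTEM", "Administrators", "Users"}),
    (r"C:\Windows\System32\rundl32.exe", "SYSTEM", {"SYSTEM", "CREATOR OWNER"}),
    (r"C:\Windows\System32\svchost.exe", "TrustedInstaller", {"SYSTEM", "Administrators", "Users"}),
    (r"C:\Windows\System32\wbem\svchost.exe", "SYSTEM", {"SYSTEM", "Administrators"}),
    (r"C:\Windows\System32\DirectX\Dinput\Others", "SYSTEM", {"SYSTEM", "CREATOR OWNER"}),
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

The legitimate rundll32.exe and svchost.exe rows produce no hit, which is the point of matching on full path and parent directory rather than on basename alone.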

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
