Discovery of trojan "package" on Win2K server yesterday (found tskmgr2.exe)

Virus Guy

Removed the hard drive on a Win2K server and slaved it to an XP
machine to run NAV and "The Cleaner" on it.

Here's what was found:

\winnt\system32\tskmgr2.exe

Icon for this file is 3 books of different colors stacked
horizontally, with a yellow arrow pointing up superimposed overtop. I
think this is the same icon that the Symantec downloadable virus
update package uses.

Modified and created date is same (Jan 19/2004). Accessed date is Feb
22/2005 @ 7:41:35 pm. Size is 979,273 bytes.

I was at first puzzled why NAV was catching files in an obscure
directory on C (i.e. the XP machine). Turns out that The Cleaner moves
or unpacks files (or just compressed files?) there (and NAV intercepts
them before the cleaner scans them). That explains why I couldn't
find any of the following files anywhere.

Anyways, the file tskmgr2.exe is a self-extracting archive. Is it
normal to not be able to unpack files like this with WinZip? I'd love
to unpack it and read some of the .TXT files.

I sent it to Kaspersky online scanner.

Kaspersky online scan results:

Scanned file: tskmgr2.exe

tskmgr2.exe/archive comment - OK
tskmgr2.exe/homer/dir.txt - OK
tskmgr2.exe/homer/F.xxx - OK
tskmgr2.exe/homer/filter.ini - OK
tskmgr2.exe/homer/J.xxx - OK
tskmgr2.exe/homer/JAcheck.ini - OK
tskmgr2.exe/homer/k.exe - OK
tskmgr2.exe/homer/k.exe - OK
tskmgr2.exe/homer/tlist.exe - OK
tskmgr2.exe/homer/s.bat - OK
tskmgr2.exe/homer/up.txt - OK
tskmgr2.exe/homer/fport.exe - OK
tskmgr2.exe/homer/taskmanager.ocx - OK
tskmgr2.exe/homer/TaskMangr.cat - OK
tskmgr2.exe/homer/TskMgrHlp.dll - OK

tskmgr2.exe/homer/nc.exe - infected by not-a-virus: RiskWare.RemoteAdmin.NetCat

tskmgr2.exe/homer/secure.bat - infected by Trojan.BAT.Qrap

tskmgr2.exe/homer/TskMgrHlp.exe - infected by not-a-virus: RiskWare.FTP.Serv-U.4100

tskmgr2.exe/homer/Hct.exe - infected by Backdoor.Win32.Small.ao
tskmgr2.exe/homer/kav.exe - infected by Trojan.Win32.KillAV.bn

Quite the package. I can't believe that the above DLL, OCX, and
fport.exe are "OK". NAV only detected 2 threats within this package:

- secure.bat (bat.trojan)
(this thing was full of net stop commands, deletes various shares)
- kav.exe (trojan.killAV)

The Cleaner only found 1 item as a threat:

- secure.bat (cleaner calls it "randon")

Web and Google news search turns up nothing regarding tskmgr2.exe, or
others like "homer".

Downloaded and ran the latest scanner/fixer from Trend. It found
nothing.

So I'm thinking that this tskmgr2 package hadn't executed yet. Still
bugs me how it got there. Those damn default shares...
 
mzlindyone

> Icon for this file is 3 books of different colors stacked
> horizontally, with a yellow arrow pointing up superimposed overtop. I
> think this is the same icon that the Symantec downloadable virus
> update package uses.

Actually that might be a WinRAR icon. If you're showing the icon,
then you've probably got the program installed already.

Carol
 
virus guy

> Actually that might be a WinRAR icon. If you're showing the icon,
> then you've probably got the program installed already.

It is a WinRAR icon. I have unpacked the archive and looked at some
of the files.

This package seems to be what gets installed to turn your computer
into a "pubstro" FTP server. I don't know if these are designed
specifically to be mp3 servers for a hacker network, or as more
general file servers. This one seems to have originated in Germany
judging by the language in some of the .txt files.

As I've noticed before in some infected computers, the recycler
directory is a favorite place to keep these FTP files.

What I'd like to know is this - does it take direct human intervention
to plant this file on a pc, or is it done programmatically by another
infected computer? Our network connection was down for several hours
around the time that I think this file got planted on our machine.
Perhaps because of extreme port activity from either inside or outside
the network.

Here is a list of the internal files:

tskmgr2.exe
979,273 bytes
modified date: Jan 19, 2004, 12:18:02 pm

------------
F XXX 57,856 08-21-03 8:28p F.xxx
FILTER INI 105 08-21-03 8:28p filter.ini
J XXX 103,936 02-15-03 7:19p J.xxx
JACHECK INI 1,407 01-10-04 7:33p JAcheck.ini
K EXE 6,656 09-21-03 7:01a k.exe
NC EXE 59,392 01-03-98 1:37p nc.exe
KAV EXE 32,238 02-25-05 9:03a kav.exe
TLIST EXE 40,720 08-14-03 11:42p tlist.exe
S BAT 408 06-05-03 5:34p s.bat
UP TXT 1,091 01-10-04 5:22p up.txt
FPORT EXE 114,688 12-11-03 2:55a fport.exe
TASKMA~1 OCX 8,407 01-17-04 1:23p taskmanager.ocx
TASKMA~1 CAT 973 12-23-02 8:40a TaskMangr.cat
TSKMGR~1 DLL 963 12-23-02 8:40a TskMgrHlp.dll
TSKMGR~1 EXE 2,121,216 12-30-03 12:24p TskMgrHlp.exe
HCT EXE 28,192 11-01-03 3:14a Hct.exe
SECURE BAT 627 02-25-05 9:13a SECURE.BAT
------------

What follows are either the complete contents of selected files, or
samples of text contained inside executable files. In some examples
there are directory locations, passwords, and in one case a private
PGP key.

------------

Here is what's in the file "up.txt"

-----start---------
#########################################
 ##########################################
 #######
 ####.........TFC-FXP PubStro
 ####.........HaXXoreD By m4o
 #######
 ##########################################
#########################################
###########
######
### Server-Stats:
##
## Es ist hier der: %Date, %Time Uhr
## Up-Time: %ServerDays Days, %ServerHours Hours,
%ServerMins Minutes, %ServerSecs Seconds
## Hochgeladen:: %ServerKbUp kb
## Runtergeladen: %ServerKbDown kb
## Filez hochgeladen: %ServerFilesUp
## Filez runtergeladen: %ServerFilesDown
## Durchschnitts Speed: %ServerAvg
## Momentaner Speed: %ServerKBps
##
## Aktuelle Zahl Users: %UNow
###
#########################################
##########################################
###########################################
----end----------

Here's what's in the file dir.txt:

-----start--------
[30m*************************************
[30mDurchschnitts Speed: %ServerAvg
[30mMomentaner Speed: %ServerKBps
[30mAktuelle Zahl Users: %UNow
[30mFreier Platz: %DFree MB
[30mTime: %Date, %Time Uhr
[30m*************************************
----end--------

The file "j.xxx" appears to be an executable program. Here is some
text I found inside it:

-----start-----
+-------------+------------------:
| %-4.4s | %-9.9s | %-10.10s | %-11.11s | %-16.16s |
| Year: | Bitrate: | Frequency: | Mode: | Version: |
| Album: | Genre: |
|--------------------------------+--------------------------------|
| Artist: | Title: |
..---------------------------[MP3 Info]--------------

FILE_ID.DIZ DIZ file MISSING unzip 0.18
Copyright 1998-2002 Gilles Vollant
http://www.winimage.com/zLibDll 1.1.4
--------end-------

The file "f.xxx" is also a program, but I don't see any text inside it
that's "interesting".

Here is the file "taskmanager.ocx" (it's just a text file):

----start----------
[GLOBAL]
Version=4.1.0.0
RegistrationKey=HsVRCjxHMe/HwDOrrUxqeMuChKO0DdlzUy2tCGgcdMVQDs/7P9EdwjKrowsPF//h4YObIvknAH/FHA95cfEyb3wzQp2v7UfOzCFEFq72
AntiHammer=1
AntiHammerTries=6
AntiHammerBlock=900
SocketRcvBuffer=65535
SocketSndBuffer=65535
PacketTimeOut=300
ProcessID=1808
[DOMAINS]
Domain1=0.0.0.0||45678|45678|1
Domain2=0.0.0.0||45679|45679|2
[Domain1]
SignOn=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\up.txt
DirChangeMesFile=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\dir.txt
ReplyHelp=Direct comments or bugs to (e-mail address removed).
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
User1=admin|1|0
User2=TFC-Filler|1|0
User3=flashlight|1|0
User4=TFC-Board|1|0
User5=ENT|1|0
User6=cF|1|0
User7=WHC|1|0
User8=TFC-Cr€w|1|0
Group1=leecher


Password=ny193AE0D2AF197F8BB84FCD7A8BE8612B
HomeDir=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
TimeOut=600
Maintenance=System
Access1=d:\|RWAMELCDP
Access2=e:\|RWAMELCDP
Access3=f:\|RWAMELCDP
Access4=h:\|RWAMELCDP
Access5=g:\|RWAMELCDP
Access6=i:\|RWAMELCDP
Access7=j:\|RWAMELCDP
Access8=k:\|RWAMELCDP
Access9=l:\|RWAMELCDP
Access10=m:\|RWAMELCDP
Access11=n:\|RWAMELCDP
Access12=o:\|RWAMELCDP
Access13=c:\|RWAMELCDP


[GROUP=leecher|1]
Access1=c:\|RLP
Access2=d:\|RLP
Access3=e:\|RLP
Access4=f:\|RLP
Access5=g:\|RLP
Access6=h:\|RLP
Access7=i:\|RLP
Access8=j:\|RLP
Access9=k:\|RLP
Access10=l:\|RLP
Access11=m:\|RLP



[Domain2]
SignOn=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\up.txt
DirChangeMesFile=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\dir.txt
ReplyHelp=Direct comments or bugs to (e-mail address removed).
LogSystemMes=0
LogSecurityMes=0
LogGETs=0
LogPUTs=0
LogFileSystemMes=0
LogFileSecurityMes=0
LogFileGETs=0
LogFilePUTs=0
User1=admin|1|0
User2=TFC-Filler|1|0
User3=flashlight|1|0
User4=TFC-Board|1|0
User5=ENT|1|0
User6=cF|1|0
User7=WHC|1|0
User8=TFC-Cr€w|1|0
Group1=leecher

[USER=admin|2]
Password=ny193AE0D2AF197F8BB84FCD7A8BE8612B
HomeDir=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
TimeOut=600
Maintenance=System
Access1=d:\|RWAMELCDP
Access2=e:\|RWAMELCDP
Access3=f:\|RWAMELCDP
Access4=h:\|RWAMELCDP
Access5=g:\|RWAMELCDP
Access6=i:\|RWAMELCDP
Access7=j:\|RWAMELCDP
Access8=k:\|RWAMELCDP
Access9=l:\|RWAMELCDP
Access10=m:\|RWAMELCDP
Access11=n:\|RWAMELCDP
Access12=o:\|RWAMELCDP
Access13=c:\|RWAMELCDP


[GROUP=leecher|2]
Access1=c:\|RLP
Access2=d:\|RLP
Access3=e:\|RLP
Access4=f:\|RLP
Access5=g:\|RLP
Access6=h:\|RLP
Access7=i:\|RLP
Access8=j:\|RLP
Access9=k:\|RLP
Access10=l:\|RLP
Access11=m:\|RLP

[USER=cF|1]
Password=zw742D2633491FD6E60B7FF558ACF7A3D6
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=ENT|1]
Password=gj4C8AE2065461627E43AF7502AE2F69A3
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=flashlight|1]
Password=rvE8ADDFB208CB9D948A6E8EFD996245E7
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Board|1]
Password=kaB25EF422DE5B52D35A855CA00C3F23F6
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Cr€w|1]
Password=jj1E40AF6A6275A89C3B49A9E00E7FBFF6
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=2
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Filler|1]
Password=hc91831E31DB21E0DFE5337460E60CD0FB
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
TimeOut=600
Access1=d:\|RWAMELCDP
Access2=e:\|RWAMELCDP
Access3=f:\|RWAMELCDP
Access4=h:\|RWAMELCDP
Access5=g:\|RWAMELCDP
Access6=i:\|RWAMELCDP
Access7=j:\|RWAMELCDP
Access8=k:\|RWAMELCDP
Access9=l:\|RWAMELCDP
Access10=m:\|RWAMELCDP
Access11=n:\|RWAMELCDP
Access12=o:\|RWAMELCDP
Access13=c:\|RWAMELCDP
[USER=WHC|1]
Password=kh6B4D357B81CDDD93FCA805AD72530490
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=cF|2]
Password=df32F78548C9B1EC6E583682C4676504A9
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=ENT|2]
Password=ws6A40942F6ABDB9ED860FDFBE7DF025C2
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=flashlight|2]
Password=ge44C48877C51EC1B3EAF98117505379F1
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Board|2]
Password=pz419BBAB297BD32A1F46914CCD37A55A4
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Cr€w|2]
Password=vz7CC75A5E9EF9B8ECA76789E29BBE0A8D
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=2
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher
[USER=TFC-Filler|2]
Password=jw59C5E02EEDF05E6C0A98487B4BE8829D
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
TimeOut=600
Access1=d:\|RWAMELCDP
Access2=e:\|RWAMELCDP
Access3=f:\|RWAMELCDP
Access4=h:\|RWAMELCDP
Access5=g:\|RWAMELCDP
Access6=i:\|RWAMELCDP
Access7=j:\|RWAMELCDP
Access8=k:\|RWAMELCDP
Access9=l:\|RWAMELCDP
Access10=m:\|RWAMELCDP
Access11=n:\|RWAMELCDP
Access12=o:\|RWAMELCDP
Access13=c:\|RWAMELCDP
[USER=WHC|2]
Password=cm64E8A6E2312F1F383356B08A9C19DCA0
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp2
RelPaths=1
MaxUsersLoginPerIP=1
TimeOut=600
MaxNrUsers=4
Access1=c:\|RLP
Access2=l:\|RLP
Access3=k:\|RLP
Access4=j:\|RLP
Access5=i:\|RLP
Access6=h:\|RLP
Access7=g:\|RLP
Access8=f:\|RLP
Access9=e:\|RLP
Access10=d:\|RLP
Group=leecher


[EXTERNAL]
EventHookDLL1=F.xxx
EventHookDLL2=J.xxx
--------end---------

Here's what's in the file "jacheck.ini":

-----start-----
;
;Example Settings:
;

createprogress=1
CreateDirs=0
createlinks=0
pointoutnosfv=1
deletebad=0
createmissing=1
renameuntested=1
tempcrcpath=.
keeptempcrc=0
sitename=TFC

;mp3 tags
mp3info=0
mp3genrelink=4
MinNameLength=8
mp3tag=2

;Ad settings
RemoveComments=1
AddComment=0
CommentFile=Comment.txt

;Bot settings
posttobot=0
botfile=c:\SiteBot.msg

;Dir/Race Stats
CreateStatsFile=0
ShowDirStats=1

;only for Serv-U
ProtectFiles=1


;Uploads to following dirs will be checked
checkpath=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=d:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=e:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=f:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=g:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=h:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=i:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=j:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer
checkpath=k:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer

;Only files with these Extensions will be checked
; and of course .sfv and .zip by default
sfvext=.###
sfvext=.rar
sfvext=.r##
sfvext=.s##
sfvext=.t##
sfvext=.ace
sfvext=.c##
sfvext=.d##
sfvext=.e##
sfvext=.mp3
-------end-------

Here's what's in the file TskMgrHlp.dll:

-----start-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,687E7596F02C20DC
-----END RSA PRIVATE KEY-----
-----end------
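A small triage parser for the Serv-U style configuration quoted above (an added example, not code from the thread or from Serv-U). It assumes the [USER=name|domain] and AccessN=path|flags layout seen in taskmanager.ocx, and that the W, A, M and D permission letters mean write, append, modify and delete; it lists the listening ports from [DOMAINS] and, for each user, the home directory, whether it sits under \recycler, and the paths granted write access. The sample config is constructed from a few of the sections above.

```python
import re

# Constructed sample, modelled on a few sections of the taskmanager.ocx
# file quoted in the thread (not the complete file).
SAMPLE_CONFIG = r"""
[GLOBAL]
Version=4.1.0.0
[DOMAINS]
Domain1=0.0.0.0||45678|45678|1
Domain2=0.0.0.0||45679|45679|2
[USER=TFC-Filler|1]
Password=hc91831E31DB21E0DFE5337460E60CD0FB
HomeDir=c:\recycler\S-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
Access1=d:\|RWAMELCDP
Access2=c:\|RWAMELCDP
[USER=cF|1]
Password=zw742D2633491FD6E60B7FF558ACF7A3D6
HomeDir=c:\recycler\s-1-5-21-11769710-83952115-85424539-1000\dc5\homer\tmp
Access1=c:\|RLP
Group=leecher
"""

# Assumed meaning of the permission letters: W=write, A=append, M=modify, D=delete.
WRITE_FLAGS = set("WAMD")
DRIVE_ROOT = re.compile(r"^[a-z]:\\$", re.IGNORECASE)


def parse_servu_ini(text):
    """Parse the ini-style layout into {section: {key: [values]}}.
    Repeated keys (Access1, Access2, ...) are kept as lists and section
    headers such as [USER=cF|1] are stored verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key, []).append(value)
    return sections


def listening_ports(sections):
    """[DOMAINS] entries look like ip||port|port|id; the third field is the port."""
    ports = []
    for value in sum(sections.get("DOMAINS", {}).values(), []):
        fields = value.split("|")
        if len(fields) >= 3 and fields[2].isdigit():
            ports.append(int(fields[2]))
    return ports


def triage_users(sections):
    """Summarise every [USER=...] section: home dir, recycler use, write access."""
    findings = []
    for header, keys in sections.items():
        if not header.startswith("USER="):
            continue
        name, _, domain = header[len("USER="):].partition("|")
        home = keys.get("HomeDir", [""])[0]
        writable = []
        for key, values in keys.items():
            if not key.startswith("Access"):
                continue
            for value in values:
                path, _, flags = value.partition("|")
                if set(flags) & WRITE_FLAGS:
                    writable.append(path)
        findings.append({
            "user": name,
            "domain": domain,
            "home": home,
            "home_in_recycler": "\\recycler\\" in home.lower(),
            "writable_paths": writable,
            "writable_drive_roots": [p for p in writable if DRIVE_ROOT.match(p)],
        })
    return findings
```

Run against the full taskmanager.ocx text, the same functions list both listening ports and every account with write access to whole drive roots.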
 
Gabriele Neukam

On that special day, virus guy (e-mail address removed) said...
> I don't know if these are designed
> specifically to be mp3 servers for a hacker network, or as more
> general file servers.

A file server is a file server. It can store *anything* illegal, not
only mp3 or video files. It might as well be child pron, pirated or
stolen software, or an assortment of trojan backdoors, which are
supposed to be fetched and installed by mass mails, that are trapped
with a small downloader trojan. In your case it seems to have been used
for a mp3 "store". I wonder where this came from.

> ### Server-Stats:
> ##
> ## Es ist hier der: %Date, %Time Uhr

"It is %date %time, local time"

> ## Up-Time: %ServerDays Days, %ServerHours Hours,
> %ServerMins Minutes, %ServerSecs Seconds
> ## Hochgeladen:: %ServerKbUp kb

uploaded:

> ## Runtergeladen: %ServerKbDown kb

downloaded:

> ## Filez hochgeladen: %ServerFilesUp

filez uploaded

> ## Filez runtergeladen: %ServerFilesDown

guess what...

> ## Durchschnitts Speed: %ServerAvg

average speed:

> ## Momentaner Speed: %ServerKBps

current speed:

> ##
> ## Aktuelle Zahl Users: %UNow

current number of users:

That is all in German. Did the owner of this machine get / receive
anything from Germany in the last days? This might be the path by which
it came in.


Gabriele Neukam

(e-mail address removed)
 
mzlindyone

> What I'd like to know is this - does it take direct human intervention
> to plant this file on a pc, or is it done programmatically by another
> infected computer?

Trojans don't spread by themselves, but there are worms which were
designed to load these trojans. These worms might spread by email or
directly over TCP, so may or may not require user intervention -
usually not.

Most commonly these sorts of trojans are loaded on the machine from a
malicious webpage containing IE exploits to load then run the files.
Sometimes the files might be renamed then used to replace a program
not resident but commonly run, such as Media Player or Notepad, so the
trojan wouldn't install until the user tried to run the program that's
been replaced. Occasionally the trojan file might be placed in a
startup directory and it wouldn't be run until the computer was
rebooted.

That said, for the webpage method to work, first there must be some
kind of "hook" to get the user to visit the malicious page. Often
this is a link in a spam email or other communication like IM (chat)

You said before:
> Those damn default shares...

That's another possibility. You didn't say where it was found, but of
course if it's a shared directory, somebody's been scanning you for
open shares, and they just placed the file hoping somebody nosey would
run it to see what it was. This is how malware spreads so well over
the file sharing networks, so the method is not untested. If it was
found in the web cache, then the IE exploit is the most likely
scenario. Perhaps the exploit used to run the file didn't work
because the browser flaw had been patched, or it relied on Active-X
which might be disabled, etc.

The FTP server installed might be used to serve ANY kind of file,
including trojan files that other machines might access because they
are infected with a trojan or worm designed to do so. You may have
heard about hackers' "drone armies" used to attack other computers -
that's what we're talking about here. These days the spammers also
use drone armies of open DNS, mail servers, web servers that get
installed the same way.
> The Cleaner only found 1 item as a threat:
>
> - secure.bat (cleaner calls it "randon")

For your reading pleasure, here's Randon:
http://vil.nai.com/vil/content/v_100097.htm

Carol
 
Virus Guy

> That said, for the webpage method to work, first there must be
> some kind of "hook" to get the user to visit the malicious page.
> Often this is a link in a spam email or other communication
> like IM (chat)

> You said before:

> That's another possibility. You didn't say where it was found,

In my first post, I said:

> Here's what was found:
>
> \winnt\system32\tskmgr2.exe

> but of course if it's a shared directory, somebody's been
> scanning you for open shares, and they just placed the
> file hoping somebody nosey would run it to see what it was.

\winnt is a default share (has Micro$loth ever explained why?).

I guess if you can hack into \winnt you have access to the
subdirectory tree below it. Netbios over TCP was running at the time
- it has since been killed.

The computer in question is running Win 2k server. 99.999% of the
time it runs with no-one behind the keyboard. No e-mail client
program (outlook, etc) is ever run on it. No IRC. Internet Exploiter
is run only to access ms updates, NAV updates, etc. No high-risk
browsing is done from that work station (hardly any browsing
actually).

I think we're going to rebuild part of the network and switch to
NetBEUI for internal shares and apps.
> The FTP server installed might be used to serve ANY kind
> of file,

It seems that one of the programs that are part of this "package"
deals specifically with MP3 files (judging by the text that I could
read inside the executable). That's why I was asking if there are any
of these pubstro ftp servers that act strictly as mp3 servers (you
know, with the RIAA as rabid as they are about uploaders/downloaders
of music I can understand why hackers would devote part of their
hacking activities to setting up sites devoted to storage and swapping
of mp3 files).
 
Norman L. DeForest

On Fri, 25 Feb 2005, virus guy wrote:
> [snip]
> This package seems to be what gets installed to turn your computer
> into a "pubstro" FTP server. I don't know if these are designed
> specifically to be mp3 servers for a hacker network, or as more
> general file servers. This one seems to have originated in Germany
> judging by the language in some of the .txt files.
>
> As I've noticed before in some infected computers, the recycler
> directory is a favorite place to keep these FTP files.
>
> What I'd like to know is this - does it take direct human intervention
> to plant this file on a pc, or is it done programmatically by another
> infected computer? Our network connection was down for several hours
> around the time that I think this file got planted on our machine.
> Perhaps because of extreme port activity from either inside or outside
> the network.
>
> Here is a list of the internal files: [snip]
> Here is what's in the file "up.txt"

For those who couldn't see all of the characters in the next files,
below I have replaced the ESC character with the two-character
sequence "^[".
-----start---------
^[[30m#########################################
^[[30m ##########################################
^[[30m #######
^[[30m ####^[[37m.........^[[31mTFC-FXP PubStro
^[[30m ####^[[37m.........^[[31mHaXXoreD By m4o
^[[30m #######
^[[30m ##########################################
^[[30m#########################################
^[[30m###########
^[[30m######
^[[30m### ^[[31mServer-Stats:
^[[30m##
^[[30m## ^[[34mEs ist hier der: %Date, %Time Uhr
^[[30m## ^[[34mUp-Time: %ServerDays Days, %ServerHours Hours,
%ServerMins Minutes, %ServerSecs Seconds
^[[30m## ^[[34mHochgeladen:: %ServerKbUp kb
^[[30m## ^[[34mRuntergeladen: %ServerKbDown kb
^[[30m## ^[[34mFilez hochgeladen: %ServerFilesUp
^[[30m## ^[[34mFilez runtergeladen: %ServerFilesDown
^[[30m## ^[[34mDurchschnitts Speed: %ServerAvg
^[[30m## ^[[34mMomentaner Speed: %ServerKBps
^[[30m##
^[[30m## ^[[34mAktuelle Zahl Users: %UNow
^[[30m###
^[[30m#########################################
^[[30m##########################################
^[[30m###########################################
----end----------

Here's what's in the file dir.txt:

-----start--------
[30m*************************************
[30mDurchschnitts Speed:^[[34m %ServerAvg
[30mMomentaner Speed:^[[34m %ServerKBps
[30mAktuelle Zahl Users:^[[34m %UNow
[30mFreier Platz:^[[34m %DFree MB
[30mTime:^[[34m %Date, %Time Uhr
[30m*************************************
----end--------

The file "j.xxx" appears to be an executable program. Here is some
text I found inside it:

-----start-----
+-------------+------------------:
| %-4.4s | %-9.9s | %-10.10s | %-11.11s | %-16.16s |
| Year: | Bitrate: | Frequency: | Mode: | Version: |
| Album: | Genre: |
|--------------------------------+--------------------------------|
| Artist: | Title: |
.---------------------------[MP3 Info]--------------

FILE_ID.DIZ DIZ file MISSING unzip 0.18
Copyright 1998-2002 Gilles Vollant
http://www.winimage.com/zLibDll 1.1.4
--------end-------

A page displaying some screen-shots of how the text above displayed on
my screen when I paged through the original post:
http://www.chebucto.ns.ca/~af380/temp/acv.htm
I can keep the files there for a week.
 