Trojan pdhtil to site 10g.org


Walter Horowitz

I'm trying to fix a friend's computer that has been infected with a Trojan.
The machine tries to access the site http://10g.org when he logs on. The
HTTP request it makes is included below.

The trojan creates a value in HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pidhtil
with string value "rundll32 C:\WINNT\system32:pidhtil.dll, Init 1"

If this key is deleted, it is recreated within 5 seconds. If I kill the
rundll32 process that does this, then the current explorer.exe process takes
over. If I kill the explorer.exe process, then taskman.exe or some other
process does it. I suspect that some system dll has been changed to contain
the Trojan code and when any appropriate task calls the common routine, then
the Trojan does its thing. I have not been able to identify the Trojan yet.
This will happen even if I start the machine in Safe Mode.

I have been unable to find any reference to pidhtil or 10g.org by searching
for strings on his machine. Does anyone have any idea on how to find and
remove this beastie?


Frame 82 (365 bytes on wire, 365 bytes captured)
Arrival Time: Mar 21, 2004 14:21:43.602484000
Time delta from previous packet: 0.000379000 seconds
Time relative to first packet: 97.366265000 seconds
Frame Number: 82
Packet Length: 365 bytes
Capture Length: 365 bytes
Ethernet II, Src: 00:00:86:38:ba:90, Dst: 00:a0:c5:e1:3e:f4
Destination: 00:a0:c5:e1:3e:f4 (192.168.0.1)
Source: 00:00:86:38:ba:90 (192.168.0.3)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.0.3 (192.168.0.3), Dst Addr: 66.98.188.91 (66.98.188.91)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 351
Identification: 0x0043 (67)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x39ed (correct)
Source: 192.168.0.3 (192.168.0.3)
Destination: 66.98.188.91 (66.98.188.91)
Transmission Control Protocol, Src Port: 1029 (1029), Dst Port: http (80), Seq: 2430045908
Source port: 1029 (1029)
Destination port: http (80)
Sequence number: 2430045908
Next sequence number: 2430046219
Acknowledgement number: 3588306347
Header length: 20 bytes
Flags: 0x0018 (PSH, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 1... = Push: Set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0x138c (correct)
Hypertext Transfer Protocol
POST /cgi-bin/ref.cgi?Sun%20Mar%2021%2015%3A22%3A44.489%202004 HTTP/1.0\r\n
Request Method: POST
Host: l0g.org\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 40\r\n
Accept: */*\r\n
Accept-Language: en\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: AF/2.6-test35\r\n
Connection: close\r\n
\r\n
Data (40 bytes)
0000 69 64 3d 34 30 35 38 30 32 31 31 37 31 26 76 65 id=4058021171&ve
0010 72 3d 32 36 33 35 26 73 79 73 3d 57 69 6e 4e 54 r=2635&sys=WinNT
0020 35 2e 30 2d 32 31 39 35 5.0-2195
 
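Two offline checks on the artefacts above, as an added example that is not code from this thread or from any of the tools mentioned in it: it decodes the 40-byte POST body from the frame 82 hex dump and pulls out the check-in fields, and it scans a .reg-style export of the Run key (constructed here from the value quoted above plus two benign entries) for command lines that load from an NTFS alternate data stream. The function names, the host watchlist and the browser User-Agent heuristic are the example's own assumptions. One point the scan turns on: `C:\WINNT\system32:pidhtil.dll` is not a file inside system32; the second colon makes it a named stream attached to the system32 directory, which a normal directory listing or file search does not show, and which would explain why a string search for pidhtil finds nothing. Note also that the Host header in the capture reads `l0g.org` (lowercase L, digit zero), so the watchlist carries both spellings.

```python
"""Offline checks for the HTTP beacon in frame 82 and the Run-key value.

Added example, not code from the original thread. The hex dump and request
headers are copied from the post; the .reg export is constructed. Function
names, the watchlist and the User-Agent heuristic are this example's own.
"""
import re
from urllib.parse import parse_qs

# Ethereal hex-dump lines for the 40-byte POST body, as printed in the post.
HEXDUMP = """\
0000 69 64 3d 34 30 35 38 30 32 31 31 37 31 26 76 65 id=4058021171&ve
0010 72 3d 32 36 33 35 26 73 79 73 3d 57 69 6e 4e 54 r=2635&sys=WinNT
0020 35 2e 30 2d 32 31 39 35 5.0-2195
"""

# Request line and headers from the same frame (Ethereal shows them decoded).
REQUEST_HEAD = (
    "POST /cgi-bin/ref.cgi?Sun%20Mar%2021%2015%3A22%3A44.489%202004 HTTP/1.0\r\n"
    "Host: l0g.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 40\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: AF/2.6-test35\r\n"
    "Connection: close\r\n\r\n"
)

# Constructed .reg export of the Run key: the value from the post plus two
# benign entries for contrast (.reg files double the backslashes).
RUN_KEY_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pidhtil"="rundll32 C:\\WINNT\\system32:pidhtil.dll, Init 1"
"Synchronization Manager"="mobsync.exe /logon"
"ScanRegistry"="C:\\WINNT\\scanregw.exe /autorun"
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
REG_VALUE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# drive:\path:stream -> the second colon names an NTFS alternate data stream.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\/:\s]+$")


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset  xx xx ... ascii' lines back into bytes.

    After the offset, tokens are taken as bytes while they look like hex (at
    most 16 per line); the first token that does not starts the ASCII column.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.0 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}


def beacon_indicators(req: dict) -> dict:
    """Return what makes this request look like a check-in (heuristics)."""
    reasons = []
    host = req["headers"].get("host", "")
    if host in {"l0g.org", "10g.org"}:          # assumed watchlist
        reasons.append("host on watchlist: " + host)
    ua = req["headers"].get("user-agent", "")
    if not ua.startswith("Mozilla/"):            # crude non-browser test
        reasons.append("non-browser User-Agent: " + ua)
    fields = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
    if {"id", "ver", "sys"} <= fields.keys():
        reasons.append("body carries id/ver/sys check-in fields")
    return {"host": host, "fields": fields, "reasons": reasons}


def find_ads_autoruns(reg_text: str) -> list:
    """Flag Run values whose command line loads from an alternate data stream."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
        for tok in command.split():
            tok = tok.rstrip(",")
            if ADS_PATH.match(tok):
                hits.append({"value": name, "command": command, "ads": tok})
    return hits


def analyse():
    """Run both checks on the embedded data; returns (beacon, autorun hits)."""
    raw = REQUEST_HEAD.encode("latin-1") + parse_hexdump(HEXDUMP)
    return beacon_indicators(parse_http_request(raw)), find_ads_autoruns(RUN_KEY_EXPORT)


if __name__ == "__main__":
    beacon, autoruns = analyse()
    print("beacon fields:", beacon["fields"])
    for r in beacon["reasons"]:
        print("  -", r)
    for h in autoruns:
        print("suspicious Run value %r loads stream %s" % (h["value"], h["ads"]))
```

On the real machine the Run key text would come from `regedit /e` rather than the constructed string, and the same ADS test applies to any autorun location, not just this key.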

jeff

Walter said:
I'm trying to fix a friend's computer that has been infected with a Trojan.
The machine tries to access the site http://10g.org when he logs on. The
HTTP request it makes is included below.
Walter, I've got this too. McAfee doesn't clear it either.
 

David H. Lipman

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt365.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html



|
| Walter Horowitz wrote:
| > I'm trying to fix a friend's computer that has been infected with a
| Trojan.
| > The machine tries to access the site http://10g.org when he logs on.
| The
| > HTTP request it makes is included below.
| >
| Walter, I've got this too. McAfee doesn't clear it either.
|
 
