[Snort-sigs] Possible new trojan
u233 at ...1761...
Thu Aug 14 02:04:16 EDT 2003
On Wednesday 13 August 2003 21:56, Chris Reid wrote about "Re: Possible new
trojan" (message re-ordered somewhat):
> Hi Trent,
> There was a posting to the Full Disclosure mailing list on August 11, 2003
> titled "AIM Packet Injection for fun and propfit" by "Moot Industries". As
> a wild guess, I'd speculate that the two are related.
Hmmm, it could be, as he was using 2 SNs, but the executable does seem to
have some strings that would hint that it was twiddling registry keys and/or
adding a user account and a keylogger to the machine. Fortunately the "Moot
Industries" post seems to indicate that the attack doesn't work against Linux.
I think this was just a lame attempt to social engineer me into running the
exe. I had someone try to con me into installing SubSeven server the day
before too (I have a copy of that too if anyone's interested).
> ... the best place to discuss this would probably be the Snort-Sigs mailing
> list... First, look through the archives to see if it has already been
> discussed before.
Gotcha, I don't think it has as I can find no references to the strings I've
extracted that seem like they might be relatively unique.
> NOTE: Do not post this trojan to the list!!
> ... post a summary of what you know about the trojan, and that
> you have a copy of the executable available.
All I know is what I learned from the strings I extracted... I don't have an
unused & offline Win32 box to test it on.
Here are some interesting strings, sorry if some or all are mundane, I do not
examine Win32 executables regularly (C-Style comments are mine, not from the
executable) (strings -a -t x icycrack.v2.exe ):
2250 D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
2761 You must agree to this license in order to install this software.
/* there doesn't seem to be anything resembling a license agreement in the
/* a whole lotta whitespace, then neopets (the name of a web based game) */
aa79 advapi32.dll /* I understand this can be used to twiddle
security settings? */
aabc h at ...972...@
d461 MS Sans Serif0
d484 Current Password:
d4b6 Due to a corrupt segment in your account AIM has discovered a possible
attack/insecure sector in your version of AIM. Please enter your password
> If people are interested in
> obtaining it from you, they will contact you and then you can arrange a way
> to transmit it privately without setting off anti-virus scanners.
OK. If anyone wants to examine it and/or test it, I have it.
> ----- Original Message -----
> > It was sent to me by a script kiddie in an AIM chatroom.
> > (all times pacific, Aug 13, 2003)
> > in group "Computing Chat" on transport 5
> > (19:17:57) XtreamGTrider69: anyone wanna test out my AIM Cracker? IM me
> > or press 555 now.
... Message repeated 4 times...
> > (19:23:29) INF4M0US41: anyone want an AIM cracker? message me or press 5.
... Message repeated 5 times
> > IM Sessions with XtreamGTrider69
> > ---- New Conversation @ Sat Sep 13 19:18:11 2003 ----
> > (19:18:28) me: send me your cracker!
> > (19:18:31) XtreamGTrider69: hi
> > (19:18:42) XtreamGTrider69: hey
> > (19:18:51) XtreamGTrider69: getting on my other name ok?
> > IM Sessions with INF4M0US41
> > ---- New Conversation @ Sat Sep 13 19:19:05 2003 ----
> > (19:19:05) INF4M0US41: hey
> > (19:19:23) INF4M0US41: Do you want the cracker or not?
> > ---- New Conversation @ Sat Sep 13 19:19:33 2003 ----
> > (19:19:33) INF4M0US41: Hello?
> > (19:19:47) me: what?
> > (19:20:09) INF4M0US41: so what do you think?
> > (19:20:45) me: just a sec.
> > (19:21:26) INF4M0US41: did it work?
> > (19:22:05) INF4M0US41: hello
> > (19:22:10) INF4M0US41: ur wasting my time, does it work
> > (19:22:11) INF4M0US41: or not?
> > (19:22:14) me: very nice, I don't believe I've seen this trojan before...
> > I'll pass it on to snort.org
> > (19:22:31) INF4M0US41: trojan?
> > (19:22:40) INF4M0US41: did u open the file yes or no?
> > (19:22:57) me: oh yes, I opened it.
> > (19:23:09) me: in a hex editor.
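As an added example (not code from this post or from any tool it names), a small Python triage script that reproduces the `strings -a -t x` listing the author used, additionally scans for UTF-16LE strings that the single-byte default of `strings` does not report, and flags the indicators the author pointed out. The sample bytes are constructed from strings quoted in the post, not taken from the real executable.

```python
import re

# Constructed sample "binary": padding around strings quoted in the post.
# Offsets in the comments are where each string lands in this sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12                                          # 0x00
    + b"D:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.OLB\x00"    # 0x10
    + b"\x01\x02" + b"advapi32.dll\x00\x00\xff"                           # 0x48
    + b"Current Password:\x00"                                            # 0x57
    + b"Due to a corrupt segment in your account AIM has discovered\x00\x00"  # 0x69
    + "Welcome".encode("utf-16-le") + b"\x00\x00"                         # 0xa6, wide
)

# Indicators the post's author called out, with a defender's reading of each.
INDICATORS = {
    b"VB6.OLB": "Visual Basic 6 runtime reference (VB6-built binary)",
    b"advapi32.dll": "imports Windows registry/security APIs",
    b"Current Password:": "credential prompt, likely a phishing dialog",
    b"account AIM": "AIM-themed social-engineering text",
}


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) tuples like `strings -a -t x`, plus
    UTF-16LE runs that the default single-byte scan of `strings` misses."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(data):
    """Return the extracted strings that match an indicator, with the reason."""
    hits = []
    for off, _enc, text in extract_strings(data):
        for needle, why in INDICATORS.items():
            if needle.decode() in text:
                hits.append((off, text, why))
    return hits


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:x} {enc:8} {text}")
    for off, text, why in triage(SAMPLE):
        print(f"[{off:x}] {why}: {text!r}")
```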