[Snort-sigs] Possible new trojan

Trent Whaley u233 at ...1761...
Thu Aug 14 02:04:16 EDT 2003

On Wednesday 13 August 2003 21:56, Chris Reid wrote about "Re: Possible new 
trojan" (message re-ordered somewhat):
> Hi Trent,

> There was a posting to the Full Disclosure mailing list on August 11, 2003
> titled "AIM Packet Injection for fun and propfit" by "Moot Industries".  As
> a wild guess, I'd speculate that the two are related.

Hmmm, it could be, as he was using 2 SNs, but the executable does seem to 
have some strings that would hint that it was twiddling registry keys and/or 
adding a user account and a keylogger to the machine. Fortunately the "Moot 
Industries" post seems to indicate that the attack doesn't work against Linux.

I think this was just a lame attempt to social engineer me into running the 
exe. I had someone try to con me into installing SubSeven server the day 
before too (I have a copy of that too if anyone's interested). 

> ... the best place to discuss this would probably be the Snort-Sigs mailing
> list...  First, look through the archives to see if it has already been
> discussed before. 

Gotcha, I don't think it has as I can find no references to the strings I've 
extracted that seem like they might be relatively unique.

> NOTE:  Do not post this trojan to the list!! 

Okee dokeee

>  ... post a summary of what you know about the trojan, and that
> you have a copy of the executable available.  

115289 bytes.

All I know is what I learned from the strings I extracted... I don't have an 
unused & offline Win32 box to test it on.

Here are some interesting strings, sorry if some or all are mundane, I do not 
examine Win32 executables regularly (C-style comments are mine, not from the 
executable) (strings -a -t x icycrack.v2.exe):

2250 D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
2761 You must agree to this license in order to install this software.
/* there doesn't seem to be anything resembling a license agreement in the 
file. */

/* a whole lotta whitespace, then neopets (the name of a web based game) */

61d9 msconfig.exe
839d BlueDeath

8fed msconfig
8ff6 PowerPass
9001 BlueDeath

a4d5 winver
a4dd hider
a4e9 keylog

a4f1 decryptpas
a501 rega
a509 shutdown

a51d BlueDeath

a999 GetCurrentProcessId
a9d0 hTG@
a9e5 RegisterServiceProcess
aa31 HideApplication
aa41 ShowApplication
aa79 advapi32.dll            /* I understand this can be used to twiddle 
security settings? */
aa8d RegOpenKeyA
aabc h at ...972...@
aad1 RegOpenKeyExA
ab21 RegEnumKeyA
ab65 RegEnumValueA
abad RegQueryValueExA
abe4 hhI@
abf9 RegDeleteValueA
ac41 RegDeleteKeyA
ac89 RegCloseKey
acb8 h<J@
accd TerminateProcess
ad19 GetWindowThreadProcessId
ad6d OpenProcess

adc5 s\FIXER359\Deskt

bc0d LookupPrivilegeValueA
bc5d AdjustTokenPrivileges
bca9 ExitWindows

be65 RegCreateKeyExA
bead RegSetValueExA

bf15 RegistryRootKey
bf25 SubDirectory
bf39 OpenRegistry
bf49 CloseRegistry

d431 Text1
d461 MS Sans Serif0
d479 Label2
d484 Current Password:
d4ab Label1
d4b6 Due to a corrupt segment in your account AIM has discovered a possible 
attack/insecure sector in your version of AIM. Please enter your password
d563 Image1
d578 GIF89a)

> If people are interested in
> obtaining it from you, they will contact you and then you can arrange a way
> to transmit it privately without setting off anti-virus scanners.

OK. If anyone wants to examine it and/or test it, I have it.

> ----- Original Message -----
> > It was sent to me by a script kiddie in an AIM chatroom.
> >
> > (all times pacific, Aug 13, 2003)
> >
> > in group "Computing Chat" on transport 5
> >
> > (19:17:57) XtreamGTrider69: anyone wanna test out my AIM Cracker? IM me
> > or press 555 now.

... Message repeated 4 times...

> >
> > (19:23:29) INF4M0US41: anyone want an AIM cracker? message me or press 5.
... Message repeated 5 times

> >
> > IM Sessions with XtreamGTrider69
> > ---- New Conversation @ Sat Sep 13 19:18:11 2003 ----
> > (19:18:28) me: send me your cracker!
> > (19:18:31) XtreamGTrider69: hi
> > (19:18:42) XtreamGTrider69: hey
> > (19:18:51) XtreamGTrider69: getting on my other name ok?

> > IM Sessions with INF4M0US41
> > ---- New Conversation @ Sat Sep 13 19:19:05 2003 ----
> > (19:19:05) INF4M0US41: hey
> > (19:19:23) INF4M0US41: Do you want the cracker or not?
> > ---- New Conversation @ Sat Sep 13 19:19:33 2003 ----
> > (19:19:33) INF4M0US41: Hello?
> > (19:19:47) me: what?
> > (19:20:09) INF4M0US41: so what do you think?
> > (19:20:45) me: just a sec.
> > (19:21:26) INF4M0US41: did it work?
> > (19:22:05) INF4M0US41: hello
> > (19:22:10) INF4M0US41: ur wasting my time, does it work
> > (19:22:11) INF4M0US41: or not?
> > (19:22:14) me: very nice, I don't believe I've seen this trojan before...
> > I'll pass it on to snort.org
> > (19:22:31) INF4M0US41: trojan?
> > (19:22:40) INF4M0US41: did u open the file yes or no?
> > (19:22:57) me: oh yes, I opened it.
> > (19:23:09) me: in a hex editor.

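As an added example (not part of this thread or the snort.org archive), here is a small Python triage script that reproduces the approach used above: pull printable ASCII strings with their hex offsets, the way `strings -a -t x` does, and group the ones that match the registry, privilege, process-hiding and password-prompt indicators quoted in the post. The indicator grouping, the category names and the sample bytes are this example's own constructions.

```python
"""Offline string triage of a suspect Win32 executable (added example)."""
import re
from typing import Dict, List, Tuple

# Capability hints keyed by the behaviour the string suggests. The API names and
# UI text come from the strings quoted in the post; the grouping is constructed.
INDICATORS: Dict[str, Tuple[str, ...]] = {
    "registry_modification": ("RegCreateKeyExA", "RegSetValueExA",
                              "RegDeleteValueA", "RegDeleteKeyA"),
    "privilege_adjustment": ("LookupPrivilegeValueA", "AdjustTokenPrivileges"),
    "process_hiding": ("RegisterServiceProcess", "HideApplication"),
    "process_termination": ("TerminateProcess", "OpenProcess",
                            "GetWindowThreadProcessId"),
    "credential_prompt": ("Current Password:", "enter your password"),
    "keylogging": ("keylog",),
}

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for runs of printable ASCII, like `strings -a -t x`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def triage(strings_with_offsets: List[Tuple[int, str]]) -> Dict[str, List[Tuple[int, str]]]:
    """Bucket extracted strings by the capability they hint at (case-insensitive)."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for offset, text in strings_with_offsets:
        for category, needles in INDICATORS.items():
            if any(n.lower() in text.lower() for n in needles):
                hits.setdefault(category, []).append((offset, text))
    return hits

# Constructed sample: binary padding around a few strings quoted in the post.
# "MZ" is shorter than min_len and must not be reported.
SAMPLE = (b"\x00" * 16 + b"keylog\x00" + b"\xff" * 5 + b"RegSetValueExA\x00"
          + b"AdjustTokenPrivileges\x00" + b"Current Password:\x00" + b"MZ\x00")

if __name__ == "__main__":
    for category, items in sorted(triage(extract_strings(SAMPLE)).items()):
        print(category)
        for offset, text in items:
            print(f"  {offset:x} {text}")
```

To run it against a real file, pass `open(path, "rb").read()` to `extract_strings` instead of `SAMPLE`.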