
irc.erols.com a trojan?

  • 09-08-2000 6:26pm, #1


    Just switched on my brother's machine and mIRC has vanished. So I check to see what's been installed recently and there is an "Adult Browser" installed.

    I check netstat and irc.erols.com is permanently connected on 6667. I can't find any IRC client running.

    Anyone know what this is?



Comments

  • Hobbes


    OK, it's "Backdoor.Trojan". I've set up the machine so it stops it from working and I ran the latest NAV2K virus definitions.

    But... it removed it, but when I rebooted it reinstalled itself again. I've checked all the usual places where a reinstall can happen and it looks OK, which seems to suggest some other DLL is infected and NAV can't see it.

    The details on the Trojan are sketchy on the Symantec site. Anyone got any info on how this sucker works?



  • sam


    Look for a line in startup like
    "rundll32.exe suspicious.dll,arguments"
    Lots of the DLLs in there are meant to be there as well, so remove a DLL only if you know what you're doing. Don't go removing all lines that begin with "rundll32.exe dll.dll".


  • sam


    If the guy who installed the trojan had a clue, he would've compressed the file so navc wouldn't pick it up.

    If navc picks up the trojan, try doing navc /doallfiles /zips (both arguments are needed; /doallfiles doesn't do zips).
    As a matter of interest, what file did navc find that was 'infected', and was it executed on startup? If so, what was the line in the registry or win.ini, or was the program actually in your startup folder?


  • Hobbes


    The infected file was WSOCK.DLL which NAV2K said was "backdoor.trojan", I removed it and it killed the trojan running.

    Then when I rebooted, there is no WSOCK.DLL and NAVC says there is no virus.

    However port 31415 UDP+TCP is open again and listening (with everything shut down), and a connection is reconnected to IRC. It seems to pick random IRC servers (I did a search on the machine for any possible lists).

    As soon as the IRC connects I get information coming in, then my machine tries to send out on 31415; when the firewall blocks it I get a few more, then it tries to send out to the same address but under a different port (at which point I have it blocked).

    It seems to stop me connecting to the Undernet when it's running. I did eventually manage to get on and I was able to find out the clone's name (some weird nick like oybwryy..etc). It also disconnected from the IRC server it was on and moved to my server when I had connected.

    My brother says he never uses IRC, so I have set the firewall to block all IRC traffic, which it isn't seeming to do I guess, and before you ask, yes, I know how to set up ConSeal.

    Btw, I had already gotten the list from the Run section and was able to match the lines to the programs he has always run on the machine. However, as he's more concerned about the trojan I've nuked them too just now from the registry.


  • Hobbes


    Been there, done that. Checked all the reg entries, autoexec, config and win.ini and system.ini.

    It has to be an infected file already existing on the system.



  • Hobbes


    So no l33t hackers able to help me? *hmrph*

    OK, I don't know what the program totally does, but from what I can gather it can be used to attack sites.

    The reason I say that is, I connected with the firewall in full monitor mode and open ports. After about five minutes some packet came in from the server on port 6667 and now my machine is sending 4 packets to www.fbi.gov on port 6667 every minute. It's low enough not to cause me lag. Port 6667 is blocked anyway now.

    I really want this program off this machine.




  • Hobbes


    *Does a little happy dance*

    Ack, finally. Using a firewall, port sniffer, process viewer and a port backtracker I found the beggar.

    Note to self: in the registry, when checking the RUN and RUNLOAD keys, also check the RUNSERVICES type keys.

    The virus file is KRNi386.exe (it's all caps, so the I confused me with the L, which is a correct Windows file).

    When the program runs it creates the following reg key...

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Machine Debug Hook"="C:\\WINDOWS\\SYSTEM\\KRNI386.EXE"

    You can remove the virus by removing that line and deleting the EXE and rebooting.


  • sam


    Duh, didn't I ask was it executed on startup??
    And then you ask "so no l33t hackers able to help me?"

    Also, HKEY_LOCAL_MACHINE is not the only place software can be run at startup; HKEY_CURRENT_USER is another, and win.ini, and a few other places.
    Use msconfig or something next time, and don't say stuff if you're not sure you've done it:
    "Been there done that. Checked all the reg entries, Autoexec, config and win.ini and system.ini"

    Most Windows trojans are started from the registry or other such startup items; the rest are usually attached to a file like explorer.exe or something and compressed (in which case you're ****ed).
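The two practical points in this thread, sam's advice to look for "rundll32.exe suspicious.dll,arguments" lines in the startup locations and Hobbes's finding that the RunServices key and the I/L lookalike file name were what he had missed, can be turned into a small offline triage script. The following is an added example, not code posted in the thread: it parses a registry export in REGEDIT4 text form plus a win.ini, collects every autostart command, and flags entries that are not in a known-good baseline, that use rundll32 as a host process, or whose file name imitates a legitimate Windows file by swapping confusable characters. The sample registry and win.ini text, the baseline, and the list of legitimate file names are all constructed for the example (KRNL386.EXE is a real Windows 9x file; the rest of the baseline is illustrative).

```python
"""Autostart triage for a Windows 9x/NT box from a .reg export and win.ini.

Added example. All sample data below is constructed; only the
KRNI386.EXE/RunServices entry mirrors what the thread describes.
"""
import re
from typing import List, Optional, Set, Tuple

# Registry keys whose values are launched at boot or logon.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Constructed sample export (regedit "Export Registry File" format).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Machine Debug Hook"="C:\\WINDOWS\\SYSTEM\\KRNI386.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"="rundll32.exe suspicious.dll,Install"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

# Constructed sample win.ini; load= and run= under [windows] also autostart.
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\SYSTEM\KRNI386.EXE
[Desktop]
Wallpaper=(None)
'''

# Commands matched against the programs known to belong on this machine (assumed).
BASELINE: Set[str] = {r"C:\WINDOWS\scanregw.exe /autorun", "SysTray.Exe"}
# Legitimate file names a trojan might imitate (assumed list).
LEGIT_SYSTEM_FILES: Set[str] = {"KRNL386.EXE", "SYSTRAY.EXE", "SCANREGW.EXE",
                                "RUNDLL32.EXE", "EXPLORER.EXE"}

Entry = Tuple[str, str, str]  # (location, value name, command)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_autostarts(reg_text: str) -> List[Entry]:
    """Return string values found under any autostart key in a .reg export."""
    entries: List[Entry] = []
    current: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() not in AUTOSTART_KEYS:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries.append((current, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def parse_win_ini_autostarts(ini_text: str) -> List[Entry]:
    """Return non-empty load= and run= lines from the [windows] section."""
    entries: List[Entry] = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run") and value.strip():
            entries.append(("win.ini [windows]", key.strip().lower(), value.strip()))
    return entries


def executable_name(command: str) -> str:
    """First token of a command line with its path stripped, upper-cased."""
    tokens = command.strip().strip('"').split()
    return tokens[0].rsplit("\\", 1)[-1].upper() if tokens else ""


def rundll32_target(command: str) -> Optional[str]:
    """The DLL a 'rundll32.exe dll,entry' command loads, or None."""
    parts = command.strip().split(None, 1)
    if len(parts) == 2 and executable_name(parts[0]) == "RUNDLL32.EXE":
        return parts[1].split(",", 1)[0].strip()
    return None


# Characters commonly swapped to make a name look legitimate (I for L, 1 for l, 0 for O).
_CONFUSABLES = str.maketrans({"I": "L", "1": "L", "0": "O"})


def lookalike_of(name: str, legit: Set[str]) -> Optional[str]:
    """Return the legitimate file name `name` imitates, or None if it is genuine/unrelated."""
    name = name.upper()
    if name in legit:
        return None
    folded = name.translate(_CONFUSABLES)
    for real in legit:
        if real.translate(_CONFUSABLES) == folded:
            return real
    return None


def triage(entries: List[Entry], baseline: Set[str], legit: Set[str]):
    """Flag entries that are unknown, hosted by rundll32, or named like a system file."""
    findings = []
    for where, name, command in entries:
        reasons = []
        if command not in baseline:
            reasons.append("not in baseline")
        dll = rundll32_target(command)
        if dll:
            reasons.append("rundll32 host for " + dll)
        imitated = lookalike_of(executable_name(command), legit)
        if imitated:
            reasons.append("name resembles " + imitated)
        if reasons:
            findings.append((where, name, command, reasons))
    return findings


if __name__ == "__main__":
    found = parse_reg_autostarts(SAMPLE_REG) + parse_win_ini_autostarts(SAMPLE_WIN_INI)
    for where, name, command, reasons in triage(found, BASELINE, LEGIT_SYSTEM_FILES):
        print(f"{where}\n  {name} = {command}\n  -> {', '.join(reasons)}")
```

Run against a real export (regedit /e on Windows 9x) the baseline is the list of commands you have already matched to software you know, as Hobbes did for the Run key; the lookalike check catches exactly the KRNI386/KRNL386 confusion, and the rundll32 check surfaces the DLL name so you can decide whether it belongs, rather than deleting every rundll32 line.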


  • Hobbes


    Originally posted by sam:
    duh, didnt i ask was it executed on startup??

    If you want to nitpick, startup means nothing, and Bedlam had already mentioned the full key (which I knew). The RunServices* keys I may have even looked at; it's not my machine and for all I know he has some development software installed (not to mention the I/L threw me). I had actually been stripping all of the registry entries and adding stuff back one by one.

    And I am aware of both keys as well. If you thought I wasn't you should have explained in more detail. Funny how you flame me with more precise details yet you weren't very forthcoming to begin with.

    Are you upset because I don't think you're l33t?
    most windows trojans are started from registry or other such startup items, the rest are usually attached to a file like explorer.exe or something and compressed (in which case youre ****ed)

    I believe you said the exact same thing I did.


    [This message has been edited by Hobbes (edited 13-08-2000).]


  • sam


    No, I assumed you knew it all after you said you checked "all the reg entries, been there done that",
    so I obviously thought you were aware of all the keys.


  • sam


    Oh yeah, "startup" is anything that runs upon system/user startup, obviously.

    If you want to really nitpick, there is no such thing as a computer.


  • Hobbes


    Originally posted by sam:
    if you want to really nitpick there is no such thing as a computer

    Can I have yours then?

