Security Incidents mailing list archives

Re: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro


From: aleph1 () securityfocus com
Date: Mon, 1 Oct 2001 05:01:47 -0600

The EXE in question contains a copy of the BioNet trojan. Among other
things the trojan gives remote access to the intruders, installs a keystroke
logger, and emails the keystrokes to the account jester () cn-s net. If the
trojan is running under Windows 9x (it can also run under NT/2000) it
also emails the user's password.

Valentin Kolesnikov <valik () kaspersky com> from Kaspersky Labs has stated
the malicious code is Backdoor.Bionet.318.

In our case executing the EXE resulted in a strange error message. Something
like "30.10.2001 not a valid data". The EXE appears to fail to extract
any files. Yet if you change the EXE's extension to ZIP and drop it in
WinZip you can extract a number of files.

In any case, when you execute FIX_NIMDA.exe it will start two new processes
named win32cfg.exe and keyboards.exe. They drop a file named win32cfg.exe
(under Windows 2000, at least) at C:\WINNT\System32\win32cfg.exe.
It also drops C:\WINNT\System32\keyeye.ini, C:\WINNT\System32\keyboards.dll,
and C:\WINNT\System32\keyboards.exe.

C:\WINNT\System32\keyeye.ini is the keystroke logger configuration file.
The actual keystroke data are saved in C:\WINNT\keylog.txt.

The trojan creates open shares for all drives from C: to Z:.

The backdoor stores its configuration parameters in the registry under
HKCU\Software\Cyberium Technologies\BioNet 3. It does some more mucking
with the registry.

AV vendors have some information about a BioNet trojan but their
information differs substantially from the behaviour displayed, and the files
and keys accessed, by the backdoor in FIX_NIMDA.exe. This may document either
older or different versions of the backdoor:

http://www.symantec.com/avcenter/venc/data/backdoor.bionet.40a.html
http://www.symantec.com/avcenter/venc/data/backdoor.bionet.318.html
http://www.symantec.com/avcenter/venc/dyn/20648.html
http://vil.nai.com/vil/virusSummary.asp?virus_k=99008
http://www.nsclean.com/psc-bionet.html
http://www.sophos.com/virusinfo/analyses/trojbionet.html
http://www.europe.f-secure.com/v-descs/bionet.shtml

This may indicate that AV software cannot detect this variation of it.
Check your systems manually.

The many different versions of this trojan are listed at
http://www.megasecurity.org/trojans/bionet/Bionet_all.html

Some other analysis of BioNet (again it may be of versions different
from the one in the fake message and thus the information may not apply):

http://www.mischel.dhs.org/bionet312analysis.asp

To stop the keylogger and backdoor all you need to do is kill the
win32cfg.exe and keyboards.exe processes, but we haven't yet determined
how it ensures that it starts after the machine is rebooted.

It's also interesting to note that the comments in the keyeye.ini file
are in German, cn-s.net is also located in Germany, and the machine that
appears to have been the first to send out the fake messages,
217.228.174.48 [ pD9E4AE30.dip.t-dialin.net ], is also in Germany.

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
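The message above says to check systems manually because the AV write-ups did not match the sample. The following Python script is an added example (not part of the original post, and not code from SecurityFocus or any AV vendor) that turns the artifacts the message lists into a host check: the dropped files, the two process names, the registry key, and the "open share per drive" pattern. It works over a host inventory that is assumed to have been collected separately (a directory listing, tasklist, reg query and net share output, or a forensic image); the HostInventory layout and the two sample hosts are constructed for the example. Two assumptions are built in and labelled in the code: file paths are matched relative to the system root, because the message only confirms C:\WINNT for Windows 2000, and hidden administrative shares (C$, ADMIN$) are not treated as the open shares the message describes.

```python
"""Host check for the BioNet artifacts listed in the message above.

Added example, not code from the original post. The inventory format and the
sample hosts below are constructed; collection of the real data (dir, tasklist,
reg query, net share, or a mounted image) is assumed to happen elsewhere.
"""
import string
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Artifacts from the message. Paths are relative to the system root because the
# message only confirms C:\WINNT on Windows 2000; assumption: other installs
# (e.g. C:\WINDOWS on 9x) differ only in the root directory.
DROPPED_FILES = [
    r"System32\win32cfg.exe",
    r"System32\keyeye.ini",
    r"System32\keyboards.dll",
    r"System32\keyboards.exe",
    r"keylog.txt",
]
PROCESSES = {"win32cfg.exe", "keyboards.exe"}
REGISTRY_KEYS = {r"HKCU\Software\Cyberium Technologies\BioNet 3"}
DRIVE_LETTERS = set(string.ascii_uppercase[2:])  # C: through Z:


@dataclass
class HostInventory:
    system_root: str            # e.g. C:\WINNT or C:\WINDOWS
    files: List[str]            # absolute paths present on the host
    processes: List[str]        # image names of running processes
    registry_keys: List[str]    # full key paths present on the host
    shares: Dict[str, str]      # share name -> local path


def _norm(path: str) -> str:
    # Windows file systems are case-insensitive; compare normalized forms.
    return path.rstrip("\\").lower()


def scan_host(inv: HostInventory) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for every BioNet artifact present."""
    findings = []
    present = {_norm(p) for p in inv.files}
    for rel in DROPPED_FILES:
        full = _norm(inv.system_root + "\\" + rel)
        if full in present:
            findings.append(("file", full))
    running = {p.lower() for p in inv.processes}
    for proc in sorted(PROCESSES & running):
        findings.append(("process", proc))
    keys = {k.lower() for k in inv.registry_keys}
    for key in sorted(REGISTRY_KEYS):
        if key.lower() in keys:
            findings.append(("registry", key))
    for name, path in sorted(inv.shares.items()):
        # Assumption: $-suffixed shares are the hidden defaults (C$, ADMIN$),
        # not the open shares the message describes; a bare drive-letter share
        # name pointing at that drive's root is the pattern we flag.
        if name.endswith("$"):
            continue
        letter = name.upper()
        if letter in DRIVE_LETTERS and _norm(path) == letter.lower() + ":":
            findings.append(("share", f"{name} -> {path}"))
    return findings


# Constructed sample: a Windows 2000 host showing every artifact from the message.
INFECTED_W2K = HostInventory(
    system_root=r"C:\WINNT",
    files=[
        r"C:\WINNT\System32\win32cfg.exe",
        r"C:\WINNT\System32\keyeye.ini",
        r"C:\WINNT\System32\keyboards.dll",
        r"C:\WINNT\System32\keyboards.exe",
        r"C:\WINNT\keylog.txt",
        r"C:\WINNT\System32\notepad.exe",
    ],
    processes=["explorer.exe", "WIN32CFG.EXE", "keyboards.exe"],
    registry_keys=[r"HKCU\Software\Cyberium Technologies\BioNet 3",
                   r"HKCU\Software\Microsoft\Windows"],
    shares={"C$": "C:\\", "C": "C:\\", "D": "D:\\", "IPC$": ""},
)

# Constructed sample: a clean host with only the default hidden shares.
CLEAN_HOST = HostInventory(
    system_root=r"C:\WINDOWS",
    files=[r"C:\WINDOWS\System32\notepad.exe"],
    processes=["explorer.exe"],
    registry_keys=[r"HKCU\Software\Microsoft\Windows"],
    shares={"C$": "C:\\", "ADMIN$": r"C:\WINDOWS"},
)

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_W2K), ("clean", CLEAN_HOST)):
        print(label, scan_host(host) or "no BioNet artifacts found")
```

A hit on any one indicator is worth following up, but the share check is the one most likely to need judgement: the message describes open shares for every drive, so a single bare-letter share on a file server may be legitimate, while C through Z all appearing at once is not.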

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

