Security Incidents mailing list archives

Re: New Trojan

From: Harlan Carvey <keydet89 () yahoo com>
Date: Sat, 25 Oct 2003 10:42:41 -0700 (PDT)

Jay,

I don't know if this is a new trojan or anything,
but I have tried doing some research on the Internet
and couldn't find anything on it. Well it has two
registry entries in my Run, and RunOnce.  Here is
the name of both keys acbdhpd and the values are
pointing to a file1129 I can not seem to find
rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.


Given the colon, it looks like you might have a DLL
hidden in an alternate data stream.  Is your file
system NTFS?

I
tried killing my explorer.exe to see if that is
reason I can't find it because I am most likely
using a trojanized explorer.exe,


I'm curious about that statement, given that you
really don't have anything to base it on.

but I could only
find a copy in my temp, I delete through DOS and
delete the registry entries to no success, the
registry keys appear within 30 seconds and the file
pops right back up.


What file?  I thought you said you couldn't see
anything, so what file is popping right back up?

Anybody seen this or can give
me some help to get this out without reloading? It
has also opened up two TCP, 3799, and 41225 and two
UDP ports, 1129, 1241.  Thanks


How have you determined this?  What tool are  you
using to determine that this particular issue is
opening those ports, and they're not being opened by
some other process?

In a nutshell, it looks as if you've got something on
your system, but it's hidden in an alternate data
stream.  

I'm willing to help, you can get me as "carvdawg" on
AIM and "keydet89" on Yahoo Messenger.



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Current thread:

New Trojan Jay Castaldo (Oct 25)
- Re: New Trojan Harlan Carvey (Oct 25)
  - Re: New Trojan lsi (Oct 27)
    - RE: New Trojan Lucretia (Oct 28)
    - RE: New Trojan Harlan Carvey (Oct 27)
- RE: New Trojan Rob Shein (Oct 25)
  - RE: New Trojan Tiago Halm (Oct 26)
- Re: New Trojan Damian Gerow (Oct 27)
  - RE: New Trojan Rob Shein (Oct 28)
    - Re: New Trojan Damian Gerow (Oct 28)
  - Re: New Trojan Brian Eckman (Oct 28)
    - Re: New Trojan Damian Gerow (Oct 28)

(Thread continues...)