Re: New Trojan

[Damian Gerow <damian () sentex net>]

Thus spake Jay Castaldo (fupayme2003 () hotmail com) [25/10/03 13:28]:
> I don't know if this is a new trojan or anything, but I have tried doing
> some research on the Internet and couldn't find anything on it. Well it
> has two registry entries in my Run, and RunOnce.  Here is the name of
> both keys acbdhpd and the values are pointing to a file1129 I can not
> seem to find rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.  I tried
> killing my explorer.exe to see if that is reason I can't find it because
> I am most likely using a trojanized explorer.exe, but I could only find
> a copy in my temp, I delete through DOS and delete the registry entries
> to no success, the registry keys appear within 30 seconds and the file
> pops right back up.  Anybody seen this or can give me some help to get
> this out without reloading? It has also opened up two TCP, 3799, and
> 41225 and two UDP ports, 1129, 1241.  Thanks

I, as well as a handful of other people, have been chasing this down for
some time.  Here's a brief rundown...

The trojan is apparently similar to Coreflood (and may even share some
code), but is not.

On startup, the Trojan is started via registry entries.  Since it is a DLL,
it needs rundll32.exe to start.  When it starts, it hooks itself into (I
think) *every* running process on the system, so you can't actually kill it
without shutting down the system.

It checks the registry keys periodically (configurable, I believe), and if
they are missing, it adds them back in again.

When the trojan starts, it starts up two proxies -- one HTTP, and one
SOCKS5.  I haven't looked at the UDP ports yet, but that's interesting.
Watching packet dumps of an infected machine didn't even show these UDP
ports being used.

Once the proxies are started, it connects to a remote machine (name
withheld) and tells it where it is, and what ports the proxies are running
on.  This machine then seemingly disseminates this information to a rather
large network of 'clients', that proceed to spam through the infected
machine.

AFAIK, there is *no* method of removal for this trojan, due to its way of
infection.  Some have speculated that there is an option for removal within
the trojan, but I have no confirmation of this -- try running strings on the
DLL, and see if you can find anything in there (i.e. grep for 'remov',
'instal').

We have a number of infected customers; as of right now, I am making them
reformat and reinstall when we find one that's infected.

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------