Re: strange windows behaviour.

["Fabio Panigatti" <ml-panigatti () minerprint it>]

> On September 25, 2003, I posted an article "Analysis of a Spam Trojan" 
> to the full-disclosure and focus-virus Listservs. It details one 
> particular spam trojan we found at the University of Minnesota. The 
> full-disclosure archive can be viewed at:
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html

I went through the same analysis a couple of weeks ago and I can confirm 
a lot of your findings about this trojan, formerly known as AFlooder.

The infection way was a VBScript script embedded in the html code of 
a spamvertized web page with mime type application/hta. The vbscript
exploits the Scripting.FileSystemObject vulnerability of IE to write
the file audio.exe in the local filesystem, and then runs it whith a
Shell.Run. Audio.exe creates two files, one exe and one dll, in the 
system folder, with casual names. The exe is then referenced in one
or more "autorun" keys of the registry. When the exe is fired up, it 
loads the dll in the execution space of explorer process and then it 
dies. The actual trojan is the dll, which is invisible in the task 
list because is running like an explorer.exe subprocess, eluding some 
personal firewall or a cursory analisys of the system. 

For the ones who are in trouble in removing the trojan, seems that the 
trojan can be uninstalled with "rundll32 path\to\the\trojan.dll,Uninstall",
but I suggest to eradicate it with plain old manual methods, swithcing to 
DOS mode and deleting the involved files and registry keys. Where a DOS 
mode isn't available, the [rename] section in wininit.ini may helps a lot.
In winnt/2k use InUse.exe, from the reskit, as administrator.


Fabio

---------------------------------------------------------------------------
----------------------------------------------------------------------------