Security Incidents mailing list archives
Re: strange windows behaviour.
From: J Mike Rollins <rollins () wfu edu>
Date: Fri, 10 Oct 2003 11:49:33 -0400 (EDT)
The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove the entries from the registry. However, the stream is still on the system. Something like "echo A > C:\path\to:trojan.dll" will clobber it.

A comment on how to un-install this is in the comments of the program, along with a bunch of other interesting text. I have posted the strings from the trojan on a web page: http://www.wfu.edu/~rollins/trojan.txt

However, I am not sure that I feel safe after un-installing it this way. If this is a backdoor program, who knows what else might have been done to the system.

On Fri, 10 Oct 2003, Fabio Panigatti wrote:
On September 25, 2003, I posted an article "Analysis of a Spam Trojan" to the full-disclosure and focus-virus Listservs. It details one particular spam trojan we found at the University of Minnesota. The full-disclosure archive can be viewed at: http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html

I went through the same analysis a couple of weeks ago and I can confirm a lot of your findings about this trojan, formerly known as AFlooder.

The infection vector was a VBScript script embedded in the HTML code of a spamvertized web page with MIME type application/hta. The VBScript exploits the Scripting.FileSystemObject vulnerability of IE to write the file audio.exe to the local filesystem, and then runs it with a Shell.Run. Audio.exe creates two files, one exe and one dll, in the system folder, with random names. The exe is then referenced in one or more "autorun" keys of the registry. When the exe is fired up, it loads the dll into the address space of the explorer process and then dies. The actual trojan is the dll, which is invisible in the task list because it is running as an explorer.exe subprocess, eluding some personal firewalls or a cursory analysis of the system.

For those who are having trouble removing the trojan, it seems that it can be uninstalled with "rundll32 path\to\the\trojan.dll,Uninstall", but I suggest eradicating it with plain old manual methods: switching to DOS mode and deleting the involved files and registry keys. Where DOS mode isn't available, the [rename] section in wininit.ini may help a lot. In WinNT/2k use InUse.exe, from the reskit, as administrator.

Fabio
Mike

Network Operations and Security, Wake Forest University

======================================================================
J. Mike Rollins                  rollins () wfu edu
Wake Forest University           http://www.wfu.edu/~rollins
Winston-Salem, NC                work: (336) 758-1938
======================================================================
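The two messages above describe three places to look on an infected box: the NTFS alternate data stream that survives the rundll32 uninstall, the "autorun" registry keys that reference the loader exe, and the DLL hiding inside explorer.exe. The following script is an added example written for this archive page, not code posted by either author; it assumes a modern PowerShell (3.0 or later) on an NTFS volume, and every path and stream name in it is a placeholder, not the real name the trojan used.

```powershell
# Added example (not from the thread). Enumerate the three artefacts the
# posts describe: named NTFS streams, autorun Run/RunOnce keys, and the
# modules loaded into explorer.exe. All names below are placeholders.

function Get-NamedStreams {
    param([string]$Path = "$env:SystemRoot\System32")
    # Directories are included because the post's stream lives on "C:\path\to",
    # a directory, not on a file. ':$DATA' is the normal unnamed stream.
    Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

function Get-AutorunEntries {
    # The "autorun" keys the post refers to. Other users' hives under HKU:
    # are not walked here; add them when triaging a multi-user machine.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; drop those.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Get-ExplorerModules {
    # The DLL does not appear in the task list because it runs inside
    # explorer.exe; the module list of that process is where it shows up.
    # Reading modules needs a shell of the same bitness as explorer.exe.
    Get-Process -Name explorer -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Select-Object ModuleName, FileName
}

function Remove-NamedStream {
    param(
        [Parameter(Mandatory)][string]$Path,    # file or directory carrying the stream
        [Parameter(Mandatory)][string]$Stream   # stream name, e.g. 'trojan.dll' (placeholder)
    )
    # The post's "echo A > C:\path\to:trojan.dll" only overwrites the stream's
    # contents; Remove-Item -Stream deletes the stream itself.
    Remove-Item -LiteralPath $Path -Stream $Stream -ErrorAction Stop
}

# Usage (placeholder names):
#   Get-NamedStreams -Path 'C:\path\to' | Format-Table -AutoSize
#   Get-AutorunEntries | Format-Table -AutoSize
#   Get-ExplorerModules | Where-Object { $_.FileName -like "$env:SystemRoot\System32\*" }
#   Remove-NamedStream -Path 'C:\path\to' -Stream 'trojan.dll'
```

Run it from an elevated prompt; the stream enumeration is slow over System32 and is best pointed at the directory the rundll32 uninstall left the stream on. As the first message notes, none of this answers what else a backdoor may have changed, so treat the listing as triage input rather than proof of a clean system.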
Current thread:
- strange windows behaviour. Peter Moody (Oct 07)
- Re: strange windows behaviour. John Sage (Oct 07)
- Re: strange windows behaviour. Jeff Kell (Oct 08)
- Re: strange windows behaviour. Magosányi Árpád (Oct 09)
- Re: strange windows behaviour. Brian Eckman (Oct 08)
- Re: strange windows behaviour. Fabio Panigatti (Oct 10)
- Re: strange windows behaviour. J Mike Rollins (Oct 10)
- Re: strange windows behaviour. Tomasz Papszun (Oct 10)
- Re: strange windows behaviour. Jeff Kell (Oct 08)
- Re: strange windows behaviour. John Sage (Oct 07)
- <Possible follow-ups>
- Re: strange windows behaviour. H Carvey (Oct 08)
- Re: strange windows behaviour. Peter Moody (Oct 08)
- Re: strange windows behaviour. Harlan Carvey (Oct 08)
- Re: strange windows behaviour. Peter Moody (Oct 08)
- Re: strange windows behaviour. Derek (Oct 08)
- RE: strange windows behaviour. Schmehl, Paul L (Oct 09)
- RE: strange windows behaviour. J Mike Rollins (Oct 09)
- Re: strange windows behaviour. Jeff Kell (Oct 09)
- Re: strange windows behaviour. J Mike Rollins (Oct 09)
- RE: strange windows behaviour. J Mike Rollins (Oct 09)