A trojan that deletes spyware? - More botnet fun - World record attempt

Published: 2004-10-05. Last Updated: 2004-10-06 13:33:39 UTC
by Chris Carboni (Version: 1)
0 comment(s)
Anti Spyware Trojan?

As reported by ISC Handler Pat Nolan, a new trojan has been released into the wild that seems to terminate processes and delete files and registry keys known to be associated with adware products. More details are available at http://securityresponse.symantec.com/avcenter/venc/data/downloader.lunii.html



Botnets

We've received reports of a few new botnet infestations of the same critter Deb Hale reported in http://isc.sans.org/diary.php?date=2004-09-25 . Botnets are a perfect example of why you need to know what's normal on your network and what's not. Great job Dan and Mr. Anonymous Senior Analyst. ;)

Speaking of botnets ...

The ISC was alerted to a .jpg image file (thanks Mark!) that had an MS04-028 overflow which caused the machine to download and run an executable, jpeg.exe

jpeg.exe silently installs a service on the PC as well as a registry key to autorun at reboot, then goes out to an IRC site, notifies of the compromise and waits for commands.

Actions have been taken to have the offending site blocked.

AV scan results of jpeg.exe are as follows (from http://www.virustotal.com ):

Antivirus Version Update Result

BitDefender 7.0 10.05.2004 Backdoor.Hackarmy.1.Gen

ClamWin devel-20040922 10.05.2004 -

eTrust-Iris 7.1.194.0 10.04.2004 Backdoor/AZV.Variant

F-Prot 3.15a 10.05.2004 W32/Hackarmy.AJ@bd

Kaspersky 4.0.2.24 10.05.2004 Backdoor.Hackarmy.gen

McAfee 4396 09.29.2004 BackDoor-AZV.gen

NOD32v2 1.884 10.04.2004 probably unknown NewHeur_PE

Norman 5.70.10 09.30.2004 W32/Backdoor

Panda 7.02.00 10.04.2004 Bck/HackArmy.T

Sybari 7.5.1314 10.05.2004 Backdoor.Hackarmy.gen

Symantec 8.0 10.04.2004 -

TrendMicro 7.000 10.04.2004 -


Bellhops and luggage carts and sheets, oh my!

While SANS NS Las Vegas 2004 will remain firmly engraved in many people's memory, it hopefully won't be remembered for the record attempt mentioned previously, that eventually failed. We're happy to report that there were no serious injuries and that all handlers have (apparently) survived unharmed. It should be noted however that the handler attempting the record has not been heard from since just after the attempt when he was seen with several statuesque showgirls. Good luck Tom, wherever you are. ;)

Chris Carboni

Handler on Duty

Keywords:
0 comment(s)

Comments


Diary Archives