This is actually a rootkit that is as serious as I had feared. I am gathering up more information. If you have the files in the directories specified, you have a problem.
The file is http://www.appiant.net/infected.zip, password is infected. If you are infected with the rootkit, it does not alarm on any of the files...

Joel

----- Original Message -----
From: "Joel R. Helgeson" <[EMAIL PROTECTED]>
To: <full-disclosure@lists.grok.org.uk>
Sent: Wednesday, September 20, 2006 3:30 PM
Subject: [Full-disclosure] New virus - possible rootkit

> Virus Alert - Possible Rootkit
> --
>
> The files ARE NOT detected by ANY current AV Scanning signature engine.
>
> I do not have the time to write a report on the entire analysis but I wanted
> to get the data out to everyone ASAP so that you can detect this running on
> your computers. I'm finding that this is pretty widespread here on my
> customers' network.
>
> This appears to be an IRC bot that encrypts its traffic to fly beneath the
> radar. What makes it more interesting is that the directories it creates
> have SYSTEM ownership and only system and creator/owner can access the
> files. Changing permissions on the files or directories will only be changed
> back. It also appears that if you remove the file, it will start revoking
> permissions on all files and will remove everyone's but SYSTEM's permission
> to all files.
>
> This is very, very early prelim info. and I am trying to both quarantine
> the damage, investigate the infection on top of trying to get the word out.
> (I know what the cygwin files are, but they came with the infection so I
> include them here.)
>
> I've uploaded the .zip file with all the programs in their respective
> directories recursed to my web site, I'll have it up there by 21 Sep, 2006.
> http://www.appiant.net
>
> The files and locations:
> c:\windows\system32\cygcrypt-0.dll (linux crypto)
> c:\windows\system32\cygwin1.dll (linux command)
> c:\windows\system32\dntus26.exe (used for remote admin)
> c:\windows\system32\javadebug.dll (actually a text file)
> c:\windows\system32\rundl32.exe (ircbot interface)
> c:\windows\system32\zonedown.bat (batch file that launches rundl32.exe with
> the text from javadebug.dll; I don't know what else it does yet)
> c:\windows\system32\scardsvrs.exe (the device that appears to launch the
> zonedown.bat file... still working)
> c:\windows\system32\wbem\svchost.exe (Serv-u ftp service - modified -)
> c:\windows\system32\wbem\wbem.exe (working on what this one does)...
>
> It also placed files in a hidden directory with only system privileges:
> c:\windows\system32\DirectX\Dinput\Others\
>
> The file placed in there was a snippet of a movie, divx encoded... the
> filename was Min2 (no extension).
>
> Below is what the AVERT labs reported when I submitted the file.
>
> Joel Helgeson
> Appiant, Inc.
> 952-858-9111
>
> -------------------------------
>
> AVERT Labs - Beaverton
> Current Scan Engine Version: 4.4.00
> Current DAT Version: 4855
> Thank you for your submission.
>
> Analysis ID: 2533501
>
> Name            Findings             Detection      Type         Extra
> cygcrypt-0.dll  no malware                                       n
> cygwin1.dll     no malware                                       n
> dntus26.exe     heuristic detection  remadm-dwrc    Application  n
> javadebug.dll   inconclusive                                     no
> rundl32.exe     current detection    iroffer        Application  no
> scardsvrs.exe   heuristic detection  srvany         Application  no
> svchost.exe     current detection    servu-daemon   Application  no
> wbem.exe        heuristic detection  srvany         Application  no
> zonedown.bat    inconclusive                                     no
>
> current detection [ rundl32.exe svchost.exe ]
> Our analysis detected a potentially unwanted program file or joke program
> with our current DAT files and engine. It is recommended that you update
> your DAT and engine files and scan your computer again. You may not want
> this program installed. If you do not want it installed, we recommend that
> you use the Add/Remove Program in the Windows Control Panel to completely
> uninstall the detected program. You can also contact the Virus Information
> Library for information about manually uninstalling potentially unwanted
> programs. If you are not seeing this with the product you are using, please
> speak with technical support so that they can help you determine the cause
> of this discrepancy.
> If you use the McAfee VirusScan Online or VirusScan Retail products, and do
> not have the Dat File Version specified, please visit
> http://www.webimmune.net/extra/getextra.aspx and use the detection name
> supplied in this message to receive an extra.dat file for detection.
>
> inconclusive [ javadebug.dll zonedown.bat ]
> Upon analysis the file submitted does not appear to contain one of the
> 100,000 known threats in the AutoImmune database. The file may contain a new
> malware threat, or no code capable of being infected. Your submission is
> being forwarded to an AVERT Researcher for further analysis. You will be
> contacted by AVERT through e-mail with the results of that analysis.
>
> heuristic detection [ dntus26.exe scardsvrs.exe wbem.exe ]
> The file received may contain a potentially unwanted program file or joke
> program. This potential threat was identified with our most powerful set of
> heuristic DAT drivers. Heuristic drivers can make false-positive
> identifications, as such, this issue is being escalated to AVERT for a
> thorough review. In the meantime, it is recommended that you update your DAT
> and engine files and scan your computer again. You will be contacted through
> e-mail with the results of our analysis. Warning: McAfee products do not
> clean potentially unwanted program files or joke programs. The attached will
> only detect the potentially unwanted program. If you do not want it
> installed, we recommend that you use the Add/Remove Program in the Windows
> Control Panel to completely uninstall the detected program. You can also
> contact the Virus Information Library for information about manually
> uninstalling potentially unwanted programs.
>
> no malware [ cygcrypt-0.dll cygwin1.dll ]
> AVERT has found no indications of malicious code. Upon examining the file,
> we observed no malicious behavior. If you still believe the files you sent
> contain a virus or trojan, please provide more information on why you feel
> these are suspect files.
>
>
> Regards,
>
>
>
> McAfee AVERT tm
> A division of McAfee, Inc
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
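A read-only check for the indicators listed in the message above, as an added example that is not part of the original post. It assumes the file paths exactly as the post gives them and standard PowerShell cmdlets (Test-Path, Get-Acl, Get-CimInstance); it only reports and deletes nothing, because the post says removing the files triggers the bot to revoke permissions on other files.

```powershell
# Added example: report the indicators from the post, read-only.
$sys32 = Join-Path $env:SystemRoot 'system32'
$indicators = @(
    'cygcrypt-0.dll', 'cygwin1.dll', 'dntus26.exe', 'javadebug.dll',
    'rundl32.exe', 'zonedown.bat', 'scardsvrs.exe',
    'wbem\svchost.exe', 'wbem\wbem.exe'   # real svchost.exe lives in system32, not wbem
) | ForEach-Object { Join-Path $sys32 $_ }
$hiddenDir = Join-Path $sys32 'DirectX\Dinput\Others'

$hits = @()
foreach ($p in $indicators) {
    if (Test-Path -LiteralPath $p) { $hits += $p }
}

# A directory owned by SYSTEM whose ACL grants access only to SYSTEM and
# CREATOR OWNER matches the lockdown the post describes.
function Test-SystemOnlyAcl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    $ids = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    $allowed = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    $foreign = @($ids | Where-Object { $allowed -notcontains $_ })
    return ($acl.Owner -eq 'NT AUTHORITY\SYSTEM') -and ($foreign.Count -eq 0)
}

if (Test-SystemOnlyAcl $hiddenDir) { $hits += "$hiddenDir (SYSTEM-only ACL)" }

# Services whose binary path points at any listed file; McAfee flagged
# scardsvrs.exe and wbem.exe as srvany-style service wrappers.
$names = $indicators | ForEach-Object { [IO.Path]::GetFileName($_) }
Get-CimInstance Win32_Service | ForEach-Object {
    foreach ($n in $names) {
        if ($_.PathName -and $_.PathName -like "*$n*") {
            $hits += "service $($_.Name): $($_.PathName)"
        }
    }
}

if ($hits.Count -eq 0) { 'No indicators from the post found.' }
else { 'Indicators found (do not delete; see the post):'; $hits }
```

Run it from an elevated prompt so Get-Acl can read the SYSTEM-only directory; an access-denied error on that path is itself consistent with the lockdown the post describes.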