This came through the BugTraq list over the weekend:



      Subject: Another Windows Trojan...
         From: L S D <[EMAIL PROTECTED]>
           To: [EMAIL PROTECTED]


The source code to the Windows trojan called 'Acid Shiver' that covered
most of Efnet last year has been released.  The source code is all Visual
Basic 5.0 (SP3), and not much effort was put into organization.  It had
been distributed through 'WaReZ' DCC bots, and had over 7000 users within
2 months.  It was disguised as a million different applications: the
Setup.exe file in different programs was replaced by the trojan, which
would install itself into the registry on first use.  As soon as the
program is run, it registers its process as a 'Windows Service', thus
removing it from all task lists.  It waits until an active internet
connection is established (by attempting connections to an array of SMTP
servers), and then e-mails the creator with the random TCP port number it
listens on, the time, and a large amount of sensitive information
resident on the victim's hard drive.  The creator then connects via
telnet to the specified port and is given a prompt that looks like a DOS
shell.  Any command can be executed, with the results shot back across
the TCP connection; network topology can be shown (net * commands), files
may be downloaded, the deployer may "bounce" through the victim to
another host, and system settings/registry entries can be changed.  The
victim can use a netstat to see the listening port/connections.  It
loads automatically through the HKLM/M$/Windows/Current Version/Run
Services, Run, Run Once, and Run Services Once entries.  If it detects
another copy running it exits.  The file size for the exe changed
depending upon the exe-packer used, and any hex-editing done by the
deployer.  Among the IRC operators infected were _cls_ and saralee,
along with some other high profiles on Efnet (among the hacking/warez
community).

For a .zip of the source code, e-mail [EMAIL PROTECTED] with "Send AS
Source" as subject.

- elessdee


______________________________________________________________________
 David Nicol 816.235.1187 UMKC Network Operations [EMAIL PROTECTED]
    verse-chorus-verse-verse-chorus-verse-bridge-verse-chorus-out

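The forwarded post names two things a victim can actually observe: the
trojan's entries under the four HKLM ...\CurrentVersion\Run* keys, and a
random TCP port left LISTENING that shows up in netstat even though the
process has hidden itself from the task list.  Below is an added triage
script that is not part of the post, the trojan, or any tool it mentions;
it parses constructed text in the shape of a `reg export` dump and a
`netstat -ano` listing (both samples made up for the example, including
the image name svchst32.exe, the PIDs and the addresses), flags listeners
outside a hypothetical per-host baseline, lists the remote peers talking
to them, and reports any image path registered under more than one Run*
key.

```python
"""Offline triage for the observables described in the Acid Shiver post.

Added example, not code from the post.  Inputs are constructed samples:
a .reg-style export of the autorun keys and a `netstat -ano`-style dump.
The image name, PIDs and addresses below are hypothetical.
"""
import re
from collections import defaultdict

# The four autostart keys the post names (HKLM\...\CurrentVersion\Run*).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)
RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}

# Ports this particular host is expected to listen on.  A hypothetical
# baseline for the sample, not a general allow-list: build it per machine.
EXPECTED_LISTEN_PORTS = {135, 139, 445}

# Constructed sample in `reg export` text format.  The Uninstall key is
# included only to show that non-Run* keys are ignored.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winupdate"="C:\\WINDOWS\\SYSTEM\\svchst32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winupdate"="C:\\WINDOWS\\SYSTEM\\svchst32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="Some Application"
"""

# Constructed sample in `netstat -ano` format (PID column as on NT-based
# Windows; the post's Win9x netstat has no -o, so correlate by port there).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:23441          0.0.0.0:0              LISTENING       1337
  TCP    192.168.1.10:23441     203.0.113.5:51002      ESTABLISHED     1337
  TCP    192.168.1.10:1044      198.51.100.20:6667     ESTABLISHED     812
"""


def parse_reg_autoruns(reg_text):
    """Return [(key, value_name, data)] for every value under a Run* key."""
    found, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            continue
        if current is None or current.lower() not in RUN_KEYS_LC:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # .reg files double every backslash in string data; undo that.
            found.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return found


def parse_netstat(netstat_text):
    """Parse TCP rows of a netstat -an / -ano dump into dicts."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue                      # headers, blanks, UDP
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        pid = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else None
        rows.append({"lhost": lhost, "lport": int(lport), "rhost": rhost,
                     "rport": int(rport) if rport.isdigit() else None,
                     "state": parts[3], "pid": pid})
    return rows


def find_unexpected_listeners(rows, expected_ports=EXPECTED_LISTEN_PORTS):
    """LISTENING sockets on ports outside the host's baseline."""
    return [r for r in rows
            if r["state"] == "LISTENING" and r["lport"] not in expected_ports]


def peers_of(rows, listener):
    """ESTABLISHED sessions on a flagged port (the deployer's telnet)."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] == listener["lport"]]


def duplicated_autoruns(autoruns):
    """Image paths registered under more than one Run* key.  The post says
    the trojan adds itself to all four, so repeats across keys stand out."""
    by_path = defaultdict(set)
    for key, _name, data in autoruns:
        by_path[data.lower()].add(key.rsplit("\\", 1)[-1])
    return {p: sorted(keys) for p, keys in by_path.items() if len(keys) > 1}


def triage(reg_text, netstat_text, expected_ports=EXPECTED_LISTEN_PORTS):
    """Combine both views into one findings dict."""
    autoruns = parse_reg_autoruns(reg_text)
    rows = parse_netstat(netstat_text)
    suspects = []
    for lst in find_unexpected_listeners(rows, expected_ports):
        peers = sorted(f"{p['rhost']}:{p['rport']}" for p in peers_of(rows, lst))
        suspects.append({"port": lst["lport"], "pid": lst["pid"], "remote_peers": peers})
    return {"autoruns": autoruns,
            "duplicated_autoruns": duplicated_autoruns(autoruns),
            "suspect_listeners": suspects}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(k, v)
```

On a live host you would feed it `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (once per key) and `netstat -ano > ns.txt` instead of the embedded samples; the baseline set is the part that has to be tuned per machine, since any port not in it is reported.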