
Trojan Alert !


sf
Jun 10, 2003, 9:10:02 AM
Trojan alert..... who cares? I do, because this has been released under
my name and is joined to an executable that I wrote.
I just need to declare somewhere that this is not my mojo; this list is
as good as any to do that. And you can have a laugh too.

Details:
Released on edonkey network as an upload crack. (It does contain and run
the working patch I released)

Name :
eDonkey_v.48.1_CRACK_UPLOAD_ADBANNER_(original_stonefisk_release) this
patch is packing by StoneFisk.rar

hash:
7b517398b5c358dde4cc9c9d57f42950

size:
1.15Mb

Binder used :
"GP-EXEJOINER By GigantPro".
GigantPro's shit (err I mean work) can be found here
http://de.geocities.com/GPWare/Zite.htm
All coded in l337 visual basic !
This binder can join only 2 files; in this case these two files are:
1) my patch release @ a size of only 16896 bytes (coded it in win32 asm
as always).
2) A mystery file weighing in @ a whopping 1219583 bytes.

The mystery file (TROJAN) has been compressed/packed with UPX version
1.20.
Unpacked, the mystery file weighs in at 1544192 bytes (note low
compression ratio).
The mystery file carries its own icon (CD symbol), which is one of the 5
icons on offer in the GP-EXEJOINER tool.

The trojan will unbind and copy itself to the Windows system32 folder
under the name "cdrunxp.exe".
Initially the trojan will set the following keys:

\HKEY_CLASSES_ROOT\exefile\shell\open\command
and
\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
with the default key value of :
C:\WINDOWS\system32\cdrunxp.exe "%1" %*

From then on, every time Windows file explorer is run, so is
cdrunxp.exe.
cdrunxp.exe queries a bunch of reg keys including the calendar and VB
"cdate" key, which holds the current date.

This trojan has a date-activated payload.
I have only given the payload a brief examination and am not fully aware
of its function. It appears to consist of:
Changing various reg keys that will affect iexplorer.
Activating an exe called gayslide.exe (or iexplorer.gayslide.exe), which
is likely a gay slide show that displays 7 images that are packed along
with the trojan.
This exe may then be registered as a process.
A gay.mpg movie appears to be present also, or at least referenced.
Internet Explorer's start page is set to "http://www.findgaypix.com".
"GAY SEX IS GREAT" is set as the title.
Desktop wallpaper is changed.
A file called xtra.bmp is displayed on start up via a registry key set
in /currentversion/run.

..like what the hell is the point of this shit ?

Trojan was coded by a German using Visual Basic. He seems to be named
"Stephan".

Up-to-date Norton antivirus detects no part of this shit whatsoever,
not even GigantPro's crappy joiner.

Anyway...the trojan is not mine. I did not release it.
My last official edonkey patch details :
name :
eDonkey_v.48.1_CRACK_UPLOAD_ADBANNER_(original_stonefisk_release).rar
hash: 22e3715a4a47d7bac6f6f94b80a45b29
size : 6kb

Stonefisk <><


punkle
Jun 10, 2003, 11:59:45 AM
sf, too bad you can't kick 'stephan' in the balls

my personal policy when grabbing filez is, if I can't find a consistent file
size between 2 or more of the "same" file, it doesn't get downloaded.
'course, the wife doesn't understand this...


"sf" <rhs...@sthsdthsdt.net> wrote in message
news:200306101310...@mail.zedz.net...

sf
Jun 10, 2003, 1:13:26 PM
Aye, Stephan the hero.

Found another release of 3.8mb which also carries my patch; it is also
probably the work of Stephan, but I haven't bothered to investigate. It
uses the same lame exe joiner and icon anyway. Nearly 100 people had it
shared when I downloaded it; edonkey rated it as a 3. Why are these
people sharing this so fast? It's only a day or two old and my patch was
released weeks ago. I guess it is linked on a forum somewhere.

I set up an XP virtual machine earlier and tested the trojan payload.
The payload was time delayed; I set the date 1 day ahead of initial
infection and voila, it triggered.
It was just like I suspected in theory... a full screen slide show
displaying many hardcore gay porn images (more than the 7 that I guessed
at), followed by Internet Explorer opening on a gay porn URL. Another
gay porn URL was set as the IE start page.
Media player opened a local movie (gay.mpg) and played it.... hardcore
gay porn.
The desktop wallpaper was changed to an image depicting.... you
guessed it... gay porn.
This payload re-ran every time explorer was accessed.

Got bored after that and reset the virtual machine. If there are any
other effects of the payload then I missed them. I had IRIS sniffing and
I didn't notice any other traffic than the IE sessions mentioned. Don't
believe there is a backdoor. But who knows..who cares. Spent too much
time on it already.

Sent the files concerned to Symantec Security Response so hopefully they
will add at least that exe joiner to virus detection.

sf<><


"punkle" <ppu...@cox.net> wrote in message
news:RfnFa.256899$3n5.1...@news2.central.cox.net...


sf
Jun 22, 2003, 11:36:09 AM
Thx, but it's not really a matter of noticing that it was trojanised. I
regularly search the network looking for releases that bear my nick
but sure as hell have nothing to do with me.

However there is more to this story which I haven't got around to
updating until now.

After finding the first Trojan, I wrote a full description which
detailed every aspect of the Trojan, its installation method and
payload. Sent that info and all files concerned off to Symantec
response engineers (Norton). Sure enough, 48 hours later they sent back
their brain dead response that so 'n' so was a Trojan and they have
added it to the beta virus definitions, blah blah. Okay, fair enough. Was
a tad peeved that they hadn't added the exe binder stub.

So I thought I would do a little more testing with the 3.8mb Trojan
payload. The author hadn't tested his crap and a stupid typo in his
registry entry made sure the payload never ever triggered...... the
world is safe. Regardless of whether or not the payload activates,
it is still a Trojan; it changes the registry and the payload gets
placed into the system folder. I did only a minimal write-up on this
Trojan and sent my notes and the files concerned to Symantec, thinking
they had two brain cells to work things out. I was wrong: 48 hours
later, they informed me that all files I had sent were clean!
*OUTSTANDING INCOMPETENCE*

But as if that wasn't enough they now have declared my original v48
edonkey patch executable as a "Trojan deployer" in the latest Norton
definitions. This is the original exe I'm talking about.... Norton
nukes it soon as I compile it from the source! there is no nasty code
in my source...cheeky buggers. *RANK INCOMPETENCE AGAIN*

Anyway....

Sweeper... source code lost in a HD failure AFAIK :-( The binary is
like rocking horse poop. I never had a copy, so sorry.
Though you could look at the API calls of an exe/dll with one of the
tools on offer in the MSVS 32-bit tools.

<><SF

"Jolly" <YetSome...@hotmail.com> wrote in message
news:5da2acba.03062...@posting.google.com...
> Nice job noticing the trojanized copy... though out of curiosity, what
> do most of you guys use to actually analyze a copy of an unknown
> program.... and for that matter, if anyone still has a copy of Sweeper,
> I'd appreciate if they'd send it to me. I tend to use a combination of
> trojan trap and basic antivirus + knowledge about avenues of infection
> for protection on my computer, then vmware to help analyze unknown
> programs.
>
> Jolly


>
> "sf" <rhs...@sthsdthsdt.net> wrote in message
> news:<200306101713...@mail.zedz.net>...

2learn
Jun 26, 2003, 9:21:46 PM
Greetings Stonefisk,

I've also found another virus everyone should be made aware of,
labeled for the newly released V49.4. Someone used that damn gay sh*t
crap trojan and added it to your v48.1 fix and labeled it for the new
49.4, shown below:

Name:
eDonkey 0.49.4 UPLOAD CRACK - Anti Adbanner - noratio hack - unlimited
Speed - orginal StoneFisk relase .zip

hash: 623fecdc6b1ac355cd7060d7f4bf1307 (Size: 1.02Mb)


Stonefisk, is it possible to post the actual original hash value for
when the real new release of the V49.4 fix becomes available from you?
This is so that we get it from a reliable source, and also will know
which is the correct one or the wrong one for the new released version
49.4...

PS: -Do you have an official website for your releases? Some other
safe place to D/L?


Thanks, keep up the great work..


Learner


"sf" <rhs...@sthsdthsdt.net> wrote in message news:<200306101310...@mail.zedz.net>...

sf
Jun 27, 2003, 5:58:34 AM
Thx, yeah, this is one of 3 that I have seen for 49.4 released under my
name.
Stephan the |337 and his amazing VB skills.
Considering countermeasures.
Yes, if I make a loader for 49.4 public I will post the hash here.
I'm distracted by other things right now.

sf<><

"2learn" <learn...@hotmail.com> wrote in message
news:a5d48cfa.03062...@posting.google.com...

MM
Jul 4, 2003, 6:24:35 PM
Hi SF,

You're my hero ;-)

I have been using your hack with much enthusiasm for quite some time
now. I got bit in the ass hard by that friggin trojan and it was
mostly Symantec's fault. Norton AV suddenly started showing your
sf-edonk file as containing a trojan dropper around about June 21. I
was not sure what was happening at the time but of course this thread
has made it all crystal clear.

Anyways, to make a long and boring story shorter, I ended up
downloading the REAL infected file(which Norton did not and still does
not detect as infected :-((() after Norton detected and quarantined
the real McCoy. The trojanized version then proceeded to put that gay
shit on my computer. I had a hell of a time figuring out what it was
doing for a few days until I saw this post and deleted that
cdrunxp.exe file.

Problem solved but what a friggin waste of time and energy. Again,
mostly because of Symantec and not because of any of the relatively
harmless shit the trojan did. Norton AV has saved my ass in the past
but this time it burned me bad. I have been unhappy with this
software for sometime now and this was the last straw. Looks like I'm
changing to Sophos!

Any plans to release a version of sf-edonk for v0.49.4 anytime soon?
I'll definitely be watching for it but until then I'll be sticking to
V0.48.1 with sf-edonk and without Norton AV!

FUCK SYMANTEC! FUCK THEM IN EVERY ORIFICE!

MM

"sf" <rhs...@sthsdthsdt.net> wrote in message news:<200306101713...@mail.zedz.net>...

UncleVan
Jul 27, 2003, 5:57:11 PM
For whoever cares about it...

I recently got stalked with that "cdrunxp" shit. Due to the strange
side effects and lack of info thereto, I decided to post this here. I
was also missing tips for how to clean up, and this post will maybe
help some poor guy's machine to survive it.

I frankly admit, I didn't notice when I got infected. The VB scrap put
that record (s.b.) in the registry and diligently used to kick on
with every program started.

But soon afterwards "cdrunxp.exe" got deleted (reload of latest backup,
or for some other reason, I don't know why). Now Windows tried to start
every program through the MISSING "cdrunxp.exe", which effectively
blocks the whole system! Fairly though, it exposed the trojan by
popping up a message that it can't find the above program "... needed to
open files from type application/x-msdownload".

So I had to restore the backup again, and everything seemed to be OK.

In my spare time I compile docs in .CHM format. Once I wanted
to look at the HTML source of a compiled page and got the whole
thing again!

Further backup sessions and a closer look revealed the poorly designed
intrusion scheme of this shit.

After unbinding itself (when one starts the carrier host) it takes
three steps:

1. It copies cdrunxp.exe and the other smut appropriately

2. Modifies the registry key:
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

to

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\cdrunxp.exe \"%1\" %*"

...and (this is important!)
3. Replaces
C:\WINDOWS\NOTEPAD.EXE and
C:\WINDOWS\SYSTEM32\NOTEPAD32.EXE (for NT users ;-)

with some other proggi but the same names.

So even if you delete "cdrunxp.exe" and recover the registry, the next
time you want to look at something with NOTEPAD.exe, you actually
start the trojan again.

Strangely though, the patched NOTEPADs only modify the registry and
don't restore the other smut; maybe a prog error.

Now how to get rid of it?

It's frankly simple:

Make a *.REG file with following content:
******************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

******************************************************************

and name it e.g. "myfile.reg"

Since you won't be able to start the registry editor (e.g. by
double-clicking the .REG file), as any other program too, you'll have
to fall back to raw DOS mode (panic!). Don't be afraid, type only the
following at the command prompt:

**********************
regedit myfile.reg
**********************

Now restart Windows. Once in the GUI, find & destroy "cdrunxp.exe",
NOTEPAD.EXE & NOTEPAD32.EXE and restore the original NOTEPAD.EXE or
NOTEPAD32.EXE, the latter only on NT systems. You can use for instance
the SFC.exe -> "Extract one file from installation disk" option.

I'm not especially fond of disassembling VB stuff, so that was it for
me. If you remember the above three points you are quite soon out of
trouble. Nevertheless it's a lousy attack and I would like to kick that
silly German D-sucker in the perfidious ass.

That's it for now -

Your UncleVan


In the post script I just bring up few friendly words for our
hopefully-german-speaking-backloading-fag-of-a-cracker, just in case
he is searching the web for his "creation"

P.S.:

cdrunxp cdrunxp cdrunxp cdrunxp cdrunxp cdrunxp cdrunxp cdrunxp
cdrunxp
***********************************************************************
stephan stephan stephan stephan stephan stephan stephan stephan
stephan

Was hast du dir dabei gedacht, du gemeine, arsch-verfickte,
mund-fotzige Tunten-Sau, unsere kostbare Zeit mit deinen mikrigen
Schwulitäten zu verplempern ?
Schwuchtel wie du gehören umgehend vergast, auch in Deutschland!
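The registry hijack that the first post in this thread describes, and that the three clean-up steps above undo, as an added example (not code from any poster): it parses a REGEDIT4-style export such as the one UncleVan's fix uses, flags an exefile handler whose default value is anything other than "%1" %*, reports whether the interposed program is still present (the missing-cdrunxp.exe case above, where nothing launches) and emits the repair .reg text. The two key paths are the ones quoted in the thread; the sample export, the function names and the present-file set are this example's own.

```python
"""Detect and undo the exefile shell-handler hijack described in this thread.

Added example, not code from any poster. It works on a REGEDIT4-style text
export, so it runs offline; on a live machine you would first export the
key with `regedit /e`. The two key paths are the ones the first post lists;
everything else (sample data, function names) is this example's own.
"""
import re

# Both paths name the same handler (HKCR is a merged view of HKLM\SOFTWARE\Classes).
HANDLER_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
DEFAULT_HANDLER = '"%1" %*'  # default value of a clean exefile handler

def _unescape(s):
    # undo the \" and \\ escapes used inside quoted .reg strings
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; '' is the (Default) value.

    Only the string-value syntax used in the thread is handled.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = _unescape(val[1:-1])
            keys[current][name] = val
    return keys

def check_exefile_handler(keys):
    """Return [(key_as_written, command)] for every hijacked exefile handler."""
    wanted = {k.lower() for k in HANDLER_KEYS}  # registry paths are case-insensitive
    return [(key, vals.get("", ""))
            for key, vals in keys.items()
            if key.lower() in wanted and vals.get("", "") != DEFAULT_HANDLER]

def interposer_path(cmd):
    """The program wedged in front of "%1" %*, or None if the handler is sane."""
    head = cmd.split('"%1"', 1)[0].strip()
    return head or None

def triage(keys, present_files):
    """One finding per hijacked handler. present_files is a set of lower-cased
    paths that exist on the machine, passed in so this runs on an offline export."""
    out = []
    for key, cmd in check_exefile_handler(keys):
        exe = interposer_path(cmd)
        if exe and exe.lower() not in present_files:
            out.append(f"{key}: handler points at missing {exe}; "
                       f"no .exe launches until the default is restored")
        else:
            out.append(f"{key}: every .exe launch runs {exe} first")
    return out

def repair_reg(keys_to_fix):
    """Text of a REGEDIT4 file that resets each listed handler, like UncleVan's."""
    lines = ["REGEDIT4", ""]
    for key in keys_to_fix:
        lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)

# Constructed sample export: the hijacked handler next to an untouched key.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\cdrunxp.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    for line in triage(keys, present_files=set()):
        print(line)
    print(repair_reg([key for key, _ in check_exefile_handler(keys)]))
```

The repair text is the same REGEDIT4 fragment as in the post, and it is applied the same way: `regedit myfile.reg` from a command prompt, which still works with a broken handler because the prompt starts regedit.exe directly rather than through the exefile association.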

UncleVan
Jul 29, 2003, 4:05:08 AM
Hmmmm

Sorry,
I didn't actually want to open a new thread.

UncleVan
Jul 29, 2003, 4:59:25 PM

TheSaint
Aug 1, 2003, 4:05:08 AM
Thanks to all of you for finding a solution to this trojan, and most of
all to UncleVan, who provided simple steps for this. I had to help a
friend that caught this trojan by email apparently and it was a great
help. I will just add the following information:

Apparently, even when the trojan is active, it's still possible to
access the internet (my friend was able to); in this case, it is possible
to receive mail from any web mail account. So, it is quite easy to ask
someone to create the text file for the registry following UncleVan's
instructions, and to send it to any web mail account. Then, just
opening it and asking the internet browser to execute it instead of
only saving it did work. This is much easier to do for people that
are not so good with computers (like my friend is, so he doesn't need to
go into DOS mode or whatever...).

Thank you guys!!!! This trojan has been eradicated!!!
God save us!
TheSaint

==============================================================================
uncl...@hotmail.com (UncleVan) wrote in message news:<46c4d437.03072...@posting.google.com>...

EagleF
Aug 6, 2003, 12:40:48 PM
It seems that I got the same trojan. But it did more modifications to
my system.

The trojan modified the notepads as you said, but also
windows\system32\restore\rstrui.exe;
that file looks like the cdrunxp.exe: over 1Mb in size (the original
should be around 360kb) and it has an icon representing a CD.
You have to restore the original file to fully get rid of this trojan.

The trojan also removes the desktop tab of the display properties so you
can't change back the wallpaper; you can fix this by deleting this key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage

It changes the Internet Explorer title bar; you can fix this here:
HKCU\Software\Microsoft\Internet Explorer\Main\Window Title


Good luck


The_Real_...@yahoo.fr (TheSaint) wrote in message news:<d1e8497a.03080...@posting.google.com>...
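The swapped-in binaries that the last two posts describe (notepad, rstrui.exe, and the dropped cdrunxp.exe, all bloated to over 1 MB) are what a baseline comparison catches, so here is one as an added example that is not any poster's code: a clean-install inventory of path, size and SHA-256 (for instance computed over the files SFC extracts) is compared with the inventory of the suspect machine, and replaced, missing and newly added files are reported with the size change. All file contents are constructed stand-ins; the sizes only loosely follow the posts (about 360 KB for the clean rstrui.exe, over 1 MB for the replacements). The "new" check assumes the baseline covers every file in the watched directories.

```python
"""Baseline comparison for the swapped system binaries reported in this thread.

Added example, not any poster's code. Compares a clean-install inventory
(path -> size and SHA-256) with the inventory of the suspect machine and
reports replaced, missing and newly added files. All file contents here are
constructed stand-ins; the sizes follow the posts only loosely.
"""
import hashlib

# Directories in which a file absent from the baseline is worth reporting.
WATCH_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")

def build_inventory(files):
    """files: {path: bytes} -> {lower-cased path: (size, sha256 hex)}."""
    return {p.lower(): (len(b), hashlib.sha256(b).hexdigest())
            for p, b in files.items()}

def triage_inventory(baseline, observed, watch_dirs=WATCH_DIRS):
    """Return sorted (kind, path, detail) tuples; kind is replaced/missing/new."""
    findings = []
    for path, (size, digest) in baseline.items():
        obs = observed.get(path)
        if obs is None:
            findings.append(("missing", path, ""))
        elif obs[1] != digest:
            # Same name, different content: report how much the size changed,
            # since every replacement in this thread grew to over 1 MB.
            ratio = obs[0] / size if size else float("inf")
            findings.append(("replaced", path,
                             f"{size} -> {obs[0]} bytes ({ratio:.1f}x)"))
    for path, (size, _) in observed.items():
        if path not in baseline and path.startswith(watch_dirs):
            findings.append(("new", path, f"{size} bytes"))
    return sorted(findings)

# Constructed stand-ins (not real binaries): a clean baseline and the same
# machine after the trojan has swapped notepad and rstrui and dropped itself.
CLEAN_FILES = {
    r"C:\WINDOWS\NOTEPAD.EXE": b"clean-notepad-stand-in" * 3000,
    r"C:\WINDOWS\system32\restore\rstrui.exe": b"clean-rstrui-stand-in" * 17000,
}
SUSPECT_FILES = {
    r"C:\WINDOWS\NOTEPAD.EXE": b"vb-stub-stand-in" * 80000,
    r"C:\WINDOWS\system32\restore\rstrui.exe": b"vb-stub-stand-in" * 80000,
    r"C:\WINDOWS\system32\cdrunxp.exe": b"vb-stub-stand-in" * 80000,
}

if __name__ == "__main__":
    for kind, path, detail in triage_inventory(build_inventory(CLEAN_FILES),
                                               build_inventory(SUSPECT_FILES)):
        print(f"{kind:9} {path}  {detail}")
```

Hashes rather than sizes decide "replaced"; the size ratio is only reported because it is the quick tell the posts mention. On a real machine the baseline would come from install media or a known-clean twin, never from the suspect machine itself.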

UncleVan
Aug 7, 2003, 5:03:31 AM
OK,

While that thing is still going around, this thread apparently
will be active.
Let us postulate some rules for the postings here. I would suggest:

1. OS Version
2. Date of intrusion, if known
3. Symptoms
4. Harms & damages (infected/replaced files, new copied files, changes
to the registry etc)
5. Version tracking, if possible
6. Clean-up tips/solutions, if any

Postings are not supposed to comply with all items, but to try.

Further suggestions are welcome, of course.

Your UncleVan.

uncl...@hotmail.com (UncleVan) wrote in message news:<46c4d437.03072...@posting.google.com>...

Sync
Sep 2, 2003, 3:39:28 AM
I have Windows XP and have recently been affected with this trojan. I
have tried the removal process as stated but still am having problems
with it. Has anyone discovered an anti-virus software that will remove
it? If not, what are the exact removal procedures for XP? I actually
feel that this trojan is worse than one that would allow others to
access your computer through a back door. That German dude is one sick
person to even look which pictures to add in. Well thanks in advance.