KLC Consulting, Inc.
Information Security Services
info@klcconsulting.net 

Where are Trojans hiding?

Tel: 617-921-5410


Updated 04/24/2003

URL of this article is: http://www.klcconsulting.net/trojan/trojan_identification.htm 

Author:

Kyle Lai, CISSP, CISA

KLC Consulting, Inc.

klai@klcconsulting.net 

www.klcconsulting.net

Where are Trojans hiding in your systems?

 

In any case of virus, worm or Trojan infection, we should not automatically assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key is the only place a Trojan tampers with; otherwise we fall into the trap of a false sense of security.

There are many other places on a Windows system where a Trojan can add scripts and shortcuts that start its processes:

- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Note: For the following registry keys, the key value should be exactly "%1 %*". Any program added in front of this value is executed every time a binary file (.exe, .com) is run, e.g. "Trojan.exe %1 %*".

- [HKEY_CLASSES_ROOT\exefile\shell\open\command]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

Also, check:

- Startup folder: to open this folder, click Start->Programs->Startup, then right-click Startup and select "Open" from the menu. Check every file in this folder and make sure you know what each one is; these files start automatically every time you log in to the system.

- Windows Scheduler: check whether any programs are scheduled to start at a specific time. Some Trojans use the scheduler as a means of program execution.

  - For Windows NT, 2000 and XP systems, use the AT command to verify: open a command prompt and type "at". If any tasks are scheduled, it displays the "Status, ID, Day of execution, Time of execution, and Command line to be executed".

  - For Windows 9x/ME systems, use Windows Explorer and open Task Scheduler, which is under My Computer.

- Win.ini (load=Trojan.exe or run=Trojan.exe)

- system.ini (Shell=Explorer.exe trojan.exe)

- autoexec.bat: look for added Trojan files, which may have any of the following extensions: .exe, .scr, .pif, .com, .bat

- config.sys: look for added Trojan files

- Any suspicious or new batch files (.BAT), which might call the actual Trojan.

In addition, watch out for social engineering. Social engineering? Yes. Don't be fooled by processes or programs whose filenames are similar to, or exactly the same as, those of legitimate Windows system programs. Many known Trojans have included programs with exactly the same names as Windows system programs, but placed them in different folders. Many people lower their guard when they see a familiar Windows system program name, and some Trojans have successfully exploited this human vulnerability. If you only use the Windows Task Manager to check processes, you may be fooled unless you examine them carefully. Consider using other tools for detailed examination, e.g. PsTools from www.sysinternals.com.

Here are some sample filenames of files included in recent Trojans (assuming Windows is installed in c:\windows or c:\winnt):

- Explorer.exe: the legitimate program exists in the \Windows or \Winnt folder, NOT in \Windows\system32 or \Winnt\system32 or anywhere else
- Rundll32.exe: the legitimate program exists in the \Windows\system32 or \Winnt\system32 folder, not anywhere else
- taskmngr.exe: the legitimate program is called "taskmgr.exe", not "taskmngr.exe"
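An added example, not from the original article: a Python check that applies the three rules above to a process list (name plus full image path, as a process-listing tool that shows the path would report it). explorer.exe must run from the Windows folder, rundll32.exe from system32, and a name exactly one edit away from a system program (taskmngr.exe versus taskmgr.exe) is flagged as a look-alike. The Windows folder C:\WINNT and the process list are constructed for this example.

```python
import ntpath

# Genuine locations of the system programs the article names, with Windows in C:\WINNT
# (assumption for the constructed sample; use %SystemRoot% on a real host).
WINDIR = r"C:\WINNT"
EXPECTED_DIR = {
    "explorer.exe": WINDIR,                          # NOT system32
    "rundll32.exe": ntpath.join(WINDIR, "system32"),
    "taskmgr.exe": ntpath.join(WINDIR, "system32"),
}

def edit_distance(a, b):
    """Levenshtein distance; one edit separates taskmngr.exe from taskmgr.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(name, path):
    """Return a reason if the process looks like a system-program impostor, else None."""
    name, directory = name.lower(), ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        expected = EXPECTED_DIR[name].lower()
        return None if directory == expected else f"{name} runs from {directory}, expected {expected}"
    near = [k for k in EXPECTED_DIR if edit_distance(name, k) == 1]
    return f"{name} is one edit away from system program {near[0]}" if near else None

def audit_processes(processes):
    """Run check_process over (name, full path) pairs and keep only the hits."""
    hits = []
    for name, path in processes:
        reason = check_process(name, path)
        if reason:
            hits.append((name, path, reason))
    return hits

# Constructed process list (name + full image path); not captured from a real machine.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\WINNT\explorer.exe"),                 # genuine shell
    ("explorer.exe", r"C:\WINNT\system32\explorer.exe"),        # wrong folder
    ("rundll32.exe", r"C:\WINNT\system32\rundll32.exe"),        # genuine
    ("rundll32.exe", r"C:\Program Files\Common\rundll32.exe"),  # wrong folder
    ("taskmngr.exe", r"C:\WINNT\system32\taskmngr.exe"),        # look-alike name
    ("notepad.exe", r"C:\WINNT\system32\notepad.exe"),          # unrelated, ignored
]
```

`audit_processes(SAMPLE_PROCESSES)` returns the three impostors (the system32 explorer.exe, the misplaced rundll32.exe and taskmngr.exe) and leaves the genuine entries alone; the result is a review list, since a legitimate program can also sit one edit away from a system name.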

Let's be vigilant about the files, registry keys and other places that a Trojan can touch.

References:

- Ocxdll.exe/mIRC Virus Analysis by KLC Consulting: http://www.klcconsulting.net/mirc_virus_analysis.htm
- Deloder worm / IRC worm/Trojan Analysis by KLC Consulting: http://www.klcconsulting.net/deloder_virus_analysis.htm
- The Complete Windows Trojans Paper by Dancho Danchev: http://www.frame4.com/

Additional resources on recovery:

- CERT - Steps for Recovering from a UNIX or NT System Compromise
- Compromised Computer Identification and Fixing Guidelines by Allen Chang at UC Berkeley

Additional resources on Trojan Horses:

- Complete Windows Trojans Paper
- Distributed Denial of Service (DDoS) Attacks/tools

mIRC Trojan Variants:

- TrendMicro TROJ_FLOOD.BI.DR / IRC_ZCREW Trojan Analysis
- VirusList Worm.Win32.Randon worm/Trojan

Trojan Ports lists:

- http://www.blackcode.com/trojans/ports.php
- http://www.sans.org/resources/idfaq/oddports.php
- http://www.govital.net/~soz/lists/Port_Lists.htm
- http://www.iss.net/security_center/advice/Exploits/Ports/default.htm

IETF Assigned Ports:

- http://www.iana.org/assignments/port-numbers

Copyright © 2002-2011 KLC Consulting, Inc.
All rights reserved.