Total Members: 14176
Posted by: Amker
« on: 16. June 2007., 15:18:51 »This trojan uses winpcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing attacks. For accomplishing this, it uses few tools like "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious html code into data packets returned from server.
Characteristics -
This trojan uses winpcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing and man-in-the-middle attacks. For accomplishing this, it uses few tools like "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious html code into HTTP response packets returned from server; as well as sniffing passwords from the network.
(Winpcap is a popular tool that is often used in legitimate network monitoring.)
Upon installation this trojan installs legitimate packet filter libraries in %sysdir%.
%WINDIR%\inf\netnm.pnf ( 14736 bytes )
%WINDIR%\inf\netrasa.pnf ( 23504 bytes )
%SYSTEMDIR%\wpcap.dll ( 221184 bytes )
%SYSTEMDIR%\netmoninstaller.exe ( 6656 bytes )
%SYSTEMDIR%\wanpacket.dll ( 61440 bytes )
%SYSTEMDIR%\drivers\npf.sys ( 32000 bytes )
%SYSTEMDIR%\pthreadvc.dll ( 53299 bytes )
%SYSTEMDIR%\rpcapd.exe ( 86016 bytes )
%SYSTEMDIR%\packet.dll ( 81920 bytes )
%SYSTEMDIR%\daemon_mgm.exe ( 49152 bytes )
%SYSTEMDIR%\npf_mgm.exe ( 49152 bytes )
Following tools are dropped in the same directory from which the trojan executes.
wpc.dll - Winpcap_3_1_beta4 Dos Installer - Installs packet filtering libraries.
cmd.dll - zxarps Build 01/17/2007 By LZX. - Tool to carry out DNS Spoofing Attack.
Following is the list of commands than can be issued by this tool
options:
-idx [index]
-ip [ip]
-sethost [ip]
-port [port]
-reset
-hostname
-logfilter [string]
-save_a [filename]
-save_h [filename]
-hacksite [ip]
-insert [html code
-postfix [string]
-hackURL [url]
-filename [name]
-hackdns [string]
-Interval [ms]
-spoofmode [1|2|3]
-speed [kb]
There are many registries created upon installation of the trojan, most of them are related to WinPCap installation. Registries unique to this trojan are mentioned below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\CMD\DEBUG\Trace Level: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams
Registry responsible for restarting the trojan on reboot is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx
Symptoms -
Presence of aforementioned files and registry keys.
Unusual network activity of ARP requests.
Method of Infection -
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
McAfee
Characteristics -
This trojan uses winpcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing and man-in-the-middle attacks. For accomplishing this, it uses few tools like "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious html code into HTTP response packets returned from server; as well as sniffing passwords from the network.
(Winpcap is a popular tool that is often used in legitimate network monitoring.)
Upon installation this trojan installs legitimate packet filter libraries in %sysdir%.
%WINDIR%\inf\netnm.pnf ( 14736 bytes )
%WINDIR%\inf\netrasa.pnf ( 23504 bytes )
%SYSTEMDIR%\wpcap.dll ( 221184 bytes )
%SYSTEMDIR%\netmoninstaller.exe ( 6656 bytes )
%SYSTEMDIR%\wanpacket.dll ( 61440 bytes )
%SYSTEMDIR%\drivers\npf.sys ( 32000 bytes )
%SYSTEMDIR%\pthreadvc.dll ( 53299 bytes )
%SYSTEMDIR%\rpcapd.exe ( 86016 bytes )
%SYSTEMDIR%\packet.dll ( 81920 bytes )
%SYSTEMDIR%\daemon_mgm.exe ( 49152 bytes )
%SYSTEMDIR%\npf_mgm.exe ( 49152 bytes )
Following tools are dropped in the same directory from which the trojan executes.
wpc.dll - Winpcap_3_1_beta4 Dos Installer - Installs packet filtering libraries.
cmd.dll - zxarps Build 01/17/2007 By LZX. - Tool to carry out DNS Spoofing Attack.
Following is the list of commands than can be issued by this tool
options:
-idx [index]
-ip [ip]
-sethost [ip]
-port [port]
-reset
-hostname
-logfilter [string]
-save_a [filename]
-save_h [filename]
-hacksite [ip]
-insert [html code
-postfix [string]
-hackURL [url]
-filename [name]
-hackdns [string]
-Interval [ms]
-spoofmode [1|2|3]
-speed [kb]
There are many registries created upon installation of the trojan, most of them are related to WinPCap installation. Registries unique to this trojan are mentioned below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\CMD\DEBUG\Trace Level: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams
Registry responsible for restarting the trojan on reboot is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx
Symptoms -
Presence of aforementioned files and registry keys.
Unusual network activity of ARP requests.
Method of Infection -
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
McAfee