Contents:
---------
o Summary - a summary of the trojan
o Removal - how to remove the trojan
o Threat Analysis - the possible dangers
o Prevention - how to keep this from happening
o File Information - information on the .EXE file
o Unit Information - information on what 3rd party packages it uses
o Form 1 - information on the first window found in the application
o Form 2 - information on the second window found in the application
o Thoughts - conjecture of mine
Summary:
--------
The exe (ickill.exe, 98s.exe, icqhijaak.exe) was made with Borland
Delphi, either version 2 or 3, as it is a 32-bit application. When
executed, it copies itself to the Windows directory, and creates
registry entries to make it start up when Windows starts. Once opened,
it sets up a server on port 5000 or 7789, which allows certain persons
to download, upload, delete, and create files, and perhaps to even
take screenshots.
Removal:
--------
1.) Ctrl+Alt+Del and end any task named "mschv32.exe",
any second explorer, or any task named "1.exe"
2.) Delete *any* instance of MSCHV32.EXE or 1.EXE
3.) If there is an EXPLORER.EXE in your WINDOWS\SYSTEM directory,
delete it
4.) Open WINDOWS\REGEDIT.EXE and use Edit | Find to find and delete
any references to 1.EXE or MSCHV.EXE
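A small offline triage helper for the indicators the Summary and Removal sections give (the task names, the EXPLORER.EXE copy in WINDOWS\SYSTEM, the Run-key entries, and the 5000/7789 listening ports). It is an added example, not part of the original write-up; every input is a constructed sample, and the `netstat -an` line layout and the Run-key name-to-command dictionary are assumptions.

```python
import re

# Indicators taken from the Summary and Removal sections of the write-up.
SUSPECT_TASKS = {"mschv32.exe", "1.exe"}
SUSPECT_PORTS = {5000, 7789}
RUN_VALUE_RE = re.compile(r"(mschv(32)?\.exe|\b1\.exe)", re.IGNORECASE)

# Constructed sample inputs: task list, WINDOWS\SYSTEM listing, Run values, netstat -an.
SAMPLE_TASKS = ["Explorer", "Systray", "mschv32.exe", "Explorer", "1.exe"]
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "EXPLORER.EXE", "USER32.DLL"]
SAMPLE_RUN_VALUES = {"SystemTray": "SysTray.Exe", "mschv32": r"C:\WINDOWS\MSCHV32.EXE"}
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING",
    "  TCP    192.168.0.2:1043       192.168.0.1:80         ESTABLISHED",
]

def suspect_tasks(tasks):
    """Task names the removal steps say to end; a second Explorer counts too."""
    lowered = [t.lower() for t in tasks]
    hits = sorted(t for t in lowered if t in SUSPECT_TASKS)
    if lowered.count("explorer") > 1:
        hits.append("explorer (duplicate)")
    return hits

def explorer_in_system_dir(listing):
    """True if EXPLORER.EXE sits in WINDOWS\\SYSTEM (the real shell is in WINDOWS)."""
    return any(name.lower() == "explorer.exe" for name in listing)

def suspect_run_values(run_values):
    """Run-key values (name -> command) that reference the trojan's file names."""
    return {k: v for k, v in run_values.items() if RUN_VALUE_RE.search(v)}

def backdoor_listeners(netstat_lines):
    """Local TCP ports in LISTENING state that match the backdoor's ports."""
    ports = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in SUSPECT_PORTS:
                ports.append(port)
    return sorted(ports)

def triage(tasks, system_dir, run_values, netstat_lines):
    """Collect every indicator found; an empty dict means none were seen."""
    report = {"tasks": suspect_tasks(tasks),
              "explorer_in_system": explorer_in_system_dir(system_dir),
              "run_values": suspect_run_values(run_values),
              "listeners": backdoor_listeners(netstat_lines)}
    return {k: v for k, v in report.items() if v}
```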
Threat Analysis:
----------------
Backdoor-style trojans such as these pose a serious threat to the
average user. Most people are used to having installation programs
crap out on them, and so when a program gives them an error message
and "quits," they delete the EXE and move on. If the user
has any sensitive information on their computer, they will indubitably
wish to keep it private.
Prevention:
-----------
One way to prevent such a trojan being installed unwittingly on
your machine is to change the way you install programs. InControl
3, available at http://www.zdnet.com/pcmag/pctech/content/15/13/ut1513.001.html, is
a utility which tracks the changes a program makes to a system.
Use it whenever you're installing a program, regardless of the program's
pedigree. You can look at the log later to see what registry keys
have been added, what INI files have been changed, what directories
and files have been changed, added, or deleted. This kind of trojan
is too new to be detected with a virus scanner, and trojans are
simple to make. The best defense in this case is good program hygiene.
File Information:
-----------------
Filename: ICKILL.EXE, 98S.EXE, ICQHIJAAK.EXE
File Size: 335,872 bytes
MD5 Message Digest: 711DFB9A0F23058CB238302EB2D46C35
Unit Information:
-----------------
The units used are these:
Cheval FileCtrl Consts System SysInit Dialogs ExtCtrls Messages Windows
SysUtils Classes TypInfo ActiveX Controls Forms Printers WinSpool Graphics
Menus Imm Commctrl StdCtrls Dlgs CommDlg Buttons Scrute Spin WSocket
WSockbuf Wait WinSock ShellAPI Registry Unit2 unit1
All units here are standard Delphi units except for Scrute, WSocket,
WSockbuf, Wait, Unit2, and unit1. Scrute is an unknown unit, whose
name, in French, means "scan". WSocket, WSockbuf, and
Wait are all units for a common winsock Delphi component, TWSocket.
Unit2 and unit1 are the two forms used by the project.
Form 1:
-------
The property list for the first form looks like this:
object Form1: TForm1
Left = 370
Top = 198
BorderIcons = [biSystemMenu]
BorderStyle = bsDialog
Caption = 'Form1'
ClientHeight = 115
ClientWidth = 436
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
Position = poScreenCenter
OnClose = FormClose
OnCreate = FormCreate
PixelsPerInch = 96
TextHeight = 13
object ChatPort: TEdit
Left = 10
Top = 41
Width = 31
Height = 21
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
ParentFont = False
TabOrder = 0
Text = '5000'
Visible = False
end
object DelaiDistant: TSpinEdit
Left = 45
Top = 41
Width = 41
Height = 22
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
MaxValue = 500
MinValue = 0
ParentFont = False
TabOrder = 1
Value = 0
Visible = False
end
object SrvSocket: TWSocket
Proto = 'tcp'
MultiThreaded = False
OnSessionAvailable = SrvSocketSessionAvailable
FlushTimeout = 60
SendFlags = wsSendNormal
Left = 5
Top = 4
end
object CliSocket: TWSocket
Proto = 'tcp'
MultiThreaded = False
OnDataAvailable = CliSocketDataAvailable
OnSessionClosed = CliSocketSessionClosed
FlushTimeout = 60
SendFlags = wsSendNormal
Left = 37
Top = 5
end
end
We can see it is a form, default size, screen center, with an edit
box (named ChatPort, default text = '5000'), and a spin box (named
DelaiDistant, default value = 500). It has two TWSockets, one a
server (apparently), the other a client. The server has some event
for when someone tries to connect to it. What that does is unknown.
The client has event handlers for when someone sends the client data,
and for when the client is disconnected. Again, what it does is
unknown.
Form 2:
-------
The property list for the second form:
object Form_HD: TForm_HD
Left = 415
Top = 189
Width = 138
Height = 87
BorderIcons = [biSystemMenu, biMaximize]
Caption = 'Form_HD'
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
Position = poScreenCenter
PixelsPerInch = 96
TextHeight = 13
object DriveComboBox: TDriveComboBox
Left = 20
Top = 38
Width = 89
Height = 19
TabOrder = 0
Visible = False
end
object Scrute: TScruteDossier
Dossier = 'c:\'
Filtre = '*.*'
SousDossier = False
OnFichier = ScruteFichier
OnDossier = ScruteDossier
OnFinExecute = ScruteFinExecute
MaxPenetration = 10000
Left = 70
Top = 4
end
object FileCliSocket: TWSocket
Proto = 'tcp'
MultiThreaded = False
OnDataAvailable = FileCliSocketDataAvailable
OnSessionConnected = FileCliSocketSessionConnected
FlushTimeout = 60
SendFlags = wsSendNormal
Left = 31
Top = 3
end
end
This is the engine of the program. The form is non-default size
(87x138). It has an unknown component, TScruteDossier, which presumably
scans the directory tree, returning file names, paths, attributes,
etc. "Scrute Dossier" in French means "scan file."
It also has a drive combo box, which is simply a combo box with
a list of all drives on the machine. It has a TWSocket client, which
has event handlers for when the client receives data, and when the
client connects to a server.
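To pull the components and event-handler names out of form listings like the two above mechanically, here is a minimal parser for the text .DFM format. It is an added example, not part of the original write-up; SAMPLE_DFM is a constructed, trimmed copy of the Form 1 listing, and the handler names it yields are the method names to look for when working out what the sockets actually do.

```python
import re
# Constructed, trimmed copy of the Form 1 listing from the write-up.
SAMPLE_DFM = """object Form1: TForm1
  OnCreate = FormCreate
  object ChatPort: TEdit
    Top = 41
    Text = '5000'
  end
  object SrvSocket: TWSocket
    OnSessionAvailable = SrvSocketSessionAvailable
  end
  object CliSocket: TWSocket
    OnDataAvailable = CliSocketDataAvailable
  end
end
"""

OBJ_RE = re.compile(r"^object\s+(\w+):\s*(\w+)$")
PROP_RE = re.compile(r"^([\w.]+)\s*=\s*(.+)$")

def parse_dfm(text):
    """Parse 'object Name: Class' / 'Key = Value' / 'end' blocks into nested
    dicts {name, class, props, children} and return the top-level form."""
    root = {"name": None, "class": None, "props": {}, "children": []}
    stack = [root]  # sentinel; the form itself becomes its only child
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := OBJ_RE.match(line):
            node = {"name": m[1], "class": m[2], "props": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif line == "end":
            stack.pop()  # closes the innermost open object
        elif m := PROP_RE.match(line):
            v = m[2]
            # Delphi string literals are quoted; bare integers become ints.
            v = v[1:-1] if v.startswith("'") else (int(v) if v.lstrip("-").isdigit() else v)
            stack[-1]["props"][m[1]] = v
        else:
            raise ValueError("unparsed DFM line: %r" % line)
    return root["children"][0]

def walk(node):  # yield the node and every nested component, depth first
    yield node
    for child in node["children"]:
        yield from walk(child)

def event_handlers(root):
    """'Component.OnEvent' -> handler method name, for every component."""
    return {f"{n['name']}.{k}": v for n in walk(root)
            for k, v in n["props"].items() if k.startswith("On")}
```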
Thoughts:
---------
(None of these are supported by fact, so don't mistake them for
the truth; they are *my* opinions only):
I think this program was created by someone relatively new to Delphi
programming.
Why:
* The author uses Delphi components to do things like scan the directory
tree, check for all the drives on a machine, when code for this
is readily available in easier-to-use code snippets.
* Naming conventions: this program doesn't follow any Delphi naming
conventions. Most professional or intermediate Delphi programmers
follow some sort of naming convention, either Hungarian notation,
or their own personal conventions.
* The number of forms, etc. If this was a good programmer, they
could have made it much smaller, and much more obtrusive.
I'm told this program is called "Master's Paradise" and
that it's made by someone/some group/some place/somewhatever called
the Munich Brain House. Searches on the internet have turned up
squat, save for some pages about vibrators. No idea why. But apparently,
every woman needs a "Deep Stroker." I should put that
on my business card.
Anyways, if you have any more information about this trojan, where
it came from, who made it, etc, please mail me at messiah@jps.net.
Thanks.