
rn4d Dirote.exe & Kolder.exe

Discussion in 'Security and Privacy' started by Digitalis, 2004/05/08.

Thread Status:
Not open for further replies.
  1. 2004/05/08
    Digitalis

    Digitalis Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    173
    Likes Received:
    0
    I have a string in my run folder within the registry, title is "rn4d" and the value is:

    "C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe "

    I can't find the f0r0r folder within System32 (even after unhiding system files etc)

    I don't know what it is, but if I delete the string, it comes back within seconds.

    I had a problem with the Sasser Worm, I had to manually uninstall NIS 2004 (headfull!!) then I reinstalled it, while I was online downloading the live update for NIS 2004, I contracted the Welchia Worm, I've got rid of that too.

    NIS 2004 then came up with an alert "Dirote.exe is attempting to connect.......... "

    I have no idea what this program is, nor can I get rid of it. It's obviously starting on boot (I can't get it out of MSCONFIG), and I can see 2 windows appear (then disappear) very swiftly indeed (I can't make out any details, and this never happened before tonight).

    Full system scan with Norton reveals nothing.

    Can someone please enlighten me.

    Thanks.

    Dig.
     
    Last edited: 2004/05/09
  2. 2004/05/08
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Last edited: 2004/05/08


  4. 2004/05/09
    Digitalis

    Digitalis Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    173
    Likes Received:
    0
    I have a firewall, I've got Norton internet security 2004, which has antivirus & a firewall.

    Something got into my system & messed it up, while I was online trying to find a solution I was getting attacked from all over, as I didn't have any protection.

    I have now reinstalled Norton, and I can't get rid of, nor can I get find any information on the above that I mentioned earlier.
     
  5. 2004/05/09
    Digitalis

    Digitalis Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    173
    Likes Received:
    0
    I've done a bit more digging, and I found that in task manager (Alt, CTRL + Delete), on the Processes tab, Dirote.exe is one of the many processes listed.

    I clicked it, clicked "end process ", then when I went to the registry I was able to remove the string from the "run" folder that starts it on boot (YIPPEE!!!) :)

    The two windows that flash on the screen at boot have now gone, and the string in MSCONFIG has gone (obviously). All Happy :D

    I'll see if I can find the files themselves now.

    DELETE!
    DELETE!
    DELETE!
     
  6. 2004/05/09
    Digitalis

    Digitalis Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    173
    Likes Received:
    0
    OK, now that we've stopped the programs starting up, I can find the relevant folders, it must have been hiding them when it was running.

    Here's a screen shot of what is inside the C:\WINDOWS\System32\f0r0r folder.

    Can anyone tell me what this does?
     
  7. 2004/05/09
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Good work.

    Hi Dig,

    Hope your firewall will protect you now. I looked at your url and I think it does nothing at present and suggest you just delete it. Did you run spybot?
     
  8. 2004/05/10
    Digitalis

    Digitalis Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    173
    Likes Received:
    0
    I didn't run spybot, but I have got spycop, is that any good? It didn't find anything, nor did Ad aware 6.
     
  9. 2004/05/11
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Update!

    I have no experience with spycop, but whatever you use, make sure it's updated to the latest version before you use it.
     
  10. 2004/05/12
    Davy Bartoloni

    Davy Bartoloni Inactive

    Joined:
    2004/05/12
    Messages:
    1
    Likes Received:
    0
    Hi everyone! - f0r0r ??? :)

    Hello everyone, that folder is created by a porn dialer.
    It contains anywhere from one to an unlimited number of executable files, sounds or other things.
    Windows XP cannot display it as a folder.
    To fix the problem, just delete its contents using another operating system (BEOS or Windows PE work perfectly!)
    and everything is sorted out.

    Hello beloveds, that folder is created by a dialer - porno. It
    contains from 1 to +infinite executable files, sounds or other things.

    Windows XP is not able to display the folder. In order to
    resolve the problem, it is enough to delete the content with an
    other operating system (BEOS or Windows PE goes very well!) and all
    is resolved.

    CIAO!!!! my site? www.nonsolocuneo.com ! HI!
     
  11. 2004/05/12
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Digitalis - suggest you download, update and run Spybot in Advanced mode - Set up Spybot as follows ....

    On Settings tab select Settings, scroll down to Scan Priority and set to 'Highest' then scroll to Expert settings and make sure that the first three options are checked.

    Delete all it finds that are marked in red, green ones are usage tracks (delete optional)

    Then use the Immunise feature and lock the Hosts file - same page, scroll down.

    Moving this to Security/Virus/Spyware
     
  12. 2004/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Recheck anything you have disabled in msconfig, reboot and run CWShredder. Download available from the link in my signature. Also download HijackThis from the same link. Place it in a permanent folder on the drive (I create a new one named HijackThis), open and scan, then save log. Once saved it will open in notepad. Select all from the edit menu, copy and paste here. Don't fix anything with it yet! Also suggest you scan with RAV and Housecall. Let us know what, if anything, is found and where.
     
  13. 2004/05/14
    luke74

    luke74 Inactive

    Joined:
    2004/05/14
    Messages:
    5
    Likes Received:
    0
    Can someone in the know check my highjack this log to see if there is any unusual entries please?

    Logfile of HijackThis v1.97.7
    Scan saved at 20.39.41, on 14/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    .........
    remaining contents removed - Newt
     
    Last edited by a moderator: 2004/05/14
  14. 2004/05/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS luke74!

    I'll gladly check your log, as will others, but please start a new thread and post it there. And suggest using a descriptive title that reflects your concerns/problems. :)
     
  15. 2004/05/15
    Bartkei

    Bartkei Inactive

    Joined:
    2004/05/15
    Messages:
    5
    Likes Received:
    0
    Same here

    Seems like I have exactly the same problem. I can't "see" the f0r0r folder in windows32, I'm only able to access it with cmd.exe. And with cmd.exe, I'm only able to see the files in the f0r0r folder, but not delete them.

    I searched for "f0r0r" on Google, and I found some more messages from people who suffer from this. And they were all complaining about problems starting around the start of May.

    Perhaps this is a new virus that Norton isn't able to detect (yet).
     
  16. 2004/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Bartkei. Welcome to WindowsBBS! :)

    You say you can access the files within the f0r0r folder. Would you list them please? Also, would you install Process Explorer, open it and click file>save. Paste the contents here. Did you also specify to show hidden system files? It is possible that what appears to be a folder named f0r0r really isn't a folder. Try using Agent Ransack to search for it.
     
  17. 2004/05/15
    Bartkei

    Bartkei Inactive

    Joined:
    2004/05/15
    Messages:
    5
    Likes Received:
    0
    Research

    I've just updated the virus definitions, and norton antivirus still doesn't recognize anything.

    After I unloaded the processes ppi.exe and dirote.exe and deleted the registry key, I restarted my computer and the f0r0r folder became "viewable" in windows.

    What I saw was really interesting.

    I recognized the icons of the executables ppi.exe and kolder.exe.
    It's the delphi icon. I know that this is the delphi icon because I used to program in delphi. So: this trojan is written in delphi.

    Then there also is this file: demo.xt
    It consists of 9410 lines. On every line there is a word.
    For example: the beginning of the file is like this:
    hfghfh
    shaved
    hustler
    hardcore
    netscape

    Conclusion: This is a wordlist that is used for dictionary attacks.
    Perhaps this virus is an automated dictionary attacker, attacking random computers.

    Then there is the file: dordo.sys
    This file contains nothing.

    Then there is the file: dordo.ini, looking very interesting
    These are the contents:
    -----------------
    [HIdden Table]
    f0r0r
    temp
    dorod*

    [RooT PrOcesses]
    f0r0r
    temp
    dorod*

    [HiDden SerVices]
    HackerDefender*

    [HiDDen RegKEys]
    HackerDefender100
    LEGACY_HACKERDEFENDER100
    HackerDefenderDrv100
    LEGACY_HACKERDEFENDERDRV100

    [HIDden REGValues]

    [StARTup Run]

    [FrEE Space]

    [HiDDen Ports]

    [SETtings]
    Password=dordo--
    BackdoorShell=ccc.exe
    FileMappingName=dordodesc
    ServiceName=dordo
    ServiceDisplayName=dordo Service
    ServiceDescription=gl gl
    DriverName=dordodrv
    DriverFileName=dordo.sys
    ------------------
    I mean what the hell? A backdoor shell??? ccc.exe??? I can't find ccc.exe

    Then there is the following file: niamx
    (without an extension indeed)
    It's pretty big, so I can't post it. And I can't host it anywhere. I'm indicating this as a mirc script, but I'm not very good at mirc scripting so I can't really figure out what it does. I see this file changes and deletes some values in the register in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dordo\
    It seems to mass invite people to a channel, and spam a lot.
    It also seems to open a couple of sockets, and to be a "445 RPC scanner".
    This script looks really interesting, so if anyone wants to see it, just tell me and I can mail it to you.

    Then we have the file: redroses
    It has no extension but it looks like it's a configuration file for mIRC?

    [warn]
    fserve=on
    dcc=off
    [dirs]
    logdir=logs\
    waves=sounds\
    midis=sounds\
    mp3s=sounds\
    wmas=sounds\
    oggs=sounds\
    [options]
    n0=1,0,0,1,0,0,300,0,0,0,1,0,0,0,1,1,0,1,1,1,4096,0,1,0,0,0,1,1,0,50,1,1
    n1=0,100,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,1,0,0,1,0,1,0,5,0,0,0,0,0,1,0,0
    n2=0,0,0,0,1,1,0,1,0,60,120,0,0,1,0,0,0,1,0,120,20,10,0,0,1,0,0,1,0,0,0,0,0
    n3=5000,0,0,0,1,0,1,0,0,1,0,1,0,0,1,1,3,1,0,1,0,0,0,0,0,0,2,3,0,0,0,3,180,0
    n4=0,0,1,1,0,3,9999,0,0,1,1,1,1024,0,1,9,20,0,0,0,1,0,0,0,1,5000,1,2,0,0,2,0,0,0
    n5=1,1,1,1,1,1,1,1,1,1,6667,0,0,0,0,0,1,0,300,30,10,0,0,26,0,0,0,8192,1,0,0,82,0
    n6=0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,100,1,1,0,0,0,0,0,2,1,0,1
    n7=0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1,70,0,10,0,1,1,1,1,1,0,0,0,0,1,1,1,1
    [about]
    version=6.03
    show=BR26354
    [ports]
    random=off
    bind=off
    [ident]
    active=yes
    userid=tw1s
    system=UNIX
    port=113
    [socks]
    enabled=no
    port=1080
    method=4
    dccs=no
    useip=yes
    [language]
    sjis=1
    multibyte=1
    [clicks]
    status=
    query=
    channel=
    nicklist=
    notify=
    message=
    [dde]
    ServerStatus=off
    ServiceName=c0ldzz
    CheckName=off
    [marker]
    show=off
    size=3
    colour=4
    method=1
    [text]
    network=All
    commandchar=/
    linesep=-//-
    timestamp=[HH:nn]
    accept=*.bmp,*.gif,*.jpg,*.log,*.mid,*.mp3,*.ogg,*.png,*.txt,*.wav,*.wma,*.zip
    ignore=*.exe,*.com,*.bat,*.dll,*.ini,*.mrc,*.vbs,*.js,*.pif,*.scr,*.lnk,*.pl,*.shs,*.htm,*.html
    quit=wheebee
    [fileserver]
    warning=on
    [dccserver]
    n0=0,59,0,0,0,0
    [agent]
    enable=0,0,0
    char=merlin.acs
    options=1,1,1,100,0
    speech=150,60,100,1,180,10,50,1,1,1,0,50,1
    channel=1,1,1,1,1,1,1,1,1
    private=1,1,1,1
    other=1,1,1,1,1,1,1
    pos=20,20
    [real]
    nick=[XP-9232]
    host=0rdez.q8hell.orgSERVER:0rdez.q8hell.org:4578
    user=Tw1st3r [1.4.4]
    email=tw1s@tw1s
    anick=[dsl-2963999]

    [files]
    servers=servers.ini
    finger=finger.txt
    urls=urls.ini
    addrbk=addrbk.ini
    [styles]
    thin=3
    font=0
    hide=0
    color=default
    size=2
    buttons=0
    [pfiles]
    n0=popups.ini
    n1=popups.ini
    n2=popups.ini
    n3=popups.ini
    n4=popups.ini
    [windows]
    scripts=167,739,102,606,0,0,0
    main=986,123,691,34,0,1,0
    wchannel=0,123,0,34,0,1,0
    wquery=56,631,56,396,1,1,0
    wchat=0,631,0,397,1,1,0
    [colours]
    n0=1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
    [wizard]
    warning=2


    [waves]
    query=No Sound
    notice=No Sound
    invite=No Sound
    disconnect=No Sound
    send=No Sound
    highlight=No Sound
    flash=No Sound
    dccfail=No Sound
    [dragdrop]
    n0=*.wav:/sound $1 $2-
    n1=*.*:/dcc send $1 $2-
    s0=*.*:/dcc send $1 $2-
    [extensions]
    n0=defaultEXTDIR:\
    n1=*.wav,*.mid,*.mp3,*.wma,*.oggEXTDIR:hh\
    [afiles]
    n0=aliases.ini
    [forevr]
    n0=romt0
    n1=romto
    n2=niamx

    Then there is this file: romto
    Contents:
    %many 45
    %infecttime Friday 07/05/2004 17:00:44

    I don't really understand the first line, but the second one is pretty clear I guess.

    The following executables are in the f0r0r folder:
    calcu.exe
    dir32.exe
    dirote.exe
    dorod.exe
    kltye.exe
    kolder.exe
    ppi.exe
    van32.exe
    wexp.exe

    Why am I posting this? I don't really know. I think this virus has not yet been discovered by any virus-scan company (at least, my scanner detects nothing). So it needs research. What should I do with this?
     
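The dordo.ini posted above is a Hacker Defender rootkit configuration: the bracketed sections list the file, process, service and registry names the driver hides, and [Settings] names the service, driver file and backdoor shell. The parser below is an added example (not code from this thread) that reads such a file, answers whether a given path or process name would be hidden, and lists the artifacts to inspect once the rootkit is stopped. The sample is an abridged, constructed copy of the posted file; the rule that a path is hidden when any of its components matches is an assumption.

```python
import fnmatch
import re

# Constructed sample, abridged from the dordo.ini quoted in the post above.
SAMPLE_INI = """\
[HIdden Table]
f0r0r
dorod*
[HiDden SerVices]
HackerDefender*
[HiDDen RegKEys]
HackerDefender100
[SETtings]
BackdoorShell=ccc.exe
ServiceName=dordo
DriverFileName=dordo.sys
"""

def parse_hxdef_config(text):
    """Map lowercased section name -> entries. Headers are matched case-insensitively:
    the file mixes case ('[HIdden Table]'), so a byte-exact signature would miss it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def is_hidden(cfg, path, section="hidden table"):
    """Entries are case-insensitive '*' globs. Assumption: a path is hidden when any
    of its components matches, which is how hiding the folder hides the files in it."""
    patterns = [p.lower() for p in cfg.get(section, [])]
    return any(fnmatch.fnmatchcase(part.lower(), p)
               for part in re.split(r"[\\/]", path) for p in patterns)

def artifacts_to_check(cfg):
    """Service key, driver, shell and hidden names to inspect once the rootkit is stopped."""
    pairs = (e.partition("=") for e in cfg.get("settings", []))
    s = {k.strip().lower(): v.strip() for k, _, v in pairs}
    items = ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + s["servicename"]] if "servicename" in s else []
    items += [label + s[k] for k, label in (("driverfilename", "driver file: "),
                                            ("backdoorshell", "backdoor shell: ")) if k in s]
    items += ["hidden service: " + x for x in cfg.get("hidden services", [])]
    items += ["hidden regkey: " + x for x in cfg.get("hidden regkeys", [])]
    return items
```

Because the hide table matches by name, a process or folder that does not match (dirote.exe on its own, for instance) is only invisible while it sits inside the hidden f0r0r folder, which is consistent with the files becoming visible once the processes were stopped.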
  18. 2004/05/15
    Bartkei

    Bartkei Inactive

    Joined:
    2004/05/15
    Messages:
    5
    Likes Received:
    0
    f0r0r

    Hi Dave/Noahdfear,

    Just did that :).
    f0r0r appears to be a real folder.
    It was not a hidden folder (it didn't have a +h attrib),
    but, one of the processes (either ppi.exe or dirote.exe) prevented this folder from being listed in the windows explorer.
     
  19. 2004/05/15
    Bartkei

    Bartkei Inactive

    Joined:
    2004/05/15
    Messages:
    5
    Likes Received:
    0
    forgot something

    I forgot to say one more thing.

    By unloading this virus, I just got rid of something that has really been irritating me.

    In the past week, I couldn't delete anything from my windows desktop, and I couldn't rightclick on my windows desktop. When I tried that, explorer.exe seemed to restart (the taskbar disappeared and for a second or so, all I saw was my wallpaper, then everything, every window, the taskbar, reappeared again. But no file was deleted from the desktop).

    It was not only with the desktop, but also with certain windows system folders (can't remember which ones).

    But now it all disappeared, so it must have been this virus.
     
  20. 2004/05/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  21. 2004/05/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I see this file changes and deletes some values in the register in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dordo\

    Interesting that it messed with ControlSet001 rather than CurrentControlSet. For any of those changes to take effect I'd expect the critter to force a reboot and a reversion to 'last known good config'.

    Bartkei - nice analysis and thanks for posting it. I agree with Dave about the other places you could report it since the lack of info on this thing indicates they may not have good details yet.
     