
rn4d Dirote.exe & Kolder.exe

Discussion in 'Security and Privacy' started by Digitalis, 2004/05/08.

Thread Status:
Not open for further replies.
  1. 2004/05/15
    noahdfear
  2. 2004/05/15
    Bartkei
    I finally got this one identified: It's the BDS/HacDef.073.B.4 virus.

    A lot of virus scanners seem to detect this one. But my Norton Antivirus probably didn't.

    That's strange.
     


  4. 2004/05/15
    noahdfear
    The first thing a lot of viruses do is disable or hide themselves from onboard AV. Might need to reload it. Did either one of the online scanners detect it? Maybe the running processes are stealthing it too and killing those might enable detection. Hmmmm
     
  5. 2004/05/15
    noahdfear
    Bartkei, thanks for sending! :)

    RAV report:

    C:\WINDOWS\Profiles\Dave\Desktop\f0r0r.rar->dir32.exe->(CExe) - Tool:HideWindows -> Infected
    C:\WINDOWS\Profiles\Dave\Desktop\f0r0r.rar->dorod.exe->(FSGPE) - Backdoor:Win32/Hackdef.0_84 -> Infected
    C:\WINDOWS\Profiles\Dave\Desktop\f0r0r.rar->niamx - IRC/Generic* -> Suspicious
    C:\WINDOWS\Profiles\Dave\Desktop\f0r0r.rar->ppi.exe->(UPXW) - Backdoor:Win32/MotivFTP.1_2 -> Infected
    C:\WINDOWS\Profiles\Dave\Desktop\f0r0r.rar->van32.exe->(FSGPE) - Trojan:Win32/HideWindow -> Infected

    Scanned
    ============================
    Objects: 22
    Directories: 0
    Archives: 1
    Size(Kb): 17249
    Infected files: 4

    Found
    ============================
    Viruses found: 4
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 0
     
  6. 2004/05/15
    noahdfear
    Some further testing.
    Housecall freezes up while trying to scan the f0r0r folder.
    Five other scanners find nothing.
    AVG free finds this:
    F0R0R\NIAMX IRC/Backdoor.flood
    F0R0R\PPI.EXE Trojan horse BackDoor.InvisibleFTP
    Stinger finds:
    f0r0r\wexp.exe Found the Exploit-DcomRpc.gen trojan

    Since I didn't actually have the virus infection, only the folder on my desktop, I don't know if scan results would be different on an infected computer.
     
  7. 2004/05/15
    Lonny Jones
    Nice work Guys

    I'm sure Ad-Aware and Spybot would like a submission too, if you still have the entire f0r0r folder?
    Zip up a copy, attach it to an email, and include an address back to this topic.
    This address<<

    and for lavasoft
    If you think something needs to be sent to us
    for review, visit our submission site at:
    http://submit.lavahelp.com
     
  8. 2004/05/15
    noahdfear
    Yeah, I've still got it. I'll get it sent off. Funny, Hotmail wouldn't allow the attachment to be sent (zipped .rar) but it came right through my Yahoo mail... no virus detected. AVG couldn't detect it until I unzipped it. RAV saw it either way.

    I'm going to look for submittal addys for Sophos, AVG, Kaspersky and McAfee too. If anyone can think of others or provide submittal addresses, please do.
     
  9. 2004/05/15
    rogerwroberts
    Dirote.exe

    Here is a post that I made on another security site. This was on one of my honeypot systems.

    Task Manager did see two processes in memory,

    ppi.exe and dirote.exe
    I did some searching online but did not find too much on these two files that were in memory.
    I was looking for them in the HDrive, win dirs, but I could not find them. Yes, I checked and made sure the hidden dirs and files were configured to be shown. I also used the Windows search and verified the advanced feature of hidden files and folders was checked. I also tried the attrib -h *.* in several of the main dirs //results = nothing//
    I will try to cd to the dir in the blind in the near future. I am not used to seeing these rootkit-like actions in the Windows arena.

    I did mount in the (Bump for the new Knoppix 3.4) Linux boot CD to find where they were located. Notice in the file listing below there is one file that says dir32.exe hmmmmmmmmmmm
    After the Knoppix boot, I booted into Windows (Forensic approach break, I know) but I tried the attrib -h *.* in the system32 dir for the f0r0r dir and //results = nothing but very interesting//

    Symantec does not catch any of the files listed below as of yet.
    I went back to the linux boot disk.
    The two processes were in the system32 dir //those two are zeros//
    c:\windows\system32\f0r0r\

    Did some strings, and got some good info, but I have just started and this was done pretty late last night,

    Here is a listing of the files&dir that were in the dir:
    calcu.exe //similar name to the calc.exe to possibly overlook//
    dirote.exe
    dorod.ini
    logs //DIR//
    redroses
    van32.exe
    demo.xt
    dordo.sys
    kltye.exe //Renamed or Modified Sys Internals PS Tool to start remote processes..this name can be sanitized if the moderator wants//
    niamx //RPC Scanner//
    romto
    wexp.exe
    dir32.exe
    dorod.exe
    kolder.exe
    ppi.exe
    sounds //DIR//

    Preliminary Analysis Results
    • Reboots the system at least once
    • Rootkit like characteristics
    • SPAM and SYNFLood references
    • Checks to see if virus/programs are installed in windows dir previous to copying dirod.exe and ppi.exe
    • possible sniffer installed
    • bnc referenced numerous times in code
    • rpc scanner
    • generic NIC installation (have not really verified this through the code but was installed in XP)
    • IRC
    • Referenced backdoor ccc.exe //I have not found this on the drive as of yet//


    Day 2 added testing, but I didn't have much time last night:
    I booted into WinXP; the f0r0r dir can be accessed by cd, but does not show in the executed dir. The next step is to see if this is kernel level or just an overwritten binary issue.

    Previous code review indicated FTP scripted commands with the following credentials. So I FTP'd to the DMZ system with a Linux box just in case. Also there was a text file called f0r //that is a zero again//

    username: korod
    pass: pass
    //kind of strange though, it throws you an error but still gives you access//

    there is one file to download and it is named d0r1t1s.exe
    //I plan to launch this file on a VMWARE system//

    Applications that I have figured out.
    calcu.exe - similar name to the calc.exe to possibly overlook, but it is really the program PrcView v 3.7.2.5 command line utility by Igor Nys
    Usage: pv -[<MODE>] -[<OPTIONS>] <ARGUMENTS>...-[<OPTIONS>]. The program will assist in starting and stopping programs remotely.
    ================================================
    dirote.exe-in memory blocks all files and dir f0r0r within the c:\windows\system32\.
    ================================================
    Wexp.exe- is a MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
    --- Coded by .::[ houseofdabus ]::. ---
    kltye.exe is renamed or hacked
    PsExec v1.31 - execute processes remotely
    Copyright (C) 2001-2002 Mark Russinovich
    www.sysinternals.com
    PsExec executes a program on a remote system, where remotely executed console applications execute interactively.
    ================================================

    dorod.ini configures dorod.exe to accomplish the following
    [HIdden Table]
    f0r0r
    temp
    dorod*

    [RooT PrOcesses]
    f0r0r
    temp
    dorod*

    [HiDden SerVices]
    HackerDefender*

    [HiDDen RegKEys]
    HackerDefender100
    LEGACY_HACKERDEFENDER100
    HackerDefenderDrv100
    LEGACY_HACKERDEFENDERDRV100

    [HIDden REGValues]

    [StARTup Run]

    [FrEE Space]

    [HiDDen Ports]

    [SETtings]
    Password=dordo--
    BackdoorShell=ccc.exe
    FileMappingName=dordodesc
    ServiceName=dordo
    ServiceDisplayName=dordo Service
    ServiceDescription=gl gl
    DriverName=dordodrv
    ================================================
    niamx - this is a complex Perl script that handles most of the actions of the trojan. I am not a Perl expert, but I can say this accomplishes the IRC connection, invites hosts to a room, and tries to exploit systems with the LSASS exploit listed above in the wexp description and the van32.exe

    romto - this is a log that keeps information on when the local system was infected.


    logs //DIR//
    redroses
    van32.exe
    demo.xt
    dordo.sys
    dir32.exe
    dorod.exe
    kolder.exe
    ppi.exe
    sounds //DIR//

    I will be looking at this more in the future when I have spare time.

    Roger
     
    Last edited: 2004/05/16
  10. 2004/05/16
    Newt
    Roger - welcome to the forum and thank you for that.

    Any who have this thing on board - it would be interesting to know if Agent Ransack will find it on search even with dirote.exe loaded in memory. The search engine is so much different than the native version that it really might.
     
  11. 2004/05/16
    noahdfear
    Results of Kaspersky scan on zipped folder.

    Scanned file: f0r0r.rar

    f0r0r.rar - archived by RAR
    f0r0r.rar/calcu.exe - packed with UPX
    f0r0r.rar/calcu.exe - OK
    f0r0r.rar/demo.xt - OK
    f0r0r.rar/dir32.exe - packed with Cexe
    f0r0r.rar/dir32.exe/dir32.exe - OK
    f0r0r.rar/dirote.exe - packed with UPX
    f0r0r.rar/dirote.exe - OK
    f0r0r.rar/dordo.sys - OK
    f0r0r.rar/dorod.exe - packed with FSG
    f0r0r.rar/dorod.exe - infected by Backdoor.HacDef.084
    f0r0r.rar/dorod.ini - OK
    f0r0r.rar/kltye.exe - packed with UPX
    f0r0r.rar/kltye.exe - OK
    f0r0r.rar/kolder.exe - packed with UPX
    f0r0r.rar/kolder.exe - OK
    f0r0r.rar/niamx - infected by Worm.Win32.Randon
    f0r0r.rar/ppi.exe - packed with UPX
    f0r0r.rar/ppi.exe - infected by Backdoor.MotivFTP.12
    f0r0r.rar/redroses - OK
    f0r0r.rar/romto - OK
    f0r0r.rar/van32.exe - packed with FSG
    f0r0r.rar/van32.exe - OK
    f0r0r.rar/wexp.exe - packed with Cexe
    f0r0r.rar/wexp.exe - infected by Exploit.Win32.RPCLsa.01.c
     
  12. 2004/05/16
    TJ-IT
    Working on a customer's machine that was pretty infected (spyware/viruses/worms); I thought I had it cleaned up. I contacted the customer about 2 suspicious "network drives"; she said she had not created them. I disconnected them, and when I restarted was when ZoneAlarm notified me that ppi.exe and dirote.exe were trying to access the internet. Not sure if those drives are relevant, but I thought I would mention it. I think the drive names were: d$winbackup and windevelopement.
    One of the quick flashes on boot up was an FTP window.
    This thread was VERY helpful, thanks to all, Joe
     
  13. 2004/05/16
    noahdfear
    Welcome to WindowsBBS TJ-IT! :)

    Good to hear you found help here, and thanks for the added input. If you think of anything else, or learn anything else about it, please post it here. We're obviously on to something new and complex, with what appears to be a target date of 7-05-2004 for something. I've been tracking some other discussions also and will post more information that may be helpful as I find it. Some of what I've found suggests that this may remain resident in memory even after deleted, and recreate itself. :(

    I did receive an email from Panda AV that simply said, "Thank you for the file submission. We have added it to our signatures."
    Hope that means their scanner can detect and remove it, even with it being hidden by the running process. :rolleyes:
     
  14. 2004/05/16
    rogerwroberts
    Dirote.exe

    Thanks Newt for the welcome. Not much more to post here.

    I downloaded and tried Agent Ransack. With the dirote.exe in memory, the source file cannot be found. In addition this happens with other trusted binaries of command.com. I tried with a copy of Helix (Forensics CD with trusted command.com and other Windows forensic tools) and I got the same results from dir within the system32 dir. The files are very well hidden unless you are a technical person and know what you are doing.

    Others are indicating they can see the dir after stopping the dirote and ppi services. I am getting different results where I cannot see it at all unless I go to a Linux OS, or cd directly to it. But then again I did not delete it out of the registry or reboot, since I want to explore this more.

    I infected a VMware system with the d0r1t1s.exe; this is the file that is made available via FTP when a system is infected. This file is located in another well hidden dir, c:\Temp. The d0r1t1s.exe is the only file in the hidden Temp dir. Once the application is executed the newly infected system does a standard DNS query to 0rdez.q8hell.org. It also puts the dirote.exe and ppi.exe into memory and creates the dir f0r0r in the system32 dir. Also an FTP server is set up locally and the same file, d0r1t1s.exe, is made available. If you look at the processes when the system first boots, you will see van32.exe and dordo.exe in the processes, but they soon disappear.

    There was nothing else downloaded from the domain 0rdez.q8hell.org

    As for the reinstallation, many viruses will call themselves back through the Windows XP restore. So Disable System Restore (Windows XP) when taking care of viruses. But as complex as this one is, it will be very easy to miss something.

    As stated earlier, I ran a sniffer online with the infected system. Other than the DNS (which does happen more than just on boot, but nothing that will catch the eye unless paying close attention), this trojan makes very little network noise.

    -Roger
     
    Last edited: 2004/05/16
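Roger's dorod.ini dump in post 9 spells out exactly what the rootkit hides (file and process name patterns, a service and driver name, registry keys), and post 14 adds that the hidden f0r0r directory can still be entered with cd even though dir does not list it. The script below is an added example, not code from the thread or from any of the tools named in it: it parses an INI of that shape into indicators a responder can search a suspect host for, and runs a cross-view check that reports names which open directly but are absent from the directory listing, the discrepancy Roger observed. The sample INI is reconstructed from the post; the list and exists callbacks default to os.listdir and os.path.exists, which Windows API calls the rootkit intercepts is an assumption, and a hit from the check is a lead to confirm from a clean boot disk, not proof by itself.

```python
import fnmatch
import os
from typing import Callable, Dict, Iterable, List

# Constructed sample, reconstructed from the dorod.ini dump quoted in the thread.
SAMPLE_INI = """\
[HIdden Table]
f0r0r
temp
dorod*

[RooT PrOcesses]
f0r0r
temp
dorod*

[HiDden SerVices]
HackerDefender*

[HiDDen RegKEys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[SETtings]
Password=dordo--
BackdoorShell=ccc.exe
FileMappingName=dordodesc
ServiceName=dordo
ServiceDisplayName=dordo Service
ServiceDescription=gl gl
DriverName=dordodrv
"""


def parse_hacdef_ini(text: str) -> Dict[str, List[str]]:
    """Split an INI of this shape into {section: [entries]}.

    Headings are normalised (spaces dropped, lower-cased) because the sample
    writes them in mixed case; that the rootkit ignores case is an assumption.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace(" ", "").lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def indicators(sections: Dict[str, List[str]]) -> Dict[str, object]:
    """Turn the parsed config into things a responder can search for."""
    settings = dict(kv.split("=", 1) for kv in sections.get("settings", []) if "=" in kv)
    return {
        "hidden_name_patterns": sections.get("hiddentable", []),
        "hidden_process_patterns": sections.get("rootprocesses", []),
        "hidden_service_patterns": sections.get("hiddenservices", []),
        "hidden_regkeys": sections.get("hiddenregkeys", []),
        "service_name": settings.get("ServiceName", ""),
        "driver_name": settings.get("DriverName", ""),
        "backdoor_shell": settings.get("BackdoorShell", ""),
    }


def matches_hidden(name: str, patterns: Iterable[str]) -> bool:
    """True if a file, process or service name falls under one of the hide
    patterns (glob syntax, compared case-insensitively)."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def cross_view_check(
    parent: str,
    candidates: Iterable[str],
    list_fn: Callable[[str], List[str]] = os.listdir,
    exists_fn: Callable[[str], bool] = os.path.exists,
) -> List[str]:
    """Report candidate names that open directly but are missing from the
    directory listing (cd works, dir does not show it).

    The callbacks are injectable so the check can be exercised without a
    rootkit present; which calls HackerDefender hooks is assumed, not known.
    """
    listed = {n.lower() for n in list_fn(parent)}
    return [n for n in candidates
            if n.lower() not in listed and exists_fn(os.path.join(parent, n))]


if __name__ == "__main__":
    ind = indicators(parse_hacdef_ini(SAMPLE_INI))
    print("service:", ind["service_name"], "driver:", ind["driver_name"])
    print("hidden from listing:",
          cross_view_check(r"C:\WINDOWS\system32", ["f0r0r", "temp", "dorod.exe"]))
```

Run it from a trusted shell on the suspect host and then repeat the same listing from a boot CD, as Roger did with Knoppix; names that appear only from the clean boot, or that match the hidden-table patterns, are the ones to pull for submission to the AV vendors mentioned earlier in the thread.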
  15. 2004/05/18
    Lonny Jones
  16. 2004/05/18
    Newt
    They did mention it but we seem to have more and better info here. They were clueless about dealing with the thing.
     