Rootkit Alert - MSFN Forum

Rootkit Alert

#1 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 22 September 2006 - 04:57 AM

OK guys, I caught a trojan rootkit on my Windows ME machine the other day. It is invisible from Explorer once it is executed. It is also invisible from process viewers. It very probably also prevents its registry keys from being seen with Regedit, albeit I have not looked into that.

I did post it on the Sysinternals forum on the 19th:

http://forum.sysinternals.com/forum_posts....;PN=1&TPN=9

Today I have seen on Softpedia that at least 10 antivirus software companies have updated their definitions.

It is very likely they have picked up the trojan on the Sysinternals forum but I can't be sure about that.

The rootkit is here, along with the registry keys it writes:

http://stashbox.org/...866/Trojans.zip

You may want to download it and scan it with your antivirus if you use one, and report it if it is not detected.

You can also run it in a virtual machine if you have got one to see what it actually does. On my real machine, Jetico firewall intercepted it wanting to access the net but I am not sure other firewalls would have caught it, as Jetico is way more efficient than all the other firewalls I have tried.

The exe is executed at startup from the HKLM runservicesonce key and the dll hooks into explorer.

If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.

I have since looked into all anti-rootkit software available and none works on 9x/ME.

The myth, propagated on this forum, notably by LLXX (Hi), that 9x/ME is secure because no one is interested in attacking it and that no antivirus or firewall is necessary on those platforms, is just that: a myth.

Best regards to all.

This post has been edited by eidenk: 22 September 2006 - 05:17 AM



#2 wizardofwindows

  • Wizard of Windows
  • Group: Banned
  • Posts: 443
  • Joined: 17-June 05

Posted 22 September 2006 - 05:59 AM

:hello: It's not because of 9x or NT, it's because of IE, always first to catch a cold lol.

#3 jimmsta

  • Advanced Member
  • Group: Members
  • Posts: 370
  • Joined: 04-May 05

Posted 22 September 2006 - 10:25 AM

Hehe... I couldn't even download the file, thanks to NOD32. This is a reason why I still swear by antivirus applications; they're needed on all versions of Windows. :D

#4 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 22 September 2006 - 10:37 AM

Good to know that NOD32 blocks it, which is not the case for all other antiviruses. I had tried F-Prot on it I think and it found it was OK.

#5 noguru

  • Advanced Member
  • Group: Members
  • Posts: 307
  • Joined: 24-February 06

Posted 23 September 2006 - 05:28 AM

AVG Free, not known for its perfect trojan detection, allows download of the zip file but reports the trojan if you try to unpack it. Good enough for me.

#6 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 23 September 2006 - 07:26 PM

I have uploaded them on Jotti: http://virusscan.jotti.org/

On a second scan NOD32 didn't recognize the dll. And F-Prot (DOS version) didn't recognize it either on my machine.

#7 bilemke

  • Member
  • Group: Members
  • Posts: 211
  • Joined: 08-December 03

Posted 24 September 2006 - 02:31 AM

eidenk, on Sep 22 2006, 04:57 AM, said:

If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.


Note, if it is a real rootkit, you most likely won't find it in a file search unless you boot from a non-infected copy of Windows.

Otherwise, it appears to be old spyware/malware/virus (whatever your choice of words). Google "iFN.exe" and there are things from early 2005 mentioning the file name.

http://forums.techguy.org/security/338627-...y-trojan-2.html


Otherwise the comments about Win9x and spyware are still partially right. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away). For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9X. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3...

To each his own I guess.

BTW, does NOD32 really block the download or just download in the background and then scan it before giving you the chance to choose a place to save it?

Otherwise, my favorite for a while (Avast) catches both files in the zip file.

This post has been edited by bilemke: 24 September 2006 - 02:34 AM


#8 wizardofwindows

  • Wizard of Windows
  • Group: Banned
  • Posts: 443
  • Joined: 17-June 05

Posted 24 September 2006 - 05:51 AM

:unsure: Thanks for the info, we spend more time on the net fighting malware etc. than surfing. Microshaft should have fixed this problem back in 97. Stupid IE, and yes I use Firefox and Opera.

This post has been edited by wizardofwindows: 24 September 2006 - 05:51 AM


#9 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 24 September 2006 - 08:17 AM

bilemke, on Sep 24 2006, 02:31 AM, said:

Otherwise the comments about Win9x and spyware are still partially right. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away). For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9X. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3...

To each his own I guess.


When you execute this ifn.exe, it disappears from your view and it does not appear in a process viewer list.

That has got nothing to do with file attributes, it has everything to do with it being a rootkit.

But despite this you can search for it and find it if you know its name.

I don't theorize like you man, I just report what I have seen and done.

#10 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 24 September 2006 - 09:17 AM

bilemke, on Sep 24 2006, 02:31 AM, said:

Google "iFN.exe" and there are things from early 2005 mentioning the file name..

http://forums.techguy.org/security/338627-...y-trojan-2.html


A filename means nothing. There is no behaviour of ifn.exe described anywhere on your link. Nor is there a code name for it.

#11 Chozo4

  • Advanced Member
  • Group: Members
  • Posts: 392
  • Joined: 31-July 05

Posted 24 September 2006 - 12:56 PM

Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:
1) Once run it either moves or copies itself to another folder then deletes the original
2) Gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'
3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.
4) It will not show up in the task list as it instead hooks into processes and does not run as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook, while hiding itself through renaming itself and changing directories each time it's run. It's easily removed through safe mode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safe mode either, I believe.

This post has been edited by Chozo4: 24 September 2006 - 01:00 PM
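As an added illustration that is not from anyone in this thread, the following Python script applies the indicators eidenk and Chozo4 report (the RunServicesOnce/Run autostart keys, the ifN.exe and wuhch1.dll file names, an odd value name like '*GW', and an executable sitting directly under Common Files) to a text export of the registry, the kind Regedit's "Export" produces. The sample export is constructed, and the three heuristics are my own assumptions, not a signature for this malware.

```python
import re

AUTOSTART_KEYS = {  # autostart keys consulted on Win9x/ME; the thread names RunServicesOnce
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
}
KNOWN_NAMES = {"ifn.exe", "wuhch1.dll"}  # file names reported in the thread
EXE_RE = re.compile(r"[^\\\s]+\.(?:exe|dll|com|scr)")

def parse_reg_export(text):
    """Yield (key, value_name, data) from a REGEDIT4-style text export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double every backslash inside quoted strings
            yield key, name.strip('"'), data.strip().strip('"').replace("\\\\", "\\")

def suspicious_autostarts(text):
    """Return [(value_name, data, [reasons])] for autostart entries worth a look."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key not in AUTOSTART_KEYS:
            continue
        target = data.lower()
        match = EXE_RE.search(target)
        reasons = []
        if match and match.group(0) in KNOWN_NAMES:
            reasons.append("file name reported in thread")
        if not re.fullmatch(r"[a-z0-9_ .-]+", name.lower()):
            reasons.append("odd value name")  # the thread saw '*GW'
        tail = target.split("\\common files\\", 1)
        if len(tail) == 2 and "\\" not in tail[1]:  # legitimate apps use a subfolder
            reasons.append("executable directly under Common Files")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export: two typical Win98 Run entries plus the two the thread describes.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"*GW"="C:\\program files\\common files\\oiFxAtf.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"ifN"="C:\\WINDOWS\\ifN.exe"
'''
```

Running `suspicious_autostarts(SAMPLE_REG)` flags only the '*GW' and 'ifN' entries; the two stock entries pass all three checks.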


#12 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 24 September 2006 - 01:20 PM

Interesting chozo but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location. (not looked with Regedit but with a third party tool)

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.

#13 bilemke

  • Member
  • Group: Members
  • Posts: 211
  • Joined: 08-December 03

Posted 25 September 2006 - 12:18 AM

eidenk, on Sep 24 2006, 08:17 AM, said:

I don't theorize like you man, I just report what I have seen and done.


Theorize? :rolleyes:

Chozo4, on Sep 24 2006, 12:56 PM, said:

Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:
1) Once run it either moves or copies itself to another folder then deletes the original
2) Gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'
3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.
4) It will not show up in the task list as it instead hooks into processes and does not run as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook, while hiding itself through renaming itself and changing directories each time it's run. It's easily removed through safe mode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safe mode either, I believe.



eidenk, on Sep 24 2006, 01:20 PM, said:

Interesting chozo but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location. (not looked with Regedit but with a third party tool)

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.


If you can use the file search feature of Explorer to find it, it is hardly a rootkit in my mind. Even if all it takes is starting in safe mode and then you can find it, not a rootkit. If it just hides itself from taskman, so what. I have seen proof of how easy this is to do. Regardless... Never mind. I don't care to explain this further.

#14 eidenk

  • MSFN Addict
  • Group: Banned
  • Posts: 1,527
  • Joined: 28-March 05

Posted 25 September 2006 - 07:56 AM

I think my only possibly wrong assumption was that it was ifn.exe that was the rootkit whereas it is the dll it drops.

A variant of LinkOptimizer/Gromozon apparently.

http://www.scmagazine.com/us/news/article/...ted-250000-pcs/
http://securityblog....rtal.com/?p=465

Copyright © 2001 - 2011 msfn.org