Posted (edited)

OK guys, I caught a trojan rootkit on my Windows ME machine the other day. It is invisible from Explorer once it is executed. It is also invisible from process viewers. It very probably also prevents its registry keys from being seen with Regedit, albeit I have not looked into that.

I posted it on the Sysinternals forum on the 19th:

http://forum.sysinternals.com/forum_posts....;PN=1&TPN=9

Today I have seen on Softpedia that at least 10 antivirus software companies have updated their definitions.

It is very likely they have picked up the trojan on the sysinternal forum but I can't be sure about that.

The rootkit is here, along with the registry keys it writes:

http://stashbox.org/uploads/1158687866/Trojans.zip

You may want to download it and scan it with your antivirus if you use one, and report it if it is not detected.

You can also run it in a virtual machine if you have got one to see what it actually does. On my real machine, Jetico firewall intercepted it wanting to access the net, but I am not sure other firewalls would have caught it, as Jetico is way more efficient than all the other firewalls I have tried.

The exe is executed at startup from the HKLM RunServicesOnce key and the dll hooks into Explorer.

If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.

I have since looked into all anti-rootkit software available and none works on 9x/ME.

The myth propagated on this forum, notably by LLXX (Hi), that 9x/ME is secure because nobody is interested in attacking it and that no antivirus or firewall is necessary on those platforms, is just that: a myth.

Best regards to all.

Edited by eidenk

Posted

Hehe... I couldn't even download the file, thanks to NOD32. This is a reason why I still swear by antivirus applications - They're needed on all versions of Windows. :D

Posted

Good to know that NOD32 blocks it, which is not the case for all other antiviruses. I had tried F-Prot on it, I think, and it found it was OK.

Posted

AVG Free, not known for its perfect trojan detection, allows download of the zip file but reports the trojan if you try to unpack it. Good enough for me.

Posted (edited)
If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.

Note, if it is a real rootkit, you most likely won't find it in a file search unless you boot from a non-infected copy of Windows.

Otherwise, it appears to be old spyware/malware/virus (whatever your choice of words). Google "iFN.exe" and there are things from early 2005 mentioning the file name.

http://forums.techguy.org/security/338627-...y-trojan-2.html

Otherwise the comments about Win9x and spyware are still partially right. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away). For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9x. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3.

To each his own I guess.

BTW, does NOD32 really block the download or just download in the background and then scan it before giving you the chance to choose a place to save it?

Otherwise, my favorite for a while (Avast) catches both files in the zip file.

Edited by bilemke

Posted (edited)

:unsure: Thanks for the info, we spend more time on the net fighting malware etc. than surfing. Microshaft should have fixed this problem back in 97. Stupid IE, and yes I use Firefox and Opera.

Edited by wizardofwindows

Posted

Otherwise the comments about Win9x and spyware are still partially right. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away). For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9x. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3.

To each his own I guess.

When you execute this ifn.exe, it disappears from your view and it does not appear in a process viewer list.

That has got nothing to do with file attributes, it has everything to do with it being a rootkit.

But despite this you can search for it and find it if you know its name.

I don't theorize like you man, I just report what I have seen and done.

Posted (edited)

Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:

1) Once run it either moves or copies itself to another folder then deletes the original

2) gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'

3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.

4) It will not show up in the task list as it instead hooks into processes rather than running as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook while hiding itself through renaming itself and changing directories each time it's run. It's easily removed through safemode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safemode either I believe.

Edited by Chozo4
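
A way to check a machine (or a mounted image of one) for the indicators described in this thread, as an added example that is not code from the thread or from any of its posters. It combines the file names from the first post (ifN.exe, wuhch1.dll) with what Chozo4 reports above: an executable dropped under Program Files\Common Files and an autostart value whose name begins with an asterisk. It reads a .reg export of the Run/RunOnce/RunServices/RunServicesOnce keys and walks a directory tree, so it can run from a clean system against a mounted disk rather than on the suspect machine. The sample export and directory layout in the block are constructed for illustration, not taken from an infected machine; the asterisk check relies on Microsoft's documented Win9x behaviour that a RunOnce/RunServicesOnce value whose name starts with `*` is run even in Safe Mode.

```python
"""Triage helper for the indicators discussed in this thread (added example).

Checks a .reg export of the autostart keys and a directory tree for:
  * the file names named in the thread (ifN.exe, wuhch1.dll)
  * an asterisk-prefixed value name (Win9x runs it even in Safe Mode)
  * a run-once entry launching an executable from Program Files\\Common Files
All inputs below are constructed samples, not data from an infected machine.
"""
import ntpath
import os
import re
import tempfile

IOC_FILENAMES = {"ifn.exe", "wuhch1.dll"}
AUTOSTART_LEAVES = {"run", "runonce", "runservices", "runservicesonce"}

KEY_RE = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\([A-Za-z]+))\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|dll))\b', re.IGNORECASE)
COMMON_FILES_RE = re.compile(r"\\program files\\common files\\", re.IGNORECASE)

REASON_IOC = "filename matches an indicator named in the thread"
REASON_STAR = "asterisk-prefixed value name: Win9x runs it even in Safe Mode"
REASON_ONCE = "run-once entry launching an executable from Common Files"

# Constructed .reg export in the REGEDIT4 format Win9x/ME regedit writes.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"ifN"="C:\\WINDOWS\\SYSTEM\\ifN.exe"
"*GW"="C:\\Program Files\\Common Files\\oiFxAtf.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Tools\\example.exe"
'''


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for values under autostart keys."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Any other key (including non-autostart ones) ends the section.
            current = m.group(1) if m and m.group(2).lower() in AUTOSTART_LEAVES else None
            continue
        v = VALUE_RE.match(line)
        if current and v:
            # .reg exports double every backslash inside string data.
            yield current, v.group("name"), v.group("data").replace("\\\\", "\\")


def assess_autostart(reg_text):
    """Return [(key_path, value_name, data, [reasons])] for suspicious values."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        m = EXE_RE.match(data)
        exe = ntpath.basename(m.group("path")).lower() if m else ""
        reasons = []
        if exe in IOC_FILENAMES:
            reasons.append(REASON_IOC)
        if name.startswith("*"):
            reasons.append(REASON_STAR)
        if key.lower().endswith("once") and COMMON_FILES_RE.search(data):
            reasons.append(REASON_ONCE)
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


def find_ioc_files(root, names=IOC_FILENAMES):
    """Walk root and return paths whose file name matches, case-insensitively."""
    hits = [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() in names]
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway tree mimicking C:\\WINDOWS\\SYSTEM (constructed)."""
    root = tempfile.mkdtemp(prefix="win9x_")
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system)
    for fn in ("KERNEL32.DLL", "WuHch1.DLL"):  # mixed case, as FAT may show it
        open(os.path.join(system, fn), "wb").close()
    return root


if __name__ == "__main__":
    for key, name, data, reasons in assess_autostart(SAMPLE_REG):
        print(f"{key}\n  {name!r} = {data}\n  -> " + "; ".join(reasons))
    for path in find_ioc_files(build_sample_tree()):
        print("file indicator:", path)
```

To use it on a real box, export the four keys with regedit (Win9x writes the REGEDIT4 format the parser expects) and point `find_ioc_files` at the drive root or a mounted image; a file search from a clean boot is the only one that counts here, since the thread itself notes that a hooked Explorer may not show the file.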
Posted

Interesting, Chozo, but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location (not looked at with Regedit but with a third-party tool).

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.

Posted
I don't theorize like you man, I just report what I have seen and done.

Theorize? :rolleyes:

Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:

1) Once run it either moves or copies itself to another folder then deletes the original

2) gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'

3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.

4) It will not show up in the task list as it instead hooks into processes rather than running as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook while hiding itself through renaming itself and changing directories each time it's run. It's easily removed through safemode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safemode either I believe.

Interesting, Chozo, but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location (not looked at with Regedit but with a third-party tool).

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.

If you can use the file search feature of Explorer to find it, it is hardly a rootkit in my mind. Even if all it takes is starting in safe mode and then you can find it, not a rootkit. If it just hides itself from taskman, so what. I have seen proof of how easy this is to do. Regardless... Never mind. I don't care to explain this further.
