Rootkit Alert

eidenk

OK guys, I caught a trojan rootkit on my Windows ME machine the other day. It is invisible from Explorer once it is executed. It is also invisible from process viewers. It very probably also prevents its registry keys from being seen with Regedit, albeit I have not looked into that.

I did post it on the Sysinternals forum on the 19th:

http://forum.sysinternals.com/forum_posts....;PN=1&TPN=9

Today I have seen on Softpedia that at least 10 antivirus software companies have updated their definitions.

It is very likely they have picked up the trojan on the sysinternal forum but I can't be sure about that.

The rootkit is here, along with the registry keys it writes:

http://stashbox.org/uploads/1158687866/Trojans.zip

You may want to download it and scan it with your antivirus if you use one, and report it if it is not detected.

You can also run it in a virtual machine if you have got one to see what it actually does. On my real machine, Jetico firewall intercepted it wanting to access the net, but I am not sure other firewalls would have caught it, as Jetico is way more efficient than all the other firewalls I have tried.

The exe is executed at startup from the HKLM runservicesonce key and the dll hooks into explorer.

If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.

I have since looked into all anti-rootkit software available and none work on 9x/ME.

The myth, propagated on this forum, notably by LLXX (Hi), that 9x/ME is secure because no one is interested in attacking it and that no antivirus or firewall is necessary on those platforms, is just that: a myth.

Best regards to all.

Edited by eidenk


If you are afraid to download it, you may want to search your machine for ifN.exe and wuhch1.dll to see if you are infected.

Note, if it is a real root-kit, you most likely won't find it in a file search unless you boot from a non-infected copy of Windows..

Otherwise, it appears to be old spyware/malware/virus (whatever your choice of words).. Google "iFN.exe" and there are things from early 2005 mentioning the file name..

http://forums.techguy.org/security/338627-...y-trojan-2.html

Otherwise the comments about Win9x and spyware are still partially right.. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away).. For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9X.. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3...

To each his own I guess.

BTW, does NOD32 really block the download or just download in the background and then scan it before giving you the chance to choose a place to save it?

Otherwise, my favorite for a while (Avast) catches both files in the zip file.

Edited by bilemke

Otherwise the comments about Win9x and spyware are still partially right.. The worst I have seen in 98 wasn't able to hide from good old DOS (which is a reboot and "F8" away).. For that matter, as far as hiding files from Windows, I have yet to see one go beyond the "hidden" file attribute in Win9X.. That isn't that bad compared to hiding it from the kernel in NT/2k/XP/2k3...

To each his own I guess.

When you execute this ifn.exe, it disappears from your view and it does not appear in a process viewer list.

That has got nothing to do with file attributes, it has everything to do with it being a rootkit.

But despite this you can search for it and find it if you know its name.

I don't theorize like you man, I just report what I have seen and done.


Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:

1) Once run it either moves or copies itself to another folder then deletes the original

2) Gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'

3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.

4) It will not show up in the task list as it instead hooks into processes rather than running as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook, hiding itself by renaming itself and changing directories each time it's run. It's easily removed through safe mode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safe mode either, I believe.

Edited by Chozo4
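The two descriptions above (eidenk's: an exe started from the HKLM RunServicesOnce key plus a dll hooked into Explorer; Chozo4's: a copy with a random name under Common Files and a registry value with an odd name such as '*GW') both come down to an autorun entry that can be triaged offline. The following is an added example, not code from the thread or from any of the tools mentioned: it parses a REGEDIT4-style registry export (the format Win9x/ME Regedit produces when you export the Run keys from a clean boot), lists the entries under the Run/RunOnce/RunServices/RunServicesOnce keys, and flags the traits the posts describe. The SAMPLE_REG text is constructed for the demo; the only file names taken from the thread are ifN.exe and wuhch1.dll, and the value name '*GW' and the Common Files path are the ones Chozo4 reported. It also shows the case-insensitive file search eidenk recommends, which should be run from a boot that is known clean since, as bilemke notes, a true rootkit hides from searches on the infected system.

```python
import os
import re

# Constructed sample of a Windows 9x/ME registry export (REGEDIT4 format).
# This is demo data, not the archive from the thread; it mirrors the posts:
# eidenk's ifN.exe under RunServicesOnce and Chozo4's '*GW' value pointing
# into C:\Program Files\Common Files\.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"ifN"="C:\\WINDOWS\\ifN.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*GW"="C:\\Program Files\\Common Files\\oiFxAtf.exe"
'''

# Autorun keys that Win9x/ME processes at boot or logon.
AUTORUN_KEYS = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")
# File names given in the thread (compared case-insensitively).
KNOWN_BAD = {"ifn.exe", "wuhch1.dll"}


def parse_reg(text):
    """Return [(key, value_name, data)] for string values under autorun keys."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        # "name"="data", with REGEDIT4 escaping (\\ and \") inside the quotes
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key and key.endswith(AUTORUN_KEYS):
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"')
                          for s in m.groups())
            entries.append((key, name, data))
    return entries


def executable_of(command):
    """Best-effort extraction of the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first executable suffix.
    m = re.match(r"(.+?\.(?:exe|com|bat|dll))(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(entries):
    """Return [(value_name, exe_path, [reasons])] for entries worth a look."""
    findings = []
    for key, name, data in entries:
        exe = executable_of(data)
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in KNOWN_BAD:
            reasons.append("file name reported in the thread")
        if "\\common files\\" in exe.lower():
            reasons.append("executable placed under Common Files")
        if not re.fullmatch(r"[A-Za-z0-9 _.()-]+", name):
            reasons.append("value name is not a normal product name")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


def find_named_files(root, names):
    """Case-insensitive search for the given file names below root."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return hits


if __name__ == "__main__":
    for name, exe, reasons in triage(parse_reg(SAMPLE_REG)):
        print(f"{name!r} -> {exe}: {'; '.join(reasons)}")
    # On a real machine, point this at the system drive from a clean boot:
    # find_named_files("C:\\", KNOWN_BAD)
```

Export the keys with Regedit from a clean boot (or from the rescue environment), feed the .reg file to parse_reg, and treat every flagged entry as something to look up, not as a verdict: the Common Files and odd-name heuristics will occasionally hit legitimate installers, while the known-name check only covers the two names this thread gives.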

Interesting chozo but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location. (not looked with Regedit but with a third party tool)

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.


I don't theorize like you man, I just report what I have seen and done.

Theorize? :rolleyes:

Just checked out 'ifn.exe'...

The reason it disappears after you run it is due to:

1) Once run it either moves or copies itself to another folder then deletes the original

2) Gives itself a randomly selected name in a randomly selected path from its own list inside the 'C:\program files\common files\' directory. In my case it ended up as 'C:\program files\common files\oiFxAtf.exe'

3) Sets the registry link with a random name to the path it sets itself to. In my case the keyname was '*GW'.

4) It will not show up in the task list as it instead hooks into processes rather than running as the file itself, which would show in the process lists.

So in essence it really isn't a rootkit at all but a process hook, hiding itself by renaming itself and changing directories each time it's run. It's easily removed through safe mode and through any other unregistration method. Had it been a rootkit you wouldn't even be able to see it through safe mode either, I believe.

Interesting chozo but the sequence of events here was as follows:

I saw that file. I did execute it. It disappeared from view but the search found it at the same place and no new exe appeared anywhere as far as I remember.

In the registry, its startup vector remained ifN.exe at the same location. (not looked with Regedit but with a third party tool)

A new dll then appeared in the sys dir which is the wuhch1.dll hooked into explorer.

A bit later Jetico told me that ifN.exe wanted to go on the internet.

I'll need to rerun this in a virtual machine anyway.

If you can use the file search feature of Explorer to find it, it is hardly a rootkit in my mind.. Even if all it takes is starting in safe mode and then you can find it, not a rootkit.. If it just hides itself from taskman, so what.. I have seen proof of how easy this is to do.. Regardless... Never mind.. I don't care to explain this further..
