Trojans/en

Trojans, worms, and viruses

From time to time, unscrupulous people believe that, in the better good of the Internet, that all computers should be running distributed.net clients without the permission of the owner of the machine. distributed.net frowns upon this practice and actively pursues these people. Such unauthorized methods of deploying our software is strongly against our usage policies and clearly violate our mission statement.

Currently, there are some known trojans being passed around. Many of the recent variants leverage the openness and connectivity of the Internet to actively look for weakly protected computers that can be remotely infected. Because of this new method of infection, computers can be infected without the user explicitly executing an infected program by themself. These computers (specifically Win9x machines) are infected not because of a specific operating system weakness, but because of a common mistake explicitly made by the user to share their entire hard-drive with full write access to anybody. This is roughly equivalent to leaving your front door completely unlocked.

Note that the presence of DNETC.EXE and DNETC.INI (but with another email address) on a computer may potentially represent an authorized installation of our client software, knowingly done by the owner of the machine, so it not reasonable to indiscriminately delete all instances of those filenames should you find them.

• Symantec has a description of what distributed.net is

Cleaning and Protecting your computer

There are many precautions that can be taken by users to keep their machines free from the potential of being infected in the first place. Since many of the newer worm variants replicate by copying themselves to writable file shares, users should be sure to avoid sharing folders unless they absolutely need to. Share folders as read-only access and avoid full-control sharing, since that allows others to alter or delete your files. Furthermore, if a folder is shared, you should be certain to share only a specific folder and not an entire hard drive or an entire subdirectory tree.

• Microsoft Protect Your PC (protection information)
• Symantec How to configure shared Windows folders for maximum network protection(protection information)
• Zone Labs Zone Alarm personal firewall (protection software)
• Gibson Research Shield's Up vulnerability scanner (protection check)
• MooSoft The Cleaner: Trojan Detection and Removal (cleanup software)
• Spybot Search and Destroy Spybot: Trojan and Spyware Removal (cleanup software)
• Ad-Aware Ad-Aware: Trojan and Spyware Removal (cleanup software)

Known variants (most recent first)

1. [Oct 2004] A trojan that is possible a variant of the iosdt a year ago has surfaced. It has been seen on peer-to-peer file sharing networks under the name "Sims2 Crack.exe" and when run it silently installs dnetc v2.9001-477 onto your computer. dnetc may have been renamed as iosdt.com or explorer.exe to hide its presence. The installer is compressed with UPX and contains the string "yeh, now we're ready to bring it on!" among other strings. This trojan appears to be Polish in origin and is running with participant id "grazpat@poczta.onet.pl"
2. [Oct 2003] A trojan named "Mega Emoticon Pack" is currently in circulation. It installs some emoticons and installs dnetc into the system32 directory. The id is koe@gameparty.net, and it uses a proxy named protoss.2y.net.
3. [Oct 2003] A trojan claiming to be a "Product Activation" tool is in circulation. It installs in system32\iosdt\. The id is nordom@o2.pl. It emails its log files through smtp.o2.pl. You will see a process, iosdt.exe, using taskman.
4. [Aug 2003] Several reports of Windows 2000 machines that have been compromised and found to have an unauthorized installation of dnetc and a stealthy rootkit. The dnetc.ini file is reported to contain the email address rc5@molice.nl and a personal proxy at 80.247.214.170. The website www.darkrider.nl is also suspected to have an unknown role in deploying the toolkit to attacked machines.

   
   The stealth rootkit contained logic to hide the presence of the root toolkit itself and the dnetc processes from other system utilities (such as task manager). The root toolkit can be recognized by the presence of Services named "yyzvxf", "yyzvxrk", and "yyzvxshl". Such machines will also contain a directory named "C:\Winnt\system32\yyzvxDIR" containing the files: "yyzvxf.exe", "yyzvxrk.exe", "yyzvxrk.ini", "yyzvxshl.exe", "yyzvxgina.reg","yyzvxinfo.exe". The rootkit includes a password keystroke logger, IRC bot, FTP file server, and other unknown functionality.

   
   It is currently unknown what network exploit is used initially gain access to the attacked machines. Only reports of attacked Windows 2000 machines have been received so far. However it is speculated that the DCOM vulnerability mentioned in MS03-026 may possibly be related since exploits for it that grant remote shells are readily available. It is believed that all machines were attacked "manually" and not through a self-propagating worm.

5. [Apr 2002] A number of compromised Windows machines have been found with a copy of the dnetc client configured with the address dpc_de@hotmail.com. The affected machines were typically using a dnetc.ini that used a personal proxy server at address 62.195.38.112 (node-d-2670.a2000.nl). Although the email address implies a connection with the team "Dutch Power Cows", there is no official relationship between the two. It is believed that the trojan was distributed on the Kazaa filesharing network within a program claiming to be an MSN hacking utility.
6. [Dec 2000] A new worm has been discovered that installs the dnetc client as DN2.EXE within the Windows directory. The INI file is known to contain the address Vinokurov@inbox.ru or jitchenko@usa.net. The client is configured to communicate with the personal proxy keyserver at bobik.2y.net. No other details are known at this time.
7. [Dec 2000] Another new worm has been discovered that installs the dnetc client v2.8002.446 as INTERNAT.EXE within the Windows directory. The client is configured to launch itself from the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

   LangSupportEx="C:\WINDOWS\internat.exe -hide"

   
   The INTERNAT.INI is configured to use the email address cehghbp@yahoo.com. The client additionally is configured to connect through a personal proxy at 62.76.120.4 (video.krasu.ru) on port 2065. This worm seems able to infect open shares that have arbitrary names and not only those named "C".

8. [Sept 2000] An EXE based worm (known as W32/Msinit, Trojan.Win32.Bymer, W32.HLLW.Bymer, Dnet.Dropper) that infects Win9x machines with open file shares has been discovered. This worm propagates by randomly selecting an arbitrary IP address and attempting to connect to the "C" file share on that machine. If it is successful in accessing that share, it will copy several files into the remote machine's "\WINDOWS\Start Menu\Programs StartUp\" and "\WINDOWS\SYSTEM\" directories:
   • MSxxx.EXE ~22016 bytes (size and filename varies slightly)
   • MSCLIENT.EXE 4096 bytes
   • INFO.DLL (text file log of other infected computers)
   • DNETC.EXE 186188 bytes (official release v2.8010-463-CTR-00071214)
   • DNETC.INI (containing the email address bymer@inec.kiev.ua or bymer@ukrpost.net)

   
   Please note that the MSxxx.EXE file will vary slightly and will contain the first numerical component of your computer's IP address and possibly a few extra characters. For example, the following filenames have been encountered: MS216.EXE, MSI216.EXE, MSI211.EXE. The size of the file has been found to sometimes vary slightly as well but is always approximately 22kb in size.

   
   Additionally, as a part of the infection, the following line may be added to the remote computer's \WINDOWS\WIN.INI file: load=c:\windows\system\msxxx.exe (filename varies)

   
   Once either of the first two EXEs have executed once, under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ registry key, the following registry value may be added: MSINIT=c:\windows\system\msxxx.exe(filename varies)

   
   Since the worm also executes "dnetc.exe -hide -install", there will also be the addition of another registry value to automatically start the client as well. Note that the existence of that other registry value in itself may not necessarily imply an unauthorized installation of our software by the worm, such as if the owner of the machine had legitimately installed our client software.

   • McAfee's description of W32/Msinit or profile
   • Symantec's description of W32.HLLW.Bymer
   • Symantec's manual removal instructions
   • Computer Associate's description of Win32.Bymer
   • Summary of the results of the honeypot project, which focused primarily on the Bymer worm
9. [Oct 2000] An EXE worm that is a variant of the above worm was discovered that replicates using the same techniques as above, except it deploys a file named WININIT.EXE into the WINDOWS\SYSTEM directory, which is approximately 220kb in size. Both variations have the same functionality, but their payloads vary slightly. Wininit.exe carries the Dnetc client with it, whereas Msinit.exe only copies it, which accounts for the size difference. The DNETC.EXE and DNETC.INI are also deployed into the WINDOWS\SYSTEM directory, and the client is configured to run with the email addresses ogr@gala.net or mereel@gmx.de or mama@papa.net or gentleps@muohio.edu or postmaster@127.0.0.1
   • Antivirus products typically identify this variant as being identical to the Win32.Bymer or W32.HLLW.Bymer worm.
10. [Aug 2000] Another EXE worm (known as W32.HLLW.QAZ.A, QAZ.Trojan, Trojan/Notepad, note.com) replicates by renaming your Windows NOTEPAD.EXE to NOTE.COM and replacing the original filename with a trojan executable. Once running, it will try to copy itself to other computers within your Windows Network Neighborhood. This worm includes the ability to allow others to remotely control your machine and give hackers direct access to any files that your machine has access to. Some variants of this worm have been known to simultaneously install copies of the distributed.net dnetc.exe client.
    • McAfee's description of W32/QAZ.worm or profile
    • Symantec's description of W32.HLLW.Qaz.A or what it is
    • Symantec's qazfix tool
    • Computer Associate's description of Qaz Worm
11. [April 2000] There are two variants of the VBS.Network or VBS.NetLog worm that distribute versions 2.8005.455 or 2.8007.45X of dnetc.exe with their payload. This virus/worm can be recognized by the presence of "network.vbs" and "microsoft_office.lnk" in the Windows StartUp group, and "network.log" in the c:\ root directory. A copy of dnetc.exe and dnetc.ini are placed in the c:\windows\ directory with the email address: bl4ckr0d@hotmail.com or jdefoe@linuxstart.com or nugget@slacker.com

    
    This worm replicates by randomly connecting to an arbitrary IP address and attempting to open a fileshare named "C" and copying the infected files directly into the StartUp group. Users can protect themselves by ensuring that they do not share their entire hard drive for full-write access without a password.

    • CERT advisory about the netlog worm
    • Symantec's description of VBS.Network or what it is
    • McAfee's description of VBS/NetLog.worm.c

    • Computer Associate's description of VBS.Network

12. [June 2000] A LiteStep desktop theme that resembles a StarCraft "Zerg" style theme has been distributed under the filename "installtheme.exe" on some websites. When this self-installing theme is installed, it simultaneously installs a copy of the distributed.net client.
13. [May 1998] There are rumors of one being passed around on the Usenet in the X-files news groups. This one was cloaked as a puzzle game with Gillian Anderson pics, which also installed rc5desg.exe and an ini. This trojan was posted twice once in May 1998, and again in June 1998. The reason it is "rumored" is that we have not been able to verify its existence because of the age of the postings.
14. [Dec 1997] It is also known that version 2.6403 of the win32gui has been circulated in a zipfile named ipspoof.zip, which contains the files ipspoof.dat, ipspoof.dll, ipspoof.exe, and readme!.txt. The simple exe installer will copy the client to \windows\system\rc564gui.exe and configure the client to start automatically in hidden mode and compute blocks for the user fbicrasher@hotmail.com. This appears to have been distributed in this manner starting in December 1997.
15. One called "mycollection.exe". This supposedly is a picture viewer with Teen pornography. This was being distributed by an IRC bot automatically dcc sending to clients when they joined certain channels. This trojan consisted an install program, which installed rc5desg.exe and ini into your windows/system directory, and hid it and ran it.
16. Another is called cindyply.zip. This is even worse in that not only does it do what mycollection.exe does, it installs Back Orifice with the Butt Trumpet plug-in as well. This one is being distributed on Usenet binaries groups as an AVI collection and player.

Punishments

All guilty parties have been removed from their teams, their passwords changed, and no longer can win any money, and removed from stats. Their team password is also changed, and email is sent to the team coordinator.

If a team organizer can show that this was done without authorization or knowledge of the organizer, the team will be returned, and all blocks done for the team by the guilty email address will be removed.

If you have any information on any of these, or ones that you've discovered on your own or have been victims, please mail abuse@distributed.net or visit our email support form and we will get on the case right away.