I'm not coming here for help (it's too late for that) but I want to warn everyone about a new trojan/virus that is out in the wild and has claimed at least one victim already.
It has the full package, a real trojan's trojan including: a Keylogger, a virus that attacks .exe, .com, and .vbs files, the hidden server, the ability to create ISO files (using exe2bin.exe), and the topper is a hidden "read only" file system containing a boot image and hidden modules that are embedded into your systems ramdisk (BIOS), and infects Windows on every re-install also any hard drive that is connected to the mainboard (before or after infection).
It attempts to phone home to 220.127.116.11 (a bogus IP) on port TCP 1900 as an instance of svc.host ... has language support for Korean, Japanese, and Chinese... I found 3 website URLs as well, piaodown.net and piaodown.com and a crsky.net ... all out of China.
piaodown.net = [ 18.104.22.168 ]
harbin Heilongjiang 150070
piaodown.com = [ 22.214.171.124 ]
wenquan li (CDXHQTKOFD)
haerbin Heilongjiang 150070
crsky.net = [ 126.96.36.199 ]
Domain Name: crsky.net
RM.502 NO.11 PUHUA ALLEY BAIXIA DISTRICT NANJING CHN
I am no stranger to trojans ... this one is one high tech piece of code. It seems to use a flaw that Microsoft supposedly fixed and that is faking Microsoft digitally signed certificates for drivers (like i386.cab) and it also creates a multitude of hash rules for all group and local policy settings on the victim's PC (essentially taking ownership).
It also controls your disk controller (unfortunately mine was built-in) so you can't use your Floppy or CD-Rom drives to try and combat the trojan, and sets up an ADMIN account.
To make an even longer story a bit shorter ... It can infect AT LEAST Windows XP Home/Pro w/SP1 and most of the pre-SP2 patches installed, and no scanner (TDS-3, Tauscan, NOD32, Sophos, Hi-Jack This, Kaspersky, Trojan Hunter, Spybot, or Trojan Remover to name a few) even detects it at all in the slightest fashion. I am working on getting Gavin from DCS, the makers of TDS-3, the files from this thing for study when I get going again.
You may wonder how I found it then ... well that is a long story, but it basically started with finding some strange files and file extensions and ended up with me looking at all the hidden modules and the bootloader and failing to be able to remove anything without the password, at which point it then retaliated and filled my drive up to the MAX with temp files (and locked it), forcing a Windows re-install and a re-infection ... this time it would not allow any AVs, Firewalls, or Disk Cleaners to be installed.
I just bought a new board on eBay today to replace this trojanized board and some new memory just to be extra safe ... But right now I am using a very weak backup PC and I am not too happy with the money it's costing me.
Edited by Swami, 15 June 2004 - 10:58 PM.