Contents:
---------
o Summary - a summary of the trojan
o Removal - how to remove the trojan
o Threat Analysis - the possible dangers
o Prevention - how to keep this from happening
o File Information - information on the .EXE file
o Unit Information - information on what 3rd party packages it uses
o Form 1 - information on the first window found in the application
o Form 2 - information on the second window found in the application
o Thoughts - conjecture of mine
Summary:
--------
The exe (ickill.exe, 98s.exe, icqhijaak.exe) was made with
Borland Delphi, either version 2 or 3, as it is a 32-bit
application. When executed, it copies itself to the Windows
directory, and creates registry entries to make it start up when
Windows starts. Once opened, it sets up a server on port 5000 or
7789, which allows certain persons to download, upload, delete, and
create files, and perhaps to even take screenshots.
Removal:
--------
1.) Ctrl+Alt+Del and end any task named "mschv32.exe", any second
    explorer, or any task named "1.exe"
2.) Delete *any* instance of MSCHV32.EXE or 1.EXE
3.) If there is an EXPLORER.EXE in your WINDOWS\SYSTEM directory,
    delete it
4.) Open WINDOWS\REGEDIT.EXE and use Edit | Find to find and delete
    any references to 1.EXE or MSCHV.EXE
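The Summary and the four removal steps above amount to a checklist of indicators: suspect task names, dropped files, Run-key references, and a listener on TCP 5000 or 7789. The script below is an added example (not part of the original analysis) that runs that checklist over constructed sample data; the indicator values are the ones given in this write-up, while the process list, file list, registry values and netstat rows are invented for the demonstration.

```python
"""Host triage for the indicators named in this write-up.

Added example, not code from the original analysis. It checks constructed
sample data (process list, file list, registry Run values, a netstat-style
listing, a file image) against the indicators the write-up gives: the
process/file names MSCHV32.EXE, 1.EXE and MSCHV.EXE, an EXPLORER.EXE in
WINDOWS\\SYSTEM, listeners on TCP 5000 or 7789, and the sample's MD5/size.
"""
import hashlib
import re
from dataclasses import dataclass

SUSPECT_NAMES = {"mschv32.exe", "mschv.exe", "1.exe"}   # Removal section
SUSPECT_PORTS = {5000, 7789}                             # Summary section
KNOWN_MD5 = "711dfb9a0f23058cb238302eb2d46c35"           # File Information
KNOWN_SIZE = 335872                                      # File Information
NAME_RE = re.compile(r"\b(mschv32\.exe|mschv\.exe|1\.exe)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # process / file / registry / listener
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_processes(names):
    """Flag suspect task names and a second copy of explorer.exe."""
    found = [Finding("process", n) for n in names if _basename(n) in SUSPECT_NAMES]
    explorers = [n for n in names if _basename(n) == "explorer.exe"]
    if len(explorers) > 1:
        found.append(Finding("process", f"{len(explorers)} copies of explorer.exe: {explorers}"))
    return found


def check_files(paths):
    """Flag dropped files and an explorer.exe living in WINDOWS\\SYSTEM."""
    found = []
    for p in paths:
        low = p.replace("/", "\\").lower()
        if _basename(p) in SUSPECT_NAMES:
            found.append(Finding("file", p))
        elif low.endswith("\\windows\\system\\explorer.exe"):
            found.append(Finding("file", p + " (the real explorer.exe lives in WINDOWS, not SYSTEM)"))
    return found


def check_registry(values):
    """values maps 'key\\valuename' -> data string, as seen in REGEDIT."""
    return [Finding("registry", f"{k} = {v}") for k, v in values.items() if NAME_RE.search(v)]


def check_listeners(netstat_lines):
    """Parse 'Proto  Local  Foreign  State' rows; flag the backdoor ports."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in SUSPECT_PORTS:
            found.append(Finding("listener", f"TCP port {port} listening"))
    return found


def matches_known_sample(data: bytes) -> bool:
    """True only if size and MD5 both equal the analysed sample's values."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5


# --- constructed sample data (not taken from a real machine) ---
SAMPLE_PROCESSES = ["EXPLORER.EXE", "C:\\WINDOWS\\SYSTEM\\EXPLORER.EXE", "MSCHV32.EXE", "NOTEPAD.EXE"]
SAMPLE_FILES = ["C:\\WINDOWS\\MSCHV32.EXE", "C:\\WINDOWS\\SYSTEM\\EXPLORER.EXE", "C:\\WINDOWS\\NOTEPAD.EXE"]
SAMPLE_REGISTRY = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\System": "C:\\WINDOWS\\MSCHV32.EXE",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTray": "SysTray.Exe",
}
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:5000    0.0.0.0:0    LISTENING",
    "TCP    0.0.0.0:139     0.0.0.0:0    LISTENING",
    "TCP    127.0.0.1:1029  127.0.0.1:80 ESTABLISHED",
]


def triage():
    """Run every check over the sample data and return all findings."""
    return (check_processes(SAMPLE_PROCESSES) + check_files(SAMPLE_FILES)
            + check_registry(SAMPLE_REGISTRY) + check_listeners(SAMPLE_NETSTAT))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.kind}] {f.detail}")
```

On a real machine the inputs would come from the task list, a directory listing, a REGEDIT export and `netstat -a`; the checks themselves do not change. The second-explorer test matters because step 1 of the removal says the trojan can run as an extra EXPLORER.EXE, which a name match alone would miss.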
Threat Analysis:
----------------
Backdoor-style trojans such as these pose a serious threat
to the average user. Most people are used to having installation
programs crap out on them, and so when a program gives them an error
message and "quits," they delete the EXE and move on. If the user
has any sensitive information on their computer, they will
indubitably wish to keep it private.
Prevention:
-----------
One way to prevent such a trojan being installed unwittingly on
your machine is to change the way you install programs. InControl 3,
available at
http://www.zdnet.com/pcmag/pctech/content/15/13/ut1513.001.html, is a
utility which tracks the changes a program makes to a system. Use it
whenever you're installing a program, regardless of the program's
pedigree. You can look at the log later to see what registry keys have
been added, what INI files have been changed, and what directories and
files have been changed, added, or deleted. This kind of trojan is too
new to be detected with a virus scanner, and trojans are simple to
make. The best defense in this case is good program hygiene.
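The before/after comparison InControl 3 performs is simple to reproduce. The following is an added example, not InControl's code and not from this write-up: it takes a hash snapshot of a directory tree and parses a REGEDIT text export, then diffs two snapshots of each kind into the added, changed and deleted lists the paragraph above says to review. The directory tree and the two .reg exports in `demo()` are constructed for the demonstration.

```python
"""Before/after install snapshots, in the spirit of InControl 3.

Added example; it is not InControl's code and not from the write-up. One
snapshot hashes every file under a directory; another parses a REGEDIT
export (.reg text). Diffing two snapshots of each kind yields the
added / changed / deleted lists worth reviewing after any install.
demo() builds a throwaway tree and two constructed .reg exports.
"""
import hashlib
import os
import tempfile


def snapshot_files(root):
    """Map each file's path (relative to root, '/' separators) to its MD5."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def parse_reg_export(text):
    """Map (key, valuename) -> data for a text .reg export; '@' is the default value."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            result[(key, name.strip('"'))] = data
    return result


def diff_snapshots(before, after):
    """Generic diff of two dicts: keys added, changed (different value), deleted."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
        "deleted": sorted(set(before) - set(after)),
    }


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


# constructed .reg exports (Windows 95/98 REGEDIT4 format), before and after a pretend install
REG_BEFORE = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"""
REG_AFTER = REG_BEFORE + '"System"="C:\\\\WINDOWS\\\\MSCHV32.EXE"\n'


def demo():
    """Simulate an install that drops a file, edits WIN.INI, deletes a file and adds a Run value."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "WINDOWS/WIN.INI", "[windows]\nrun=\n")
        _write(root, "WINDOWS/NOTEPAD.EXE", "MZ-original")
        before = snapshot_files(root)
        _write(root, "WINDOWS/MSCHV32.EXE", "MZ-dropped")          # dropped file
        _write(root, "WINDOWS/WIN.INI", "[windows]\nrun=MSCHV32.EXE\n")  # INI edited
        os.remove(os.path.join(root, "WINDOWS", "NOTEPAD.EXE"))      # file removed
        after = snapshot_files(root)
    return {
        "files": diff_snapshots(before, after),
        "registry": diff_snapshots(parse_reg_export(REG_BEFORE), parse_reg_export(REG_AFTER)),
    }


if __name__ == "__main__":
    for area, changes in demo().items():
        print(area, changes)
```

Hashing rather than comparing timestamps is deliberate: an installer that rewrites a file with the same size and date still shows up as changed. For the registry, a diff of the Run and RunServices keys is the part that catches the start-up entry this trojan creates.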
File Information:
-----------------
Filename: ICKILL.EXE, 98S.EXE, ICQHIJAAK.EXE
File Size: 335,872 bytes
MD5 Message Digest: 711DFB9A0F23058CB238302EB2D46C35
Unit Information:
-----------------
The units used are these:
Cheval FileCtrl Consts System SysInit Dialogs ExtCtrls Messages
Windows SysUtils Classes TypInfo ActiveX Controls Forms Printers
WinSpool Graphics Menus Imm Commctrl StdCtrls Dlgs CommDlg Buttons
Scrute Spin WSocket WSockbuf Wait WinSock ShellAPI Registry Unit2
unit1
All units here are standard Delphi units except for Scrute,
WSocket, WSockbuf, Wait, Unit2, and unit1. Scrute is an unknown
unit, whose name, in French, means "scan". WSocket, WSockbuf, and
Wait are all units for a common winsock Delphi component, TWSocket.
Unit2 and unit1 are the two forms used by the project.
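The unit list above was recovered from plain strings in the EXE, and sorting it into "standard", "known third-party" and "unknown" is what tells you the program's capabilities before any dynamic analysis. The script below is an added example, not from this write-up: it extracts identifier-like runs from a byte blob and classifies them with lookup tables built from the listing above. `SAMPLE_BLOB` is a constructed stand-in for the relevant bytes of the binary, with junk bytes between the names, and the capability descriptions are my own summary of what each unit provides.

```python
"""Pull Delphi unit names out of a binary and sort them by what they imply.

Added example, not from the write-up. Delphi executables carry their unit
names as plain ASCII (the listing above was recovered that way), so a
strings-style scan plus a lookup table gives a quick capability picture.
SAMPLE_BLOB is a constructed stand-in for the relevant bytes of the EXE.
"""
import re

STANDARD_UNITS = {  # Delphi 2/3 RTL and VCL units named in the listing above
    "FileCtrl", "Consts", "System", "SysInit", "Dialogs", "ExtCtrls", "Messages",
    "Windows", "SysUtils", "Classes", "TypInfo", "ActiveX", "Controls", "Forms",
    "Printers", "WinSpool", "Graphics", "Menus", "Imm", "Commctrl", "StdCtrls",
    "Dlgs", "CommDlg", "Buttons", "Spin", "WinSock", "ShellAPI", "Registry",
}
TWSOCKET_UNITS = {"WSocket", "WSockbuf", "Wait"}   # the TWSocket winsock component
CAPABILITIES = {  # what a unit's presence lets the program do
    "WSocket": "TCP/IP client or server (TWSocket)",
    "WinSock": "raw winsock calls",
    "Registry": "read/write the registry (e.g. Run keys)",
    "ShellAPI": "launch programs / shell operations",
    "FileCtrl": "enumerate drives and directories",
}
TOKEN_RE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{2,}")
PROJECT_FORM_RE = re.compile(r"^[Uu]nit\d+$")   # Delphi's default form-unit names


def extract_names(blob):
    """Return identifier-like ASCII runs in order of appearance, deduplicated."""
    seen, out = set(), []
    for m in TOKEN_RE.finditer(blob):
        name = m.group().decode("ascii")
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def classify_units(names):
    """Bucket each name and collect the capabilities the known units imply."""
    report = {"standard": [], "twsocket": [], "project_forms": [], "unknown": [], "capabilities": []}
    for n in names:
        if n in STANDARD_UNITS:
            report["standard"].append(n)
        elif n in TWSOCKET_UNITS:
            report["twsocket"].append(n)
        elif PROJECT_FORM_RE.match(n):
            report["project_forms"].append(n)
        else:
            report["unknown"].append(n)   # worth a closer look (here: Cheval, Scrute)
        if n in CAPABILITIES:
            report["capabilities"].append(CAPABILITIES[n])
    return report


# constructed: length/junk bytes between names, as a raw dump of the EXE would show
SAMPLE_BLOB = (b"\x00\x06Cheval\x00\x08FileCtrl\x01\x06System\x00\x08Messages\xff\x07Windows"
               b"\x00\x08SysUtils\x00\x07WSocket\x00\x08WSockbuf\x02\x04Wait\x00\x07WinSock"
               b"\x00\x08ShellAPI\x00\x08Registry\x00\x06Scrute\x00\x05Unit2\x00\x05unit1\x00")


def triage_blob(blob=SAMPLE_BLOB):
    return classify_units(extract_names(blob))


if __name__ == "__main__":
    for bucket, items in triage_blob().items():
        print(f"{bucket}: {items}")
```

Against the real file you would pass the whole EXE as `blob`; the token regex will also pick up unrelated strings, so only the names that hit a table are meaningful, and anything left in `unknown` that looks like a unit name (Cheval, Scrute) is where reversing effort should go first.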
Form 1:
-------
The property list for the first form looks like this:
object Form1: TForm1
  Left = 370
  Top = 198
  BorderIcons = [biSystemMenu]
  BorderStyle = bsDialog
  Caption = 'Form1'
  ClientHeight = 115
  ClientWidth = 436
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  Position = poScreenCenter
  OnClose = FormClose
  OnCreate = FormCreate
  PixelsPerInch = 96
  TextHeight = 13
  object ChatPort: TEdit
    Left = 10
    Top = 41
    Width = 31
    Height = 21
    Font.Charset = DEFAULT_CHARSET
    Font.Color = clWindowText
    Font.Height = -11
    Font.Name = 'MS Sans Serif'
    Font.Style = []
    ParentFont = False
    TabOrder = 0
    Text = '5000'
    Visible = False
  end
  object DelaiDistant: TSpinEdit
    Left = 45
    Top = 41
    Width = 41
    Height = 22
    Font.Charset = DEFAULT_CHARSET
    Font.Color = clWindowText
    Font.Height = -11
    Font.Name = 'MS Sans Serif'
    Font.Style = []
    MaxValue = 500
    MinValue = 0
    ParentFont = False
    TabOrder = 1
    Value = 0
    Visible = False
  end
  object SrvSocket: TWSocket
    Proto = 'tcp'
    MultiThreaded = False
    OnSessionAvailable = SrvSocketSessionAvailable
    FlushTimeout = 60
    SendFlags = wsSendNormal
    Left = 5
    Top = 4
  end
  object CliSocket: TWSocket
    Proto = 'tcp'
    MultiThreaded = False
    OnDataAvailable = CliSocketDataAvailable
    OnSessionClosed = CliSocketSessionClosed
    FlushTimeout = 60
    SendFlags = wsSendNormal
    Left = 37
    Top = 5
  end
end
We can see it is a form, default size, screen center, with an
edit box (named ChatPort, default text = '5000'), and a spin box
(named DelaiDistant, default value = 500). It has two TWSockets, one
a server (apparently), the other a client. The server has an event
handler for when someone tries to connect to it. What that does is
unknown. The client has event handlers for when someone sends the
client data, and for when the client is disconnected. Again, what it
does is unknown.
Form 2:
-------
The property list for the second form:
object Form_HD: TForm_HD
  Left = 415
  Top = 189
  Width = 138
  Height = 87
  BorderIcons = [biSystemMenu, biMaximize]
  Caption = 'Form_HD'
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  Position = poScreenCenter
  PixelsPerInch = 96
  TextHeight = 13
  object DriveComboBox: TDriveComboBox
    Left = 20
    Top = 38
    Width = 89
    Height = 19
    TabOrder = 0
    Visible = False
  end
  object Scrute: TScruteDossier
    Dossier = 'c:\'
    Filtre = '*.*'
    SousDossier = False
    OnFichier = ScruteFichier
    OnDossier = ScruteDossier
    OnFinExecute = ScruteFinExecute
    MaxPenetration = 10000
    Left = 70
    Top = 4
  end
  object FileCliSocket: TWSocket
    Proto = 'tcp'
    MultiThreaded = False
    OnDataAvailable = FileCliSocketDataAvailable
    OnSessionConnected = FileCliSocketSessionConnected
    FlushTimeout = 60
    SendFlags = wsSendNormal
    Left = 31
    Top = 3
  end
end
This is the engine of the program. The form is non-default
size (87x138). It has an unknown component, TScruteDossier, which
presumably scans the directory tree, returning file names, paths,
attributes, etc. "Scrute Dossier" in French means "scan file." It
also has a drive combo box, which is simply a combo box with a list
of all drives on the machine. It has a TWSocket client, which has
event handlers for when the client receives data, and when the
client connects to a server.
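The two property lists (Form 1 and Form 2 above) are Delphi text-form resources, and the reading the author did by hand, which components exist, which are hidden, which talk TCP and which event handlers they wire up, is mechanical enough to script. Below is an added example, not code from the write-up: a small parser for this `object ... end` format, plus helpers that pull out the network components, the invisible edit controls carrying defaults (the port), and the handler names a reverser would then look for in the code. `FORM1_DFM` is the Form 1 listing above, copied verbatim; the parser ignores multi-line DFM values (binary `{...}` blocks, string continuations), which these forms do not use.

```python
"""Parse a Delphi text DFM and summarise what matters for analysis.

Added example, not from the write-up. Handles the subset of the DFM text
format seen in the two forms above: nested 'object Name: Type' ... 'end'
blocks with single-line 'Prop = value' pairs. Multi-line values are not
supported (and do not occur in these forms).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    typ: str
    props: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


OBJ_RE = re.compile(r"^object\s+(\w+)\s*:\s*(\w+)\s*$")
PROP_RE = re.compile(r"^([\w.]+)\s*=\s*(.*)$")


def parse_dfm(text):
    """Build the component tree; raises ValueError on unbalanced object/end."""
    stack, root = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJ_RE.match(line)
        if m:
            comp = Component(m.group(1), m.group(2))
            if stack:
                stack[-1].children.append(comp)
            else:
                root = comp
            stack.append(comp)
        elif line == "end":
            if not stack:
                raise ValueError("'end' without matching object")
            stack.pop()
        else:
            m = PROP_RE.match(line)
            if m and stack:
                stack[-1].props[m.group(1)] = m.group(2)
    if root is None or stack:
        raise ValueError("malformed DFM: unbalanced object/end")
    return root


def walk(comp):
    yield comp
    for child in comp.children:
        yield from walk(child)


def network_components(root):
    """Socket-type components with their protocol and On* event handlers."""
    out = []
    for c in walk(root):
        if "socket" in c.typ.lower():
            handlers = {k: v for k, v in c.props.items() if k.startswith("On")}
            out.append({"name": c.name, "type": c.typ,
                        "proto": c.props.get("Proto", "").strip("'"), "handlers": handlers})
    return out


def hidden_defaults(root):
    """Invisible controls still carry defaults the code reads (here: the port)."""
    return [(c.name, (c.props.get("Text") or c.props.get("Value") or "").strip("'"))
            for c in walk(root) if c.props.get("Visible") == "False"]


def event_handlers(root):
    """Handler method names to locate in the code segment when reversing."""
    return sorted(v for c in walk(root) for k, v in c.props.items() if k.startswith("On"))


# Form 1 listing from this write-up (trimmed to the properties the helpers use)
FORM1_DFM = """
object Form1: TForm1
  Caption = 'Form1'
  Position = poScreenCenter
  OnClose = FormClose
  OnCreate = FormCreate
  object ChatPort: TEdit
    Text = '5000'
    Visible = False
  end
  object DelaiDistant: TSpinEdit
    MaxValue = 500
    MinValue = 0
    Value = 0
    Visible = False
  end
  object SrvSocket: TWSocket
    Proto = 'tcp'
    OnSessionAvailable = SrvSocketSessionAvailable
  end
  object CliSocket: TWSocket
    Proto = 'tcp'
    OnDataAvailable = CliSocketDataAvailable
    OnSessionClosed = CliSocketSessionClosed
  end
end
"""

if __name__ == "__main__":
    form = parse_dfm(FORM1_DFM)
    print(network_components(form))
    print(hidden_defaults(form))
    print(event_handlers(form))
```

Run against Form 2 the same helpers report FileCliSocket with its OnDataAvailable and OnSessionConnected handlers and the hidden DriveComboBox, which is the author's reading of that form.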
Thoughts:
---------
(None of these are supported by fact, so don't mistake them for the
truth; they are *my* opinions only):
I think this program was created by someone relatively new to Delphi
programming.
Why:
* The author uses Delphi components to do things like scan the
directory tree and check for all the drives on a machine, when code
for this is readily available in easier-to-use code snippets.
* Naming conventions: this program doesn't follow any Delphi naming
conventions. Most professional or intermediate Delphi programmers
follow some sort of naming convention, either Hungarian notation or
their own personal conventions.
* The number of forms, etc. If this was a good programmer, they
could have made it much smaller, and much more obtrusive.
I'm told this program is called "Master's Paradise" and
that it's made by someone/some group/some place/somewhatever called
the Munich Brain House. Searches on the internet have turned up
squat, save for some pages about vibrators. No idea why. But
apparently, every woman needs a "Deep Stroker." I should put that on
my business card.
Anyways, if you have any more information about this
trojan, where it came from, who made it, etc, please mail me at
messiah@jps.net. Thanks.
Credits
The Holy Bible 1997-1998 Self-Induced Negativity
ICKill Trojan Analysis
By: The Messiah
Released: July 3, 1998
http://www.sinnerz.com