Approved-By: route@RESENTMENT.INFONEXUS.COM
Date: Sat, 3 Oct 1998 01:40:46 MDT
Reply-To: L S D
Sender: Bugtraq List
From: L S D
Subject: Another Windows Trojan...
To: BUGTRAQ@NETSPACE.ORG

The source code to the Windows trojan called 'Acid Shiver' that covered most of Efnet last year has been released. The source code is all Visual Basic 5.0 (SP3), and not much effort was put into organization. It had been distributed through 'WaReZ' DCC bots, and had over 7000 users within 2 months. It was disguised as a million different applications; the Setup.exe file in different programs was replaced by the trojan, which would install itself into the registry on first use.

As soon as the program is run, it registers its process as a 'Windows Service', thus removing it from all task lists. It waits until an active internet connection is established (by attempting connections to an array of SMTP servers), and then e-mails the creator with the random TCP port number it listens on, the time, and a large amount of sensitive information resident on the victim's hard drive. The creator then connects via telnet to the specified port and is given a prompt that looks like a DOS shell. Any command can be executed, with the results shot back across the TCP connection; network topology can be shown (net * commands), files may be downloaded, the deployer may "bounce" through the victim to another host, and system settings/registry entries can be changed.

The victim can use a netstat to see the listening port/connections. It loads automatically through the HKLM/M$/Windows/Current Version/Run Services, Run, Run Once, and Run Services Once entries. If it detects another copy running it exits. The file size for the exe changed depending upon the exe-packer used, and any hex-editing done by the deployer.

Among the IRC operators infected were _cls_ and saralee, along with some other high profiles on Efnet (among the hacking/warez community).

- elessdee
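The post gives two host-side indicators a defender can check: the four Run-family registry keys the trojan uses to persist, and the random listening TCP port that netstat reveals. The following PowerShell script is an added example, not part of the original post or of the 'Acid Shiver' source, that enumerates those autorun entries, flags any whose command points outside the Windows or Program Files directories, and lists listening TCP ports with their owning process. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the NetTCPIP module (for Get-NetTCPConnection); the RunServices and RunServicesOnce keys exist only on Windows 9x-era systems and are skipped when absent. The "outside trusted directories" heuristic is an assumption of this example, not a rule from the post.

```powershell
# Added example (not from the original post): inventory the autorun registry keys
# the trojan description names and list listening TCP ports with owning processes.
# Assumes Windows PowerShell 5.1+ / PowerShell 7 on Windows with the NetTCPIP module.
# RunServices / RunServicesOnce are Windows 9x keys; they are skipped if not present.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    # One object per value under each autorun key that exists on this host
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc. metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

function Get-SuspiciousAutoruns {
    # Heuristic (assumption of this example): autorun commands that do not live under
    # the Windows or Program Files trees deserve a closer look. A trojan dropped in
    # place of a downloaded Setup.exe runs from wherever the user launched it.
    $trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
        Where-Object { $_ }
    Get-AutorunEntries | Where-Object {
        $cmd = [string]$_.Command
        -not ($trusted | Where-Object { $cmd -like "*$_*" })
    }
}

function Get-ListeningPorts {
    # Equivalent of "netstat -an" restricted to LISTEN, joined to the owning process
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }
}

'== Autorun entries =='
Get-AutorunEntries | Format-Table -AutoSize
'== Autorun entries outside Windows / Program Files =='
Get-SuspiciousAutoruns | Format-Table -AutoSize
'== Listening TCP ports =='
Get-ListeningPorts | Sort-Object LocalPort | Format-Table -AutoSize
```

Run it from an elevated prompt so that Get-Process can resolve the executable path of every listener; a listening port whose owning process is not a known service, or an autorun value whose command points at a user-writable directory, is the kind of anomaly the post's netstat advice is meant to surface. The Run keys are only the persistence locations this particular trojan used; a fuller inventory (services, scheduled tasks, Winlogon entries) is outside what the post covers.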