by ?
Written in Visual Basic
size: 453.632 bytes
text string in binary: "Dynamic Trojan Horse Network"

According to ISS X-Force:

"DTHN propagates through email and through open NetBIOS file shares. DTHN installs itself and establishes communication to a sophisticated peer-to-peer communications network, to further spread infections and launch additional attacks.

Impact: As with most network worms, DTHN propagation can cause network congestion, automatically compromise victim systems, and configure a sophisticated network that can be used for Distributed Denial of Service (DDOS). Once the backdoor is installed, it can be accessed by the author, or third party attackers.

Description: The DTHN worm reportedly originated in Germany in October 2002. Propagation in the wild was only detected on December 19, 2002.

DTHN has the following capabilities:
- Mass emailing component
- DDOS component
- NetBIOS file share scanning component
- IRC flooding component
- Port redirection
- Port scanning
- Secure P2P communications network

DTHN is a new class of Trojan that includes a data driven configuration, sophisticated P2P communications, and a modular architecture. Once installed on a system, DTHN scans Internet Relay Chat (IRC) servers that are hard-coded in the DTHN configuration script. The DTHN Trojan captured by X-Force communicates over multiple IRC networks, yet does not join IRC channels like many IRC capable Trojan horse programs of the past. This behavior makes it more difficult to detect the size and scope of the DTHN network. DTHN uses a large list of IRC nicknames with an additional character prefix and suffix defined by the configuration file. Each DTHN Trojan is assigned a static username parameter which is defined in the configuration file. This is used by the network to perform peer discovery. While scanning for and connecting to an IRC server, DTHN actively scans for open NetBIOS shares on a network and then attempts to propagate by copying instances of itself to writable shares.

DTHN establishes an additional peer-to-peer network of infected systems using high TCP ports. The peer-to-peer network forwards authenticated messages between the infected systems from the "master" user. DTHN has a distributed update mechanism that allows the master to modify the configuration file to change the behavior of individual Trojan horse installations, or that of the entire network. DTHN modules can also be pushed to the network to add new capabilities such as mass-email, DDoS, NetBIOS scanning, IRC flooding, port redirection, and port scanning. DTHN uses MD5 hashes to authenticate the master user to the DTHN machines."

MegaSecurity