Monday, June 14, 2010

Trojans

A Trojan is a malicious program disguised as something benign. Trojans are often downloaded along with another program or software package. Once installed on a system, they can cause data theft and loss, and system crashes or slowdowns; they can also be used as launching points for other attacks such as Distributed Denial of Service (DDOS). Many Trojans are used to manipulate files on the victim computer, manage processes, remotely run commands, intercept keystrokes, watch screen images, and restart or shut down infected hosts. Sophisticated Trojans can connect themselves to their originator or announce the Trojan infection on an Internet Relay Chat (IRC) channel.





Types of Trojans
TROJ_QAZ is a Trojan that renames the application notepad.exe file to note.com and then copies itself as notepad.exe to the Windows folder. This will cause the Trojan to be launched every time a user runs Notepad. It has a backdoor that a remote user or hacker can use to connect to and control the computer using port 7597. TROJ_QAZ also infects the registry so that it is loaded every time Windows is started.

Tini is a very small and simple backdoor Trojan for Windows operating systems. It listens on port 7777 and gives a hacker a remote command prompt on the target system. To connect to a Tini server, the hacker telnets to port 7777.

Donald Dick is a backdoor Trojan for Windows operating systems that allows a hacker full access to a system over the Internet. The hacker can read, write, delete, or run any program on the system. Donald Dick also includes a keylogger and a registry parser and can perform functions such as opening or closing the CD-ROM tray. The attacker uses the client to send commands to the victim, which listens on a predefined port. Donald Dick uses default port 23476 or 23477.

NetBus is a Windows GUI Trojan program and is similar in functionality to Donald Dick. It adds the registry key HKEY_CURRENT_USER\NetBus Server and modifies the HKEY_CURRENT_USER\NetBus Server\General\TCPPort key. If NetBus is configured to start automatically, it adds a registry entry called NetBus Server Pro in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

SubSeven is a Trojan that can be configured to notify a hacker when the infected computer connects to the Internet and can tell the hacker information about the system. This notification can be done over an IRC network, by ICQ, or by e-mail. SubSeven can cause a system to slow down, and generates error messages on the infected system.

BackOrifice 2000 is a remote administration tool that an attacker can use to control a system across a TCP/IP connection using a GUI interface. BackOrifice doesn’t appear in the task list or list of processes, and it copies itself into the registry to run every time the computer is started. The filename that it runs is configurable before it’s installed. BackOrifice modifies the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices registry key. BackOrifice plug-ins add features to the BackOrifice program. Plug-ins include cryptographically strong Triple DES encryption, a remote desktop with optional mouse and keyboard control, drag-and-drop encrypted file transfers, Explorer-like filesystem browsing, graphical remote registry editing, reliable UDP and ICMP communications protocols, and stealth capabilities that are achieved by using ICMP instead of TCP and UDP.

BoSniffer appears to be a fix for BackOrifice but is actually a BackOrifice server with the SpeakEasy plug-in installed. If BoSniffer.exe, the BoSniffer executable, is run on a target system, it attempts to log on to a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes so that the hacker community can use this system as a zombie for future attacks.
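
The default ports and registry locations listed above can be turned into a quick triage check. The following is an added example, not code from the original post: it scans netstat-style output and a registry snapshot for those defaults. The sample data, the ExampleUpdater and ExampleVendor names, and the function names are constructed for illustration, and because the text notes that ports and filenames are configurable, a hit is a lead for review and a clean result proves nothing.

```python
# Indicators below are the defaults named in the text; operators can change them.
TROJAN_PORTS = {7597: "TROJ_QAZ", 7777: "Tini",
                23476: "Donald Dick", 23477: "Donald Dick"}
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
NETBUS_KEY = r"HKEY_CURRENT_USER\NetBus Server"

# Constructed sample in the shape of `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      10.0.0.5:7597          ESTABLISHED
  TCP    [::]:23476             [::]:0                 LISTENING
"""

# Constructed registry snapshot: key path -> value names found under it.
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices":
        ["NetBus Server Pro", "ExampleUpdater"],
    r"HKEY_CURRENT_USER\NetBus Server\General": ["TCPPort"],
    r"HKEY_CURRENT_USER\Software\ExampleVendor": ["Setting"],
}

def suspicious_listeners(netstat_text):
    """Return (port, trojan) for local TCP listeners on a listed default port."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Only local listening sockets count; a remote port match is ignored.
        if len(f) != 4 or f[0] != "TCP" or f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])
        if port in TROJAN_PORTS:
            hits.append((port, TROJAN_PORTS[port]))
    return hits

def suspicious_registry(snapshot):
    """Return (key, value, reason); registry paths compare case-insensitively."""
    hits = []
    for key, values in snapshot.items():
        k = key.lower()
        if k == NETBUS_KEY.lower() or k.startswith(NETBUS_KEY.lower() + "\\"):
            hits += [(key, v, "NetBus configuration key") for v in values]
        elif k == RUNSERVICES.lower():
            for v in values:
                known = v.lower() == "netbus server pro"
                hits.append((key, v, "NetBus autostart entry" if known
                             else "review: RunServices autostart"))
    return hits

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT) + suspicious_registry(SAMPLE_REGISTRY):
        print(hit)
```

Every RunServices value is reported for review, not only the NetBus name, because BackOrifice uses the same key with a filename chosen at install time.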



Hacking Tools

Graffiti is an animated game that can be wrapped with a Trojan. It entertains the user with an animated game while the Trojan is being installed in the background. Silk Rope 2000 is a wrapper that combines the BackOrifice server and any other specified application. ELiTeWrap is an advanced .exe wrapper for Windows used for installing and running programs. ELiTeWrap can create a setup program to extract files to a directory and execute programs or batch files that display help menus or copy files onto the target system. IconPlus is a conversion program that translates icons between various formats. An attacker can use this type of application to disguise malicious code or a Trojan so that users are tricked into executing it, thinking it is a legitimate application.



Wednesday, June 9, 2010

How to install Ardamax Keylogger

The latest version of Ardamax Keylogger can be downloaded here for free.

To see how to install this keylogger, watch this video.











Friday, June 4, 2010

Keyloggers

What is a keylogger?
--------------------
Keystroke logging (often called keylogging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.
A keylogger is a stealth program that records all of your keystrokes (the things you type) and sends them to a log file. From there, valuable information about you, e.g. passwords, can be found. If you go to a website like eBay, for example, the person who set up the keylogger can search through everything typed after that and find your credit card number and PIN. In my experience, keyloggers are also often used by gamers who have no idea about anything to do with computers, so they just download open-source keyloggers, compile them but change the output, and then use them to hack into their friends' game accounts (WoW, etc.).
As stated above, a .bat program is just a program that executes standard DOS commands. Look those up on Google.
Notepad is a text editor, the same as WordPad, SimpleText, vi, etc. It is probably the most commonly used one, and yes, you can write the source code for many major programs in it, although I recommend you use an environment more suited to programming if you are just beginning (Bloodshed, PHP Pro, Visual Studio 2005, etc.).
The bottom line is that it doesn't matter where you write a program; you still need a compiler to make it work. When you write in text, you are writing using very basic syntax that is almost readable. Compilers take this standard information and translate it into "computer language" for the computer to read and execute. That's basically the essence of programming (missing a few details but meh).









Types of keyloggers presently available:
1. Spytech SpyAgent Stealth Edition 6.51
2. All In One Keylogger 3.2
3. Spector Pro 2010 build 5392
4. REFOG Personal Monitor 6.1.6
5. eBlaster 2010 build 3132
6. Elite Keylogger Pro 4.7 [build 519]
7. The Best Keylogger 3.53 [build 1003]
8. Stealth Keylogger 5.5
9. SpyBuddy 3.7.5
10. CyberSpy 2.7
11. Perfect Keylogger 1.68
12. WinSession Logger 4.6
13. PC Activity Monitor Pro (PC Acme Pro) 6.5.1
14. ActMon PRO EDITION 5.11
15. XPC Spy Pro 3.33
16. Powered Keylogger 2.3.2.2020
17. Spy Lantern Keylogger Pro 6.0
18. iMonitorPC Pro 2.7.2
19. PC Spy Keylogger 2.3
20. Golden Eye 4.50
21. Key Prowler Pro 3.3.6.0
22. Advanced Keylogger 2.0 [build 2.0.9.3910]
23. Handy Keylogger 4.0 [build 023]