We previously released an analysis of the WinSATAN Trojan (WinSATAN Backdoor/Trojan). Narr0w from Legion2000 has done further research on the Trojan and found additional information about it.
Credit:
Narr0w's full analysis of the Trojan is available at: http://narr0w.thehackers.com/
Apparently, the Trojan starts an FTP daemon that listens for connections on port 999. The default directory for this FTP server is C:\TEMP, and no username or password is required: any username/password pair will gain entry.
As we previously described, the Trojan gives remote access to the victim's machine. One of the 'features' this Trojan gives the attacker is the ability to format the victim's hard drive. This is accomplished by running the following command:
echo,y,|,format,c:\",>,c:\autoexec.bat
This command adds a line to the autoexec.bat, instructing it to run an unconditional format the next time the computer starts.
Narr0w also found the complete list of IRC servers this Trojan tries to connect to:
irc.stealth.net, www.rootshell.com, irc.webbernet.net, irc.stealth.net, ircnet.sprynet.org, irc.webbernet.net, irc.univ-lyon.fr, ircnet.sprynet.com, irc.rus.uni.stuttgart.de, irc.rus.uni-stuttgart.de, eu.ircnet.org, us.ircnet.org, us.ircnet.org, eu.ircnet.org, web.im.tut.fi, irc.univ-lyon1.fr, 206.252.192.20 (irc.stealth.net).
After connecting to an IRC server, the Trojan uses one of the following nicknames:
USIL55, GUERIN, Entel, Procergs6, Rich0433, Niels, SII78, KTE-MP63, Usil94,
CCG67, Usil5, PROCERGS, Authorized, Jorge, Suporte88.
A private message is sent to the nicknames scroll and scroll1. The message looks like this:
Privmsg scroll Online! I am ... , I use ... , my CPU is a ...
Privmsg scroll1 Online! I am ... , I use ... , my CPU is a ...
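The indicators listed above (the unauthenticated FTP listener on port 999, the format line written to autoexec.bat, the IRC servers, the nicknames and the "Online! I am ..." private message) are enough to build a small host and traffic checker. The following Python is an added example, not part of the original advisory or of Narr0w's analysis. The "netstat -an" layout it parses and the ":nick!user@host PRIVMSG target :text" wire form of the IRC message are assumptions about how those artifacts appear on a Windows host and on the network; the sample inputs under __main__ are constructed.

```python
"""Indicator matching for the WinSATAN Trojan, built from the advisory's own
indicators (added example, not part of the advisory or of Narr0w's analysis).
Sample inputs below are constructed."""
import re

# Indicators taken from the advisory text.
BEACON_TARGETS = {"scroll", "scroll1"}   # nicknames that receive the PRIVMSG
FTP_PORT = 999                            # unauthenticated FTP daemon
TROJAN_NICKS = {
    "USIL55", "GUERIN", "Entel", "Procergs6", "Rich0433", "Niels", "SII78",
    "KTE-MP63", "Usil94", "CCG67", "Usil5", "PROCERGS", "Authorized", "Jorge",
    "Suporte88",
}
IRC_SERVERS = {  # duplicates in the advisory's list collapsed
    "irc.stealth.net", "www.rootshell.com", "irc.webbernet.net",
    "ircnet.sprynet.org", "ircnet.sprynet.com", "irc.univ-lyon.fr",
    "irc.univ-lyon1.fr", "irc.rus.uni.stuttgart.de", "irc.rus.uni-stuttgart.de",
    "eu.ircnet.org", "us.ircnet.org", "web.im.tut.fi", "206.252.192.20",
}

# "Privmsg scroll Online! I am ... , I use ... , my CPU is a ...". The optional
# ":nick!user@host " prefix and the ":" before the text are what an IRC server
# adds when it relays the message (assumed wire form).
BEACON_RE = re.compile(
    r"^(?::(?P<nick>[^!\s]+)\S*\s+)?PRIVMSG\s+(?P<target>\S+)\s+:?Online!\s+I am\b",
    re.IGNORECASE,
)
# "echo y | format c:" as written into autoexec.bat; also accepts the
# comma-separated form quoted in the advisory.
FORMAT_RE = re.compile(r"echo[\s,]+y[\s,]*\|[\s,]*format[\s,]+[a-z]:", re.IGNORECASE)
# Assumed Windows "netstat -an" line, e.g.
# "  TCP    0.0.0.0:999    0.0.0.0:0    LISTENING"
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def is_winsatan_beacon(irc_line: str) -> bool:
    """True if the IRC line is the Trojan's 'Online! I am ...' message to scroll/scroll1."""
    m = BEACON_RE.match(irc_line.strip())
    return bool(m) and m.group("target").lower() in BEACON_TARGETS


def beacon_nick(irc_line: str):
    """Sender nickname of a beacon line, or None if it is not a beacon or carries no prefix."""
    m = BEACON_RE.match(irc_line.strip())
    if not m or m.group("target").lower() not in BEACON_TARGETS:
        return None
    return m.group("nick")


def uses_trojan_nick(nick: str) -> bool:
    """True if the nickname is one the Trojan is known to pick."""
    return nick in TROJAN_NICKS


def is_trojan_irc_server(host: str) -> bool:
    """True if the host is one of the IRC servers the Trojan tries to reach."""
    return host.strip().lower() in IRC_SERVERS


def format_lines(autoexec_contents: str) -> list:
    """Lines of autoexec.bat that would run the unconditional format at boot."""
    return [ln for ln in autoexec_contents.splitlines() if FORMAT_RE.search(ln)]


def listening_on_ftp_port(netstat_output: str) -> bool:
    """True if a TCP listener on port 999 appears in 'netstat -an' output."""
    for ln in netstat_output.splitlines():
        m = LISTEN_RE.match(ln)
        if m and int(m.group("port")) == FTP_PORT:
            return True
    return False


if __name__ == "__main__":
    # Constructed samples: one infected host, one clean one.
    irc_capture = [
        ":USIL55!u@host PRIVMSG scroll :Online! I am Win98 , I use x , my CPU is a y",
        ":alice!a@b PRIVMSG scroll :hello there",
    ]
    for line in irc_capture:
        if is_winsatan_beacon(line):
            nick = beacon_nick(line)
            print("WinSATAN beacon from", nick, "(known Trojan nick)" if uses_trojan_nick(nick) else "")
    print("autoexec format lines:", format_lines("@echo off\necho y | format c:\nwin"))
    print("port 999 listener:", listening_on_ftp_port("  TCP    0.0.0.0:999    0.0.0.0:0    LISTENING"))
    print("Trojan IRC server:", is_trojan_irc_server("irc.stealth.net"))
```

The beacon check keys on the destination nickname and the fixed "Online! I am" prefix rather than on the sender's nickname, because the nickname list is only one of fifteen choices and a normal user could pick one by chance; the nickname match is reported as corroboration. The autoexec check is the one worth running on any suspect host before the next reboot, since the format line only takes effect at startup.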