
US Dept. of Justice Trojan... anyone know what it does?

Status
Not open for further replies.

msdonb

IS-IT--Management
Dec 20, 2007
61
Our company was just hit with a trojan inside a spoofed USDOJ e-mail. Looked somewhat legitimate, but I haven't been able to find a fix anywhere. Does anyone know anything about this or how to get rid of it? Not sure what kind of damage it does, but if it's a keylogger I need a fix asap because it's on an important machine. Thanks all for your help.

 
Did you search for the file xp2007.dat in C:\?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
ok, nothing in those logs, post the combo and you can try running a few rootkit scanners!




* Copy the contents of the code box below into notepad, save it as findtheother.bat, and save it to your desktop.



@echo off
echo ** This batch was originally written by OSC **
rem Stop if the suspect folder is missing; otherwise every command below
rem (including the recursive attrib) would run against the current folder instead.
if not exist "C:\WINDOWS\system32\rfrnjyp\" (
    echo Folder C:\WINDOWS\system32\rfrnjyp not found.
    pause
    exit /b 1
)
rem /d also switches drive if the prompt is not already on C:
cd /d C:\WINDOWS\system32\rfrnjyp
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
rem List only entries carrying the hidden attribute
dir /a:h >> C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
rem List only entries carrying the system attribute
dir /a:s >> C:\contents.txt
rem Clear the system, read-only, hidden and archive attributes on this folder tree
attrib /d /s -s -r -h -a
start notepad C:\contents.txt
exit




Double-click the findtheother.bat file to run it. When it is done it will open a text file showing all hidden and system files in that folder. Post the contents of that file in your next reply to this thread.




Download rkfiles and unzip the contents to a new folder on your desktop.


* Unzip RKfiles.zip to the desktop
* Double-click RKFiles.bat to run it.
  o It may take a while.
* When it is finished a window should appear with a log.
* Please copy the contents of the log and paste them here
  o Note: the log will be saved at c:\log.txt



Download catchme.exe ( 25kB ) to your desktop.


Double click the catchme.exe to run it.
Open the catchme.log and copy and paste its contents here please



Also, please run Blacklight beta:


Don't let it fix anything but post the log it makes.



so, post the catchme log, the blacklight, the bat file, and the rkfile log!




Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
So, on Friday before I ran the combo, my Trend Micro Office Scan alerted me of two files infected by the same trojan that were quarantined but not removed from the system:

Time/Date Computer Name Virus name Infection source Infected file Scan type Scan result View detail...
2/29/2008 12:22:08 MSHR001 TROJ_ALLAPLE.AG A0007414.EXE Manual Scan Virus successfully detected, but infected file cannot be cleaned. File was quarantined. View

2/29/2008 11:47:15 MSHR001 TROJ_ALLAPLE.AG csrss.EXE Scheduled Scan Virus successfully detected, but infected file cannot be cleaned. File was quarantined. View
 
ok, where are these files located, give their full path?

They look like they are in system restore?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
c:\windows\inf\

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP132\

Yes, it did infect system restore. System restore has been disabled on that machine.
 
ok, can you post the logs requested!

For system restore just switch it off and then switch it back on and make a new restore point and that will flush out any baddies!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 5067-C4CB

Directory of C:\

01/15/2007 12:01 PM 211 BOOT.INI
09/03/2002 11:13 AM 512 BOOTSECT.DOS
12/19/2003 11:55 AM 5,243 DELL.SDR
02/29/2008 12:31 PM 534,827,008 hiberfil.sys
09/03/2002 11:36 AM 0 IO.SYS
12/19/2003 12:14 PM 869 IPH.PH
09/03/2002 11:36 AM 0 MSDOS.SYS
01/15/2007 11:53 AM 47,564 NTDETECT.COM
01/15/2007 11:53 AM 250,032 NTLDR
02/29/2008 12:31 PM 805,306,368 pagefile.sys
01/29/2007 02:48 PM <DIR> RECYCLER
03/03/2008 09:22 AM <DIR> System Volume Information
10 File(s) 1,340,437,807 bytes
2 Dir(s) 64,459,837,440 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 5067-C4CB

Directory of C:\

01/15/2007 12:01 PM 211 BOOT.INI
09/03/2002 11:13 AM 512 BOOTSECT.DOS
02/29/2008 12:31 PM 534,827,008 hiberfil.sys
01/15/2007 11:53 AM 47,564 NTDETECT.COM
01/15/2007 11:53 AM 250,032 NTLDR
02/29/2008 12:31 PM 805,306,368 pagefile.sys
01/29/2007 02:48 PM <DIR> RECYCLER
03/03/2008 09:22 AM <DIR> System Volume Information
6 File(s) 1,340,431,695 bytes
2 Dir(s) 64,459,837,440 bytes free
 
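An added example, not part of this thread or of OSC's batch file: a Python script that parses the contents.txt the batch writes, checks which folder was actually listed against the folder the batch meant to list (the posted log shows C:\, i.e. the cd step did not reach the rfrnjyp folder), and separates entries that are hidden-only, system-only, or both. The embedded log is the one posted above; EXPECTED_DIR and all function names are this example's own assumptions.

```python
# Added example: parse the contents.txt written by findtheother.bat and triage it.
# Not part of the thread or of OSC's batch; EXPECTED_DIR and the function names
# are this example's own assumptions.
import re

# Folder the batch was meant to list (taken from the batch file in the thread).
EXPECTED_DIR = "C:\\WINDOWS\\system32\\rfrnjyp"

# The contents.txt log posted in the thread, embedded as sample input.
SAMPLE_LOG = """\
************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 5067-C4CB

Directory of C:\\

01/15/2007 12:01 PM 211 BOOT.INI
09/03/2002 11:13 AM 512 BOOTSECT.DOS
12/19/2003 11:55 AM 5,243 DELL.SDR
02/29/2008 12:31 PM 534,827,008 hiberfil.sys
09/03/2002 11:36 AM 0 IO.SYS
12/19/2003 12:14 PM 869 IPH.PH
09/03/2002 11:36 AM 0 MSDOS.SYS
01/15/2007 11:53 AM 47,564 NTDETECT.COM
01/15/2007 11:53 AM 250,032 NTLDR
02/29/2008 12:31 PM 805,306,368 pagefile.sys
01/29/2007 02:48 PM <DIR> RECYCLER
03/03/2008 09:22 AM <DIR> System Volume Information
10 File(s) 1,340,437,807 bytes
2 Dir(s) 64,459,837,440 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 5067-C4CB

Directory of C:\\

01/15/2007 12:01 PM 211 BOOT.INI
09/03/2002 11:13 AM 512 BOOTSECT.DOS
02/29/2008 12:31 PM 534,827,008 hiberfil.sys
01/15/2007 11:53 AM 47,564 NTDETECT.COM
01/15/2007 11:53 AM 250,032 NTLDR
02/29/2008 12:31 PM 805,306,368 pagefile.sys
01/29/2007 02:48 PM <DIR> RECYCLER
03/03/2008 09:22 AM <DIR> System Volume Information
6 File(s) 1,340,431,695 bytes
2 Dir(s) 64,459,837,440 bytes free
"""

SECTION_RE = re.compile(r"^\s*\*\*These are the (hidden|system) files found\*\*\s*$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2} [AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_contents(text):
    """Return {"hidden": {...}, "system": {...}}; each holds the directory that
    was actually listed and its entries as (name, size_or_None, is_dir) tuples."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = {"directory": None, "entries": []}
        elif current is None:
            continue
        elif m := DIR_RE.match(line):
            sections[current]["directory"] = m.group(1)
        elif m := ENTRY_RE.match(line):
            size_field, name = m.group(1), m.group(2)
            is_dir = size_field == "<DIR>"
            size = None if is_dir else int(size_field.replace(",", ""))
            sections[current]["entries"].append((name, size, is_dir))
    return sections


def file_totals(section):
    """(file count, total bytes) for cross-checking against dir's own summary line."""
    sizes = [size for _, size, is_dir in section["entries"] if not is_dir]
    return len(sizes), sum(sizes)


def triage(sections, expected_dir=EXPECTED_DIR):
    """Flag a listing taken from the wrong folder (cd failed, so the rest of the
    batch ran against the current directory) and split names by attribute."""
    hidden = {name.lower() for name, _, _ in sections["hidden"]["entries"]}
    system = {name.lower() for name, _, _ in sections["system"]["entries"]}
    listed = sections["hidden"]["directory"] or ""
    return {
        "listed_directory": listed,
        "wrong_directory": listed.rstrip("\\").lower() != expected_dir.rstrip("\\").lower(),
        "hidden_only": sorted(hidden - system),
        "system_only": sorted(system - hidden),
        "hidden_and_system": sorted(hidden & system),
    }
```

Run `triage(parse_contents(SAMPLE_LOG))` to get the report; `file_totals` reproduces the "10 File(s) 1,340,437,807 bytes" and "6 File(s) 1,340,431,695 bytes" summary lines, which is a cheap way to confirm the parser read every entry. The wrong_directory flag matters because the batch strips attributes recursively after listing: a listing of C:\ means the attrib line also ran against C:\, not the suspect folder.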

What log is that, the bat file? Can you post the rest?

so, post the catchme log, the blacklight, the bat file, and the rkfile log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 