Infected myself via Virtual Machine (Windows XP SP3; last patches [July])
Infection Method - Direct (Downloaded and Ran 'taizi.exe')
[ Virus Files and Names ]
• c:\windows\system32\<randomly-generated-name>.dll - Trojan.PcClient-1603
• c:\windows\system32\drivers\<randomly-generated-name>.sys - Trojan.Dropper-10666
• taizi.exe - Unknown Dropper (Scanned; AV Did Not Warn)
[ Trojan Abilities ]
• Injects a DLL into other Programs (keystroke logging)
--- • IMPORTANT : Keystroke logging works in any program (web browsers, email clients, POL, etc.)
• Text Capture (of keystrokes; confirmed)
• Image Capture (of keystrokes?; unconfirmed, but loads files related to capturing images)
• Video Capture (of keystrokes?; gameplay?; unconfirmed, but loads files related to capturing video)
• Live Password Uploading (via web server)
• Does NOT appear to capture text when using built-in POL virtual keyboard (captures external virtual keyboard strokes)
• Does NOT appear to send POL files which contain saved passwords
• Does NOT appear to use ADS (Alternate Data Streams) to hide data
• Does NOT appear to gather POL ID data (after much testing it only seems to be after passwords and text, which is very confusing)
[ Installs Service(s) ]
• VSSC - (c:\windows\system32\<randomly-generated-name>.dll; ~93KBs size)
• yuctvyaf - (c:\windows\system32\drivers\<randomly-generated-name>.sys; ~5KBs size)
--- • NOTE : The DLL and SYS file appear to share the same randomly generated name.
[ Installs Other File(s) ]
• Text Log of Passwords - (c:\windows\system32\<randomly-generated-name>.key)
--- • NOTE : The KEY log appears to share the same randomly generated name as the DLL and SYS files.
• INI File [Unknown Usage] - (c:\windows\system32\<randomly-generated-string>.ini; 1KB size)
• Host Information from PC.TXT - (c:\windows\temp\<randomly-generated-number>.exe; 1KB size)
[ Creates Connection(s) ]
Code:
www.crackwg.net/pcshare/pc.txt
NOTE : Connects and downloads PC.TXT every 30 seconds until connected to host specified in file
Code:
59.34.148.248:7866/20080826/063853/753874.jsp
NOTE : 59.34.148.248 is current host specified in pc.txt; Subject to change at any time
NOTE : Connection to 59.34.148.248:7866 seems persistent and does not terminate unless connection is lost to the host. If connection to the host is lost, the trojan will attempt to connect to crackwg.net every 30 seconds and attempt to connect to the specified host in the PC.TXT file. Once connected to the specified host, it will cease attempting to connect to crackwg.net. The path to the JSP and the JSP file itself are randomly generated based on the current date and time.
[ Other Data ]
Initial Data Received from 59.34.148.248/**.JSP :
Code:
Send: Return Code: 0x00000000
00000000 52 0D 12 12 8A 1A 12 12 12 D2 E5 19 F6 16 12 12 R...............
00000010 A7 13 12 12 12 12 12 12 10 12 12 12 13 12 12 12 ................
00000020 56 21 13 12 53 7B B9 14 8D 51 2F 58 A2 A5 F3 93 V!..S{...Q/X....
00000030 68 B7 D6 11 12 12 12 12 12 12 12 12 12 12 12 12 h...............
00000040 12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12 ........F[UW@Y$.
00000050 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000060 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000070 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000080 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000090 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000000A0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000000B0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000000C0 12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12 ........F[UW@Y$.
000000D0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000000E0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000000F0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000100 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000110 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000120 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000130 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000140 12 12 12 12 12 12 12 12 D4 C7 DF BA AD DF A9 B5 ................
00000150 C5 FB 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000160 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000170 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000180 12 12 12 12 12 12 12 12 A9 F3 C6 A3 A2 F4 A3 AC ................
00000190 49 20 22 22 25 23 23 20 27 4F 12 12 12 12 12 12 I ""%## 'O......
000001A0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000001B0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
000001C0 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
Subsequent Data Received :
Code:
Receive: Return Code: 0x00000000
00000000 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
00000010 0A 44 61 74 65 3A 20 54 20 47 4D 54 0D 0A 43 6F .Date: T GMT..Co
00000020 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 0D ntent-Length: 8.
00000030 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 .Connection: Kee
00000040 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 p-Alive..Cache-C
00000050 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65 ontrol: no-cache
00000060 0D 0A 0D 0A 4D 1F 00 00 00 00 00 00 ....M.......
[ Trojan Detection Methods ]
• Method I (Anti-Virus Protection) - ClamWin Anti-Virus quickly detected the DLL and SYS file, so I am certain that other Anti-Virus programs would detect them as well.
• Method II (Manual System Scan) - Should you not wish to put your account in the hands of your Anti-Virus, I would suggest downloading AutoRuns (http://technet.microsoft.com/en-us/s.../bb963902.aspx).
- When you initially run the program, it will begin a scan. Tap the Escape key once and it will cancel the scan. Make sure that 'Verify Code Signatures' and 'Hide Signed Microsoft Entries' are selected in the 'Options' menu of the program, then execute another scan by clicking the Refresh icon. If you find the items in the image below that are highlighted in red, you are infected. Areas of text marked in blue mean that the file name is randomly generated and may be different from what appears in the screenshot.
http://www.moofah.com/temp/media/ima...i-trojan-c.jpg
- You can also search for the KEY and INI files manually within Windows Explorer or through Search.
http://www.moofah.com/temp/media/ima...i-trojan-d.jpg
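Added example (not from the original post): a decoder for the "Initial Data Received" hex dump in the [ Other Data ] section. The dump is almost entirely 0x12 where zero padding would normally sit, which is the signature of a single-byte XOR; the script reads the dump back in, picks the key as the most frequent byte (my assumption: that byte is encoded 0x00), and lists the readable strings of the result. Because the download path is /pcshare/, I assume the tool is Chinese-language and try GBK before falling back to Latin-1. The all-0x12 lines of the dump are left out of the embedded copy and refilled by the parser; the 0x1D0 total length is taken from the last offset in the post.

```python
"""Decode the trojan's first beacon to 59.34.148.248:7866 (added example)."""
import re
from collections import Counter

# Non-filler lines of the post's "Initial Data Received" dump, copied as-is.
BEACON_DUMP = """\
00000000 52 0D 12 12 8A 1A 12 12 12 D2 E5 19 F6 16 12 12 R...............
00000010 A7 13 12 12 12 12 12 12 10 12 12 12 13 12 12 12 ................
00000020 56 21 13 12 53 7B B9 14 8D 51 2F 58 A2 A5 F3 93 V!..S{...Q/X....
00000030 68 B7 D6 11 12 12 12 12 12 12 12 12 12 12 12 12 h...............
00000040 12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12 ........F[UW@Y$.
000000C0 12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12 ........F[UW@Y$.
00000140 12 12 12 12 12 12 12 12 D4 C7 DF BA AD DF A9 B5 ................
00000150 C5 FB 12 12 12 12 12 12 12 12 12 12 12 12 12 12 ................
00000180 12 12 12 12 12 12 12 12 A9 F3 C6 A3 A2 F4 A3 AC ................
00000190 49 20 22 22 25 23 23 20 27 4F 12 12 12 12 12 12 I ""%## 'O......
"""
DUMP_LEN = 0x1D0   # the post's dump runs from offset 0x000 to 0x1CF
FILLER = 0x12      # the byte every omitted line consists of

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})((?: [0-9A-Fa-f]{2}){1,16})")


def parse_hexdump(text, total_len=DUMP_LEN, filler=FILLER):
    """Rebuild raw bytes from 'offset  hex...  ascii' lines; gaps get the filler."""
    buf = bytearray([filler]) * total_len
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def guess_xor_key(data):
    """Single-byte XOR: the most common byte is assumed to be encoded 0x00."""
    return Counter(data).most_common(1)[0][0]


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def extract_strings(data, min_len=4):
    """(offset, text) for NUL-free runs that decode to printable GBK/ASCII."""
    found = []
    for m in re.finditer(rb"[^\x00]{%d,}" % min_len, data):
        try:
            text = m.group().decode("gbk")       # assumption: Chinese tool
        except UnicodeDecodeError:
            text = m.group().decode("latin-1")
        if text.isprintable():
            found.append((m.start(), text))
    return found


def decode_beacon(dump=BEACON_DUMP):
    """Return (key, decoded bytes, [(offset, string), ...]) for the dump."""
    raw = parse_hexdump(dump)
    key = guess_xor_key(raw)
    plain = xor_decode(raw, key)
    return key, plain, extract_strings(plain)


if __name__ == "__main__":
    key, plain, strings = decode_beacon()
    print("XOR key: 0x%02X" % key)
    for off, s in strings:
        print("0x%04X  %s" % (off, s))
```

The two identical runs at 0x48 and 0xC8 decode to the same seven-letter ASCII name, which is what a host/user name field pair would look like, and the run at 0x188 ends in a bracketed date-style string; a practitioner can feed the same parser any other XOR-obfuscated capture from this host and look for a changed key or changed field layout.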
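Added example (not from the original post) for the manual check in [ Trojan Detection Methods ]: the post reports that the DLL in system32, the driver in system32\drivers and the .key password log all share one randomly generated base name, and that the services are registered as VSSC and yuctvyaf. The script below groups directory listings by base name, flags any name that has all three of .dll/.sys/.key, and (on Windows only) checks whether either service key exists. The matching logic and the sample listing are mine; "abcdefgh" stands in for the random name, and the decoy ndis.dll entry is constructed to show that a .dll/.sys pair alone does not fire.

```python
"""Flag the shared-name .dll/.sys/.key triplet and the two service names (added example)."""
import ntpath
from collections import defaultdict

SYSTEM32 = r"C:\Windows\System32"
DRIVERS = ntpath.join(SYSTEM32, "drivers")
TRIPLET = frozenset({".dll", ".sys", ".key"})
SERVICE_NAMES = ("VSSC", "yuctvyaf")          # service names reported in the post

# Constructed listing; 'abcdefgh' is a stand-in for the random name.
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\abcdefgh.dll",
    r"C:\Windows\System32\abcdefgh.key",
    r"C:\Windows\System32\abcdefgh.ini",
    r"C:\Windows\System32\drivers\abcdefgh.sys",
    r"C:\Windows\System32\drivers\acpi.sys",
    r"C:\Windows\System32\drivers\ndis.sys",
    r"C:\Windows\System32\ndis.dll",          # constructed decoy: dll+sys only
]


def group_by_stem(paths):
    """Map lower-cased base name -> set of extensions seen for it (any OS)."""
    stems = defaultdict(set)
    for p in paths:
        stem, ext = ntpath.splitext(ntpath.basename(p))
        stems[stem.lower()].add(ext.lower())
    return stems


def suspect_stems(paths, need=TRIPLET):
    """Base names carrying all of .dll, .sys and .key: the pattern the post reports."""
    return sorted(s for s, exts in group_by_stem(paths).items() if need <= exts)


def list_system_files(dirs=(SYSTEM32, DRIVERS)):
    """Live listing of system32 and system32\\drivers; empty where they do not exist."""
    import os
    found = []
    for d in dirs:
        try:
            found += [ntpath.join(d, f) for f in os.listdir(d)]
        except OSError:
            pass
    return found


def installed_services(names=SERVICE_NAMES):
    """Subset of `names` that exist under HKLM\\SYSTEM\\CurrentControlSet\\Services.

    Uses winreg, so it returns [] on anything but Windows."""
    try:
        import winreg
    except ImportError:
        return []
    present = []
    for name in names:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                r"SYSTEM\CurrentControlSet\Services\%s" % name):
                present.append(name)
        except OSError:
            pass
    return present


if __name__ == "__main__":
    print("suspect stems (sample):", suspect_stems(SAMPLE_PATHS))
    print("suspect stems (live):  ", suspect_stems(list_system_files()))
    print("services present:      ", installed_services())
```

Run it as an administrator on the suspect machine; a non-empty live result or either service name present is the same finding the AutoRuns screenshot shows. A stem that appears with only .dll and .sys is not by itself a hit, since legitimate components can share a name across the two directories.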