hackfix-virusnews: WARNING: Computer hackers mass-mailing trojans Tr/Mastaz

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Wed, 13 Nov 2002 17:44:12 -0800


From: VirusEye 'MessageLabs' Virus Alert

12 Nov 2002

*Computer hackers mass-mailing trojans*

MessageLabs is currently intercepting hackers who are mass-mailing trojans
to unsuspecting users. The spread of this new threat suggests that
infected machines could potentially be used in some kind of large-scale
coordinated Internet hacking activity.
The details of the trojan are as follows:


     Trojan name: Maz 
     Aliases:  W32/Maz.A, Downloader-BO 
     Number of copies seen so far: 280 
     Time & Date first Captured: 10 Nov 2002, 14:58 GMT 
     Origin of first intercepted copy: UK 
     Number of countries seen active: 32 
     Top five most active countries: 
          United States   60.7%
          Canada           9.3%
          Korea (South)    5.0%
          Great Britain    3.2%
          Mexico           2.1%
 

*Technical Details*
The Maz trojan connects to a URL, which has since been closed down, to
register the location of the machine which has been compromised.  It then
proceeds to download a further component.  Currently, this additional
component is a backdoor Trojan (Backdoor-AML), but this may readily change
if the website is updated or changed.  

Amongst other things, Backdoor-AML allows the remote hacker to use the
compromised machine as an SMTP relay using TCP port 4668, from which
further attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have
intercepted this Trojan to date, it is likely that the hacker is
compromising PCs and then using these machines to send more copies of the
Trojan.  It is possible that the hacker may also be using open-relay mail
servers.  

It appears that the hacker, or group of hackers, is trying to amass a
virtual army of trojans to perform some kind of coordinated hacking
activity in the future.


*Behaviour*
In the copies of e-mails that we have stopped, the mail created seems to
have been generated from a poorly configured Ratware mailer.  It seems as
though the replaceable parameters have not been replaced.  For example:

Subject:  mail (space) (space)
Text:       
          (space) Hello! (space) check (space) out (space) (space), 
          the best (space) FREE (space) site!
          (space)

Message ID: (variable number) (space) MessageNumber: (variable number)
(space)

Attachment: masteraz.exe
 

The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to
automatically execute the attachment on un-patched systems. 

In copies that we have intercepted, it appears to have a website download
component, and contains several encoded URLs XORed with 0x4D, for example:

(link to website removed)/country/get.pl 
(link to website removed)/counter.c

NB:  counter.c is actually a backdoor program, which it downloads.
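The XOR-obfuscated URL strings described above can be pulled out of a sample with a small decoder. This is an added example, not MessageLabs' tooling: it builds a constructed blob in which two URLs (with the placeholder host "example.invalid", since the real host is not given here) are XORed with 0x4D, then recovers the key by brute force and lists the decoded URLs, which is the kind of indicator extraction a defender does when triaging a downloader like this one.

```python
import re

# Single-byte XOR key reported for the Maz/Mastaz downloader's embedded URLs.
KEY = 0x4D

# Constructed sample: a fake binary blob carrying two URLs XORed with 0x4D.
# "example.invalid" is a placeholder host; the real host is not on the page.
# Each URL is stored as a C string encoded whole, so its NUL terminator is
# stored as 0x4D, and the filler bytes (0x4D) decode to NUL as well.
PLAIN_URLS = [
    b"http://example.invalid/country/get.pl",
    b"http://example.invalid/counter.c",
]

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)

SAMPLE_BLOB = (
    b"MZ\x90\x00\x03" + b"\x4d" * 4
    + xor_bytes(PLAIN_URLS[0] + b"\x00", KEY) + b"\x4d" * 3
    + xor_bytes(PLAIN_URLS[1] + b"\x00", KEY) + b"\x4d" * 4
)

# A URL ends at the first byte outside printable ASCII (e.g. the decoded NUL).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def find_xored_urls(blob: bytes, key: int = KEY) -> list:
    """Decode blob with key and return every http(s) URL that becomes visible."""
    decoded = xor_bytes(blob, key)
    return [m.group().decode("ascii") for m in URL_RE.finditer(decoded)]

def recover_key(blob: bytes) -> int:
    """Brute-force all 256 single-byte keys; return the one exposing most URLs.
    Returns -1 if no key reveals any URL (the blob is not single-byte XORed)."""
    best_key, best_hits = -1, 0
    for key in range(256):
        hits = len(find_xored_urls(blob, key))
        if hits > best_hits:
            best_key, best_hits = key, hits
    return best_key

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02X}")
    for url in find_xored_urls(SAMPLE_BLOB, key):
        print("embedded URL:", url)
```

On a real sample, run the same key search over the file's data sections; a single-byte key that exposes several URLs at once is a strong signal that the strings belong to the downloader's configuration rather than to incidental data.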

_______________________________________

From: Central Command
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021112-000007>

VIRUS ADVISORY ISSUED BY CENTRALCOMMAND 
on November 12, 2002
for Tr/Mastaz


VIRUS ADVISORY The Central Command Emergency Virus Response Team™
(EVRT™) has received virus infection reports for the trojan Tr/Mastaz. Due
to increased customer inquiries the EVRT is issuing a VIRUS ADVISORY.


[ EVRT™ Virus advisory issued for Tr/Mastaz ]

Name: Tr/Mastaz
Alias: Troj/Maz.A
Type: Trojan Downloader
Discovered: November 11, 2002
Size: 4.096 KB
Platform: Microsoft Windows 95/98/Me/NT/2000/XP

Description:

Tr/Mastaz is a trojan downloader that downloads the file "Msrexe.exe
(30.720KB)" from a specified website and installs it in the user's
\windows\system\ directory.

So that it gets run each time a user restarts their computer, the following
registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System
Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

It also adds the key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

~~~~~~~~~~~~

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Charter Member 
http://groups.yahoo.com/group/techsupportalliance/
