HackfixNews: WARNING: Computer hackers mass-mailing trojans Tr/Mastaz

  • From: "Mike" <virusinfo@xxxxxxxxxxx>
  • To: hackfixnews@xxxxxxxxxxxxx
  • Date: Tue, 12 Nov 2002 15:13:37 -0800



From: VirusEye 'MessageLabs' Virus Alert

12 Nov 2002

*Computer hackers mass-mailing trojans*

MessageLabs is currently intercepting hackers who are mass-mailing trojans
to unsuspecting users. The spread of this new threat suggests that infected
machines could potentially be used in some kind of large-scale coordinated
Internet hacking activity. The details of the trojan are as follows:


     Trojan name: Maz 
     Aliases:  W32/Maz.A, Downloader-BO 
     Number of copies seen so far: 280 
     Time & Date first Captured: 10 Nov 2002, 14:58 GMT 
     Origin of first intercepted copy: UK 
     Number of countries seen active: 32 
     Top five most active countries: 
          United States   60.7%
          Canada           9.3%
          Korea (South)    5.0%
          Great Britain    3.2%
          Mexico           2.1%
 

*Technical Details*
The Maz trojan connects to a URL, which has since been closed down, to
register the location of the machine which has been compromised. It then
proceeds to download a further component. Currently, this additional
component is a backdoor Trojan (Backdoor-AML), but this may readily change
if the website is updated or changed.

Amongst other things, Backdoor-AML allows the remote hacker to use the
compromised machine as an SMTP relay using TCP port 4668, from which
further attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have
intercepted this Trojan to date, it is likely that the hacker is
compromising PCs and then using these machines to send more copies of the
Trojan. It is possible that the hacker may also be using open-relay mail
servers.

It appears that the hacker, or group of hackers, is trying to amass a
virtual army of trojans to perform some kind of coordinated hacking
activity in the future.


*Behaviour*
In the copies of e-mails that we have stopped, the mail created seems to
have been generated from a poorly configured Ratware mailer. It seems as
though the replaceable parameters have not been replaced. For example:

Subject:  mail (space) (space)
Text:       
          (space) Hello! (space) check (space) out (space)
(space), 
          the best (space) FREE (space) site!
          (space)

Message ID: (variable number) (space) MessageNumber: (variable number) (space)

Attachment: masteraz.exe
 

The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to
automatically execute the attachment on un-patched systems.

In copies that we have intercepted, it appears to have a website download
component, and contains several encoded URLs XORed with 0x4D, for example:

(link to website removed)/country/get.pl 
(link to website removed)/counter.c

NB:  counter.c is actually a backdoor program, which it downloads.

_______________________________________

From: Central Command
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=021112-000007>

VIRUS ADVISORY ISSUED BY CENTRALCOMMAND 
on November 12, 2002
for Tr/Mastaz


VIRUS ADVISORY: The Central Command Emergency Virus Response Team™ (EVRT™)
has received virus infection reports for the trojan Tr/Mastaz. Due to
increased customer inquiries the EVRT is issuing a VIRUS ADVISORY.


[  EVRT™ Virus advisory issued for Tr/Mastaz  ]

Name: Tr/Mastaz
Alias: Troj/Maz.A
Type: Trojan Downloader
Discovered: November 11, 2002
Size: 4,096 bytes
Platform: Microsoft Windows 95/98/Me/NT/2000/XP

Description:

Tr/Mastaz is a trojan downloader that downloads the file "Msrexe.exe"
(30,720 bytes) from a specified website and installs it in the user's
\windows\system\ directory.

So that it gets run each time a user restarts their computer, the following
registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Service"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

It also adds the key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax
"ImagePath"="C:\\WINDOWS\\SYSTEM\\MSREXE.EXE"

~~~~~~~~~~~~

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Charter Member 
http://groups.yahoo.com/group/techsupportalliance/




~*~*~*~*~
To unsubscribe from our list send an email 
to hackfixnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfixnews" without the quotes.
~*~*~*~*~
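Added example, not part of the MessageLabs or Central Command advisories above: a small Python triage script for the obfuscation the MessageLabs alert describes, URLs stored in the downloader XORed with a single byte (0x4D). Rather than assuming the key, it tries all 256 keys and reports every key under which URL-shaped strings appear, which is how an analyst would confirm the key on a fresh sample. The blob it scans is constructed inline (it is not a dump of the real file), the host name example.invalid is a placeholder, and only the two path fragments /country/get.pl and /counter.c come from the alert.

```python
"""Recover single-byte-XOR-obscured URLs from a downloader binary.

Added example for the MessageLabs alert, which reports the trojan's URLs
XORed with 0x4D. The sample blob is constructed here; it is not a dump of
the real file, and the host name example.invalid is a placeholder.
"""
import re

KEY = 0x4D  # single-byte key reported in the alert

# Constructed plaintext: the two paths named in the alert on a placeholder host,
# each NUL-terminated as a C string would be.
_PLAINTEXT = (
    b"http://example.invalid/country/get.pl\x00"
    b"http://example.invalid/counter.c\x00"
)

# RFC 3986 URL characters; require at least 4 after the scheme so a stray
# "http://" followed by garbage does not count as a hit.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so this
    both encodes and decodes."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int = KEY) -> bytes:
    """Construct a fake data section: some junk around the XOR-encoded strings."""
    junk = bytes(range(0x20)) + b"MZ\x90\x00" * 4
    return junk + xor_bytes(_PLAINTEXT, key) + junk


def find_xor_urls(blob: bytes) -> dict[int, list[str]]:
    """Try all 256 keys; return {key: [urls]} for every key that exposes a URL.

    Key 0 covers unobscured strings, so this doubles as a plain URL grep.
    """
    hits: dict[int, list[str]] = {}
    for key in range(256):
        decoded = xor_bytes(blob, key)
        urls = [m.group().decode("ascii") for m in URL_RE.finditer(decoded)]
        if urls:
            hits[key] = urls
    return hits


def known_paths_found(urls: list[str],
                      paths=("/country/get.pl", "/counter.c")) -> list[str]:
    """Return the alert's path fragments that appear in the recovered URLs
    (a simple indicator check once the key is known)."""
    return [p for p in paths if any(u.endswith(p) for u in urls)]


if __name__ == "__main__":
    blob = build_sample_blob()
    for key, urls in sorted(find_xor_urls(blob).items()):
        print(f"key 0x{key:02X}: {urls}  known paths: {known_paths_found(urls)}")
```

Run against a real sample, feed the file's bytes to find_xor_urls instead of build_sample_blob(); a single key that yields several well-formed URLs is the one to decode the rest of the binary's strings with. Note that the alert reported XOR with a constant key, so a rolling or multi-byte key would not be found by this loop.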
