Which trojan?
  1. #1
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403

    Which trojan?

    OK, I did something stupid. I DLed and ran a file that installed a trojan (I'm pretty sure).

    I run Win 2000 on this machine.

    A file named wincfg.exe tries to send to 199.44.44.199 on port 6667 - over and over and over and over and.... About every 15 seconds.

    I have run AVG - found nothing. Ran Trojan Cleaner - found nothing - it did find a trojan in the original file (I'll post its name tonight when I get home - like sdon or something) and I deleted it.

    My firewall is blocking the trojan from communicating right now and I can not ping, scan or tracert to 199.44.44.199. There is a servername but I can't remember it right now - again, will post later (something.something.wu).

    I have looked it up and several trojans send over the 6667 port but none seems to use wincfg.exe. The trojan that uses wincfg.exe is "Matrix" but it uses port 1269.

    My question - have I discovered a new trojan and should delete wincfg.exe and any associated registry entries, or is wincfg.exe a legitimate program?

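    The behaviour described in the post (one process retrying the same host and port roughly every 15 seconds, each attempt blocked by the firewall) is a beaconing pattern a defender can pick out of firewall block logs. This is an added example, not from the thread; the log line format, the `find_beacons` helper and every address except the one reported above are constructed.

    ```python
    """Flag periodic outbound connection attempts (beaconing) in firewall block logs."""
    import re
    from collections import defaultdict
    from datetime import datetime
    from statistics import median

    # Constructed log format resembling a personal-firewall block log; adjust for real logs.
    LINE_RE = re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK OUT "
        r"(?P<proc>\S+) -> (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
    )
    IRC_PORTS = range(6660, 6670)  # 6667 is the default IRC port used by many bot trojans

    # Constructed sample: wincfg.exe beacons every ~15 s; a browser flow is irregular and benign.
    SAMPLE_LOG = """\
    2002-08-01 12:00:00 BLOCK OUT wincfg.exe -> 199.44.44.199:6667
    2002-08-01 12:00:02 BLOCK OUT iexplore.exe -> 192.0.2.10:80
    2002-08-01 12:00:05 BLOCK OUT iexplore.exe -> 192.0.2.10:80
    2002-08-01 12:00:14 BLOCK OUT wincfg.exe -> 199.44.44.199:6667
    2002-08-01 12:00:29 BLOCK OUT wincfg.exe -> 199.44.44.199:6667
    2002-08-01 12:00:45 BLOCK OUT wincfg.exe -> 199.44.44.199:6667
    2002-08-01 12:00:45 BLOCK OUT iexplore.exe -> 192.0.2.10:80
    2002-08-01 12:00:47 BLOCK OUT iexplore.exe -> 192.0.2.10:80
    2002-08-01 12:01:00 BLOCK OUT wincfg.exe -> 199.44.44.199:6667
    """

    def parse_line(line):
        """Return (timestamp, process, dst_ip, dst_port) or None if the line does not match."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["proc"], m["ip"], int(m["port"]))

    def find_beacons(lines, min_hits=4, max_jitter=0.25):
        """Map (process, ip, port) -> details for flows whose retry interval is nearly constant."""
        flows = defaultdict(list)
        for line in lines:
            rec = parse_line(line)
            if rec:
                ts, proc, ip, port = rec
                flows[(proc, ip, port)].append(ts)
        findings = {}
        for key, times in flows.items():
            if len(times) < min_hits:
                continue
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            med = median(gaps)
            if med <= 0:
                continue
            # A real beacon has little spread around its median interval; human traffic does not.
            spread = max(abs(g - med) for g in gaps) / med
            if spread <= max_jitter:
                findings[key] = {"interval": med, "hits": len(times), "irc": key[2] in IRC_PORTS}
        return findings

    if __name__ == "__main__":
        for key, info in find_beacons(SAMPLE_LOG.splitlines()).items():
            print(key, info)
    ```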
  2. #2
    Registered User drewmaztech's Avatar
    Join Date
    Jul 2002
    Location
    Holyoke, Ma. USA
    Posts
    946
    You got yerself a bug.

    Check out:

    http://www.hackfix.org/miscfix/matrix.shtml

    OR

    http://www.titan.co.nz/clint/page58.html


    I would just clean it out rather than risk any potential damage. It's some sort of variation, it seems.
    Vote DrewmazTech for President!

    "'Tis better to remain silent and be thought of as a fool than open your mouth and remove all doubt" Mark Twain

  3. #3
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Port 6667 is a standard IRC port... I get no DNS name for that IP, but I suggest it's reporting to a chatroom bot.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  4. #4
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  5. #5
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    These are all close but they all use ports different than 6667. Well, it's prolly a variant so I'm gonna remove the registry entries and delete the file (It's not present on other 2000 machines - I was able to look at a few others now that I'm at work).

    If anyone finds the exact trojan - let me know because I couldn't find it.

    Thanks guys!

  6. #6
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  7. #7
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    I deleted it, killed the registry entry and it ain't bootin' or hammerin' my firewall any more.

  8. #8
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Just for the sake of interest, while tracking down a few port questions in chat today I found this list of trojans sorted by the port they use.

    Hope someone finds it useful.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  9. #9
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    It's a nice list. I still don't see my trojan. Poopy.

  10. #10
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    Well, the only one on my list that wasn't on NooNoo's was a function of the PrettyPark virus... but remember, ports are default only and can be changed, so you probably had a variant of a SubSeven or something. Did you ever submit it? It may be new.
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  11. #11
    Registered User
    Join Date
    Dec 2001
    Location
    Mountain Home, AR
    Posts
    143
    On the subject of trojans, I've been using a free scanner program called "Swat-it" for a few months now. Not sure how good it is, but it seems to do the job (found a couple I had on my system).

    http://lockdowncorp.com/bots/downloadswatit.html
    Danyll

    If we live in an insane world, how can I be normal if I'm sane?
    "I'm reminded of the immortal words of Socrates who said-'I drank what?'"-Val Kilmer (Real Genius)

  12. #12
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I have been chasing I.Qaaz around my 9x boxes (it's the one that changes notepad.exe). Darn thing is like a cartoon chest of drawers - close it off in one and it pops up in another - grrrr. Interestingly, AVG says it's there; HouseCall online doesn't find it.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  13. #13
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    Originally posted by geoscomp:
    Well, the only one on my list that wasn't on NooNoo's was a function of the PrettyPark virus... but remember, ports are default only and can be changed, so you probably had a variant of a SubSeven or something. Did you ever submit it? It may be new.
    I think it is new and is a variant of Mandrake Matrix. 2 trojan scanners and AVG fail to find it.

    Haven't tried Swat It yet but I will. Thanks!
