Dangerous new trojan on the loose
I thought I'd draw everyone's attention to this TDS-3 Advisory.
A further reason to keep your virus/trojan definitions updated if ever there was one.
And maybe even to invest in a good anti-trojan.
TDS-3, BOClean, The Cleaner, AVG-Kaspersky, and Trojan Remover seem to be the only ones that are recognizing it at this moment.
Others will follow, no doubt.
Diamond Computer Systems Security Advisory
===============================
RELEASE DATE: Fri, 5th April 2002
RISING THREAT: Optix Pro Trojan
This advisory is being released to help raise the awareness of a new trojan that is set to become a widespread attack tool of the underground in a matter of weeks. Optix Pro poses a great threat to the security of users worldwide, and it is already being hailed by underground users and those in the trojan "scene" as one of the best trojans ever created.
Being a full-featured trojan, Optix Pro weighs in at 889,344 bytes before compression. This may be one factor that will slow the spread of this trojan. However, it will most likely be used after initial stealth infection by the small Optix Lite, a very popular "uploader trojan".
DESCRIPTION
Optix Pro has all the features common in today's Remote Access Trojans, and many more. Highly praised by the underground are the screen capture and webcam capture which are very clear and fast. The first release of Optix Pro came just 2 days ago at the time of this writing, released on the night of Wednesday April 3, 2002. Due to the stability, speed, and features of Optix Pro (not to mention its growing userbase) we anticipate that it will become the trojan of choice for many trojan users.
Like Optix Lite, the Pro version has a security program terminator feature that, when activated, will close all popular security programs down every 60 seconds (Optix Lite cycled every 45 seconds). TDS-3 easily detects Optix Pro due to precision scanning techniques with advanced routines such as the critical Process Memory Space scanning. TDS-3 also has specific routines to target Optix Pro with file scanning; it would be extremely difficult (and probably not worth the hacker's effort) to infect a TDS-3 system with all protection enabled, even with highly modified Optix Pro servers. TDS-3 Execution Protection will use the advanced signatures and block the execution of Optix Pro servers, preventing the infection from occurring in the first place.
In the unlikely event that a TDS-3 protected system is infected, users can simply rename TDS-3.EXE to be able to launch the application. Even a completely unknown trojan with this ability can be detected with the Process Memory Space scan as TDS-3 looks for such suspicious process terminating characteristics.
SPECIFICATIONS
Family Name:        Optix
Class:              Remote Access Trojan (RAT)
Compiler:           Borland Delphi 5
Author:             s13az3, Evil Eye Software
Known Variants:     1.0
File Sizes:
  Client v1.0                  381,952 bytes (Compressed - UPX 1.20)
  EditServer v1.0              367,616 bytes (Compressed - UPX 1.20)
  Server v1.0                  889,344 bytes - Not Compressed (before editing, editor adds 2 bytes)
  Server v1.0 UPX Compressed   336,384 bytes
Default Port:       TCP 3410 (Configurable)
Default Install:    Copies itself to %windir%\spooll32.exe (Configurable)
Default Autostart:  REGISTRY - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "vscanner" (Configurable)
Other Autostarts:   Stealth method - copies itself as wmmiexe.exe to %WINDIR% and modifies the key at HKEY_CLASSES_ROOT\exefile\shell\open\command to read wmmiexe.exe "%1" %*
                    This will run the server when any executable file is run.
FEATURES
Server Options - Server info, System info, steal passwords. Restart, close, remove server. Power options include Shutdown, suspend, logoff, reboot, bluescreen.
File Options - Full file manager. New folder, upload/download, execute, delete, find, copy, paste, rename, view/set attributes, get size, set as wallpaper, play .wav file, display image.
Process manager. View processes, kill processes.
Window manager. View, close windows. Show/hide, bring to front, send to back.
Registry manager. Add/delete/modify registry keys and values.
Keyboard/Chat Options - Message boxes (any)
Keylogger
Client-Client chat (Multiple client connections available)
Client-Victim chat (Matrix window)
Send keys as if typed on remote keyboard
Spy Options - Screen capture
Webcam capture
Fun options - Show/Hide clock, start button. Flash keyboard lights, open/close CDROM, monitor on/off, screensaver on/off, swap/restore mouse buttons, enable/disable keyboard/mouse, set Internet Explorer start page, send to URL, beep PC speaker 200 times.
Notify Options - ICQ Notify, CGI online list, Email notify with inbuilt relay if selected. IRC notify.
Firewall and Antivirus killing - The trojan contains an astounding 209 process names (or registry keys in special cases*) which are hard-coded into the server file, effectively covering all well known (and some not so well known) anti-virus programs, anti-trojan programs, firewalls, and process viewers/monitors. If the option to kill these programs is enabled, on execution of the trojan the user's defences are killed, and every 60 seconds the program checks the process list again for any of the names. Essentially this means all security programs known to the trojan (estimated to be around 80 programs) can be shut down and they cannot run again, as the trojan will recognise them in the next scan 60 seconds later.
*In some cases a process will not be terminated correctly. In this case, the trojan deletes the vital registry key that loads the program on startup, and there is an option to then force the PC to reboot.
Infection removal instructions - Rename the filenames of your main programs (e.g. TDS-3.EXE), and use that to kill the server. Stay offline while you do this. Simply run a Process File scan and TDS should detect Optix Pro, even if modified. The Process Memory scan will detect the server if this fails. To disinfect, simply Kill and Delete the process. Once you have done this, run a trace scan to find the leftover files, and possibly the registry entry. Be sure to check if there is a file wmmiexe.exe in the Windows folder - if there is, you'll need to change the above entry in the registry. DiamondCS Support can help with this by sending a registry file which fixes the association for EXE files, or download it here (cleanrun.reg).
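As an added example (not part of the advisory, and not DiamondCS's cleanrun.reg), the script below checks a registry export for the two autostart mechanisms listed in the SPECIFICATIONS section, the Run value "vscanner" pointing at spooll32.exe and the tampered exefile\shell\open\command, and builds the kind of .reg fragment the removal instructions describe for restoring the EXE association. The sample export is constructed: the C:\WINDOWS path assumes %windir% is C:\WINDOWS and "SomeLegit" is a made-up benign entry. The exefile check flags any deviation from the stock `"%1" %*` value, which is broader than the wmmiexe.exe case quoted in the advisory.

```python
import re

# Constructed sample of a `reg export` of the two keys on an infected host.
# The values mirror those quoted in the advisory; the C:\WINDOWS path assumes
# %windir% is C:\WINDOWS, and "SomeLegit" is a made-up benign entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vscanner"="C:\\WINDOWS\\spooll32.exe"
"SomeLegit"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="wmmiexe.exe \"%1\" %*"
'''

RUN_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
EXE_CMD_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
CLEAN_EXE_COMMAND = '"%1" %*'  # stock default value of exefile\shell\open\command


def _unescape(data):
    """Turn REG_SZ data as written in a .reg file back into its real string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(.)', r'\1', data[1:-1])  # \\ -> \ and \" -> "
    return data  # dword:, hex: and similar are left as written


def parse_reg_export(text):
    """Parse .reg text into {key_path_lowercased: {value_name: data}}.
    The default value is stored under '@', as in the .reg format itself."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()  # registry key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and '=' in line and line[0] in '"@':
            name, _, data = line.partition('=')
            keys[current][name.strip('"')] = _unescape(data)
    return keys


def find_optix_indicators(reg):
    """Return (indicator, value_name, data) tuples for the two autostart
    mechanisms in the advisory: the Run value "vscanner" / spooll32.exe and
    a tampered exefile open command."""
    findings = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() == 'vscanner' or data.lower().endswith('spooll32.exe'):
            findings.append(('run_key', name, data))
    cmd = reg.get(EXE_CMD_KEY.lower(), {}).get('@')
    # Any deviation from the stock value is reported, not only the wmmiexe.exe
    # form quoted in the advisory: other prefixes would hijack EXEs the same way.
    if cmd is not None and cmd != CLEAN_EXE_COMMAND:
        findings.append(('exefile_hijack', '@', cmd))
    return findings


def build_restore_reg():
    """Build .reg text that puts the stock EXE association back (the effect
    the advisory describes for its cleanrun.reg; this is a reconstruction)."""
    escaped = CLEAN_EXE_COMMAND.replace('\\', '\\\\').replace('"', '\\"')
    return ('Windows Registry Editor Version 5.00\r\n\r\n'
            '[' + EXE_CMD_KEY + ']\r\n'
            '@="' + escaped + '"\r\n')


if __name__ == '__main__':
    for indicator, name, data in find_optix_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{indicator}: {name} = {data}')
    print(build_restore_reg())
```

On a real host the input would come from `reg export` of the two keys; the parser only understands quoted REG_SZ data, which is all these indicators use. Importing the generated fragment restores the association so that executables run directly again, after which the wmmiexe.exe and spooll32.exe files can be removed as the instructions describe.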