postcard.gif.exe (Mssvc.exe and svchost.exe)
An email arrives telling you that someone has sent you an e-card of sorts. Happy happy! Of course you read it, and are presented with a link to click. Of course you click it, and then click through the next couple of warnings about it being an executable and whatnot. Maybe Internet Explorer keeps schtum? Not tried that.
My first postcard
Excitingly, this is the very first virus I've seen that has a GUI (graphical user interface) built in; it has just been switched off in the ini file. Easy peasy to get it back on. You have to choose different colours for the fonts, because black on black is not very visible, but the GUI has options for that.
Also noticeable is that whilst the icon for mIRC (for that is what it is) has been blanked out, the space for it is still visible in the task bar. Hmm... Do they think nobody will notice? You can right-click on it to get the GUI up (after turning it on in the ini).
Beautiful, isn't it? I could get used to that, not having to grep through endless packet captures anymore... Never mind.
Backdoors
A virus wouldn't be a good virus without some backdoors. Actually, I am using the word virus wrongly here, as this is merely a trojan. As far as I can tell it has not yet done anything to infect any other computer. Its distribution method is, I suppose, called "social engineering", although that does seem to be rather big words for a misspelt spam email. But hey, let's not knock it, as my little bot is not the only little bot in the room.
Anyway, the back doors. The postcard.gif.exe is a self-extracting archive containing all the files needed to run mIRC with scripts (running as svchost.exe), and also our good friend Serv-U and all its configuration files (running as Mssvc.exe). Serv-U opened port 43958 for listening, but in a whole week there have been no attempts at connecting and getting or placing files. Usually such high port numbers are random. Perhaps something went wrong when the bot tried to report the open port? One caveat worth knowing: 43958 is also the port a default Serv-U install uses for its local administration interface, so it may not be the port the herders meant the FTP service to sit on at all.
When telnetting to localhost on port 43958 it says: 220 Serv-U FTP Server v4.0 for WinSock ready...
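The telnet check above can be turned into a repeatable scan of a suspect box. The following is an added example written for this page, not code from the original post or from the bot itself: it grabs the first FTP reply line from a port, parses the three-digit reply code and the Serv-U version out of it, and gives a one-line verdict. So that it runs offline, it also starts a constructed stand-in listener on 127.0.0.1 (an ephemeral port, not 43958) that sends exactly the banner quoted above; the function names and the verdict strings are my own.

```python
import re
import socket
import threading

# The banner observed on the bot's Serv-U instance, as quoted above (constructed copy).
OBSERVED_BANNER = "220 Serv-U FTP Server v4.0 for WinSock ready...\r\n"

# RFC 959 reply: three digits, then a space (single line) or '-' (multi-line), then text.
REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")
VERSION_RE = re.compile(r"Serv-U FTP Server v(?P<version>[\d.]+)", re.IGNORECASE)


def grab_banner(host, port, timeout=3.0):
    """Connect, read up to the first line the service volunteers, and return it
    without the line ending. None means the port refused, timed out, or sent nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    if not data:
        return None
    return data.split(b"\n", 1)[0].decode("latin-1").rstrip("\r")


def parse_ftp_banner(line):
    """Split an FTP greeting into reply code, text, and (if present) the Serv-U version."""
    if line is None:
        return None
    m = REPLY_RE.match(line)
    if not m:
        return None  # not an FTP-style reply at all (e.g. a leet-speak IRC bot banner)
    info = {"code": int(m.group("code")), "text": m.group("text"),
            "product": None, "version": None}
    v = VERSION_RE.search(info["text"])
    if v:
        info["product"] = "Serv-U"
        info["version"] = v.group("version")
    return info


def check_port(host, port):
    """One-line verdict for a host:port, the way you would log it during a sweep."""
    info = parse_ftp_banner(grab_banner(host, port))
    if info is None:
        return "closed or silent"
    if info["product"] == "Serv-U":
        return f"Serv-U {info['version']} (FTP reply {info['code']})"
    return f"FTP-like banner: {info['text']}"


def start_fake_servu(banner=OBSERVED_BANNER):
    """Constructed stand-in for the bot's listener: binds 127.0.0.1 on an ephemeral port,
    sends the banner to every client and hangs up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed, stop serving
            with conn:
                conn.sendall(banner.encode("latin-1"))

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_fake_servu()
    print(f"127.0.0.1:{port} -> {check_port('127.0.0.1', port)}")
    srv.close()
```

Against a real infected host you would call check_port on 43958 (and on whatever other ports the box is suddenly listening on) instead of the stand-in; anything that answers with a Serv-U greeting but is not a service the owner installed is the backdoor.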
Which doesn't seem right; normally a stony cnt 0wnz j0, but this one seems a little tame. Perhaps my meddling caused this to go this way. Obviously I had a go at interfering with the thing to see if I could make out who the users were going to be (and whether I could become one too, which was so easy with the Austrian Serv-U).
What is actually going on?
The botherders are Romanian. My Romanian is below par, and my temporary Babylon trial has run out. I am at a loss to explain what these people could possibly want. And over the past couple of weeks they themselves seem to have lost interest in it too, as not many real people seem to be present in the default channels anymore. What was the original plan? I do not know.
