26.12.2007 21:18, Post #1
Newbie (Group: Members, Posts: 7, Joined: 23.12.2007)
I noticed suspicious network traffic on my PC a few days ago. I closed all network-related programs, but something keeps downloading from port 80 of various IPs.

After a little searching on the internet, I found that there is a fake bot named MJ12bot v1.0.8. There is an information page about this, prepared by the original MJ12bot developers, here. There is no exact solution for this right now as far as I know; does anybody have information about this? Kaspersky AV 6.x with the newest update cannot find anything...

Other discussions about this problem:
http://forums.whirlpool.net.au/
http://www.majestic12.co.uk/forum/
http://www.unixadmintalk.com/
26.12.2007 22:28, Post #2
Are You Kidding? (Group: Moderators, Posts: 56940, Joined: 28.01.2006, From: Timisoara, Romania)
Hello,
send the file for analysis: http://forum.kaspersky.com/index.php?showtopic=13881
29.12.2007 22:32, Post #3
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
> Hello, send the file for analysis: http://forum.kaspersky.com/index.php?showtopic=13881

Same problem. What to send? You (Kaspersky, McAfee) don't know this malware. We (users) don't either. :-) I have tried all of the above vendors.

Process Explorer from the SysInternals utilities shows that I have traffic from:
1) svchost.exe (DCOM Server Process Launcher)
2) winlogon.exe

The traffic looks like this:
---
GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Host: www.tangozadar.com
Connection: close

HTTP/1.1 200 OK
Date: Fri, 28 Dec 2007 22:54:58 GMT
Server: Apache/1.3.39 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.30 OpenSSL/0.9.8b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Set-Cookie: 2c1f10a576ac90244a1bd00f8d488cd7=-; path=/
Last-Modified: Fri, 28 Dec 2007 22:54:58 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

ee7
<?xml version="1.0" encoding="windows-1250"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...
---
captured with Wireshark.

For now I have blocked outgoing TCP connections on port 80 for svchost.exe and winlogon.exe with the Agnitum Outpost firewall (stupid McAfee creates read-only rules for these applications :-)). The Agnitum firewall shows "20:11:40 SVCHOST.EXE: 872 TCP connection with 78.84.71.113:3335 blocked Block incoming RPC (TCP)" from time to time.

There is another user's case: http://www.wirelessforums.org/alt-computer...ried-31663.html
And another: http://forums.whirlpool.net.au/forum-repli...cfm/879242.html

The problem is very serious: http://www.majestic12.co.uk/projects/dsearch/mj12bot.php web admins are creating rules for this _fake_ bot.

I can do whatever is needed to solve the problem: ask any questions, request any actions. Right now I am running an Agnitum Antispyware check. One malware item was found...

P.S.: My native language is Russian (if you write emails), but I don't want to multiply topics in the forum.
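As an added illustration (not code from the posts above, nor from Kaspersky, Majestic12 or any other vendor named in this thread), here are the two checks a responder would script from the evidence in post #3: matching the exact User-Agent string from the capture, and flagging TCP/80 connections made by processes that should not be speaking HTTP. The sample request is the captured one re-typed by hand; the benign request, the connection records and the process list are constructed for the example. Treating winlogon.exe and svchost.exe as non-browser processes is the example's own assumption, not something the thread establishes; svchost.exe hosts Windows Update among other services, so a real rule would need an allow-list of destinations.

```python
from collections import Counter

# Indicator taken from the captured request quoted in the post above.
FAKE_MJ12_UA = "MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)"

# Assumption for this example: these Windows images are not web clients.
# winlogon.exe should never speak HTTP; svchost.exe hosts many services
# (Windows Update included), so in real use it needs a destination allow-list
# rather than a flat rule.
NON_BROWSER_PROCESSES = {"winlogon.exe", "svchost.exe"}

# Constructed sample: the request from the capture above as one raw HTTP message.
SAMPLE_REQUEST = (
    "GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)\r\n"
    "Host: www.tangozadar.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed benign request for comparison (made-up browser UA string).
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; example browser)\r\n"
    "\r\n"
)

# Constructed connection records in the shape a Process Explorer TCP/IP tab or a
# firewall log gives: (image name, pid, remote address, remote port).
# Addresses are from the documentation range 203.0.113.0/24.
SAMPLE_CONNECTIONS = [
    ("winlogon.exe", 612, "203.0.113.10", 80),
    ("svchost.exe", 872, "203.0.113.11", 80),
    ("svchost.exe", 872, "203.0.113.12", 80),
    ("svchost.exe", 872, "203.0.113.13", 80),
    ("firefox.exe", 2040, "203.0.113.20", 80),
    ("svchost.exe", 1032, "203.0.113.30", 443),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into request-line fields and a header map.

    Header names are lower-cased so lookups do not depend on the sender's casing;
    values are split on the first colon only, so "http://..." inside a value survives.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_fake_mj12bot(raw):
    """True when the User-Agent equals the string seen in the infected host's traffic.

    A user-agent match alone is weak evidence (anyone can send that string); in the
    thread the decisive signal was which process on the host produced the request.
    """
    return parse_request(raw)["headers"].get("user-agent") == FAKE_MJ12_UA


def suspicious_egress(connections, port=80):
    """Count connections to `port` per non-browser process.

    Returns {image_name: connection_count} for processes in NON_BROWSER_PROCESSES
    that have at least one connection to `port`; other processes and ports are ignored.
    """
    counts = Counter(
        image.lower()
        for image, _pid, _addr, rport in connections
        if rport == port and image.lower() in NON_BROWSER_PROCESSES
    )
    return dict(counts)


if __name__ == "__main__":
    print("fake bot UA in sample request:", is_fake_mj12bot(SAMPLE_REQUEST))
    print("suspicious egress on TCP/80:", suspicious_egress(SAMPLE_CONNECTIONS))
```

The user-agent check is what a web admin can apply server-side; the egress check is the host-side counterpart of the Outpost rule described in the post, and it is the one that separates an infected desktop from the real crawler, since a legitimate crawler never runs inside winlogon.exe.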
29.12.2007 22:37, Post #4
Are You Kidding? (Group: Moderators, Posts: 56940, Joined: 28.01.2006, From: Timisoara, Romania)
If you are fond of posting in Russian, I'll move the whole topic to the Russian section so you can continue there.
Meanwhile, could you post a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
This post has been edited by Lucian Bara: 29.12.2007 22:38
29.12.2007 23:18, Post #5
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
> If you are fond of posting in Russian, I'll move the whole topic to the Russian section so you can continue there. Meanwhile, could you post a ComboFix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

I have sent the log to you. Interesting: I can't see the sent message in "Sent Items" (in the forum mailbox). Did you receive it?
29.12.2007 23:21, Post #6
Are You Kidding? (Group: Moderators, Posts: 56940, Joined: 28.01.2006, From: Timisoara, Romania)
It would have been best to post it here so others could see it as well.
I'll check it tomorrow. In the meantime: ComboFix removed and backed up C:\WINDOWS\system32\mute32.dll. The folder it uses is c:\qoobox (if you explore it you will see that the structure is also similar to that of the hard disk). You should send that DLL for analysis to newvirus@kaspersky.com and post the analysis results.
This post has been edited by Lucian Bara: 30.12.2007 00:12
30.12.2007 00:08, Post #7
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
Here's the log:
combofix.txt (17.53K)
This post has been edited by Lucian Bara: 30.12.2007 17:17
30.12.2007 02:42, Post #8
Forum Elite (Group: Moderators, Posts: 9289, Joined: 6.04.2006, From: London)
I'm presuming you've sent mute32.dll to the VirusLab.

Please also send the files below to Kaspersky's VirusLab:
C:\WINDOWS\TEMP\4FF0E7B9.dll
C:\WINDOWS\system32\icwres32.dll
Instructions on how to send files to the Lab are shown here: http://forum.kaspersky.com/index.php?showtopic=13881

Also, download, extract and run IceSword: http://mail.ustc.edu.cn/%7Ejfpan/download/IceSword122en.zip
(You may get a few "Suspicious Driver Installation" warnings from Kaspersky about IceSword. Allow them.)
Click "SSDT" (on the left). Are there any filenames in red other than kilf.sys? If there are, what directory are they in and what filename do they have? Posting a screenshot of it will also do, as long as it's clear what the file is.

Edit: Also, uninstall McAfee and keep Kaspersky installed. It is NEVER a good idea to have 2 antiviruses installed at the same time, and seeing as help is being requested on the Kaspersky forum, it makes sense to keep it as the running antivirus.
This post has been edited by dawgg: 30.12.2007 02:54
30.12.2007 13:58, Post #9
Newbie (Group: Members, Posts: 3, Joined: 30.12.2007)
Here is another 'victim' of this bot, generating lots of HTTP requests to several URLs with ascending port numbers. Is there a solution available yet?
Is there a way I can contribute to help neutralize this botnet?
This post has been edited by eNaSnI: 30.12.2007 13:59
30.12.2007 14:06, Post #10
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
I have sent, zipped and password-protected:
C:\WINDOWS\TEMP\4FF0E7B9.dll
C:\WINDOWS\system32\icwres32.dll
C:\qoobox\Quarantine\C\WINDOWS\system32\mute32.dll.vir

IceSword (SSDT) in red:
\SystemRoot\system32\DRIVERS\SandBox.sys
mute2x.sys
sptd.sys
See the attachment too.

I don't use Kaspersky software at this moment, just because:
1. "It is NEVER a good idea to have 2 AntiViruses installed at the same time".
2. I know nothing about the Kaspersky firewall, but the Agnitum Outpost firewall is already installed and working: it blocks svchost.exe and winlogon.exe from making outgoing connections to port 80. And Kaspersky and Agnitum Outpost don't work together. :-)
3. I have no license for Kaspersky (used the 30-day trial for a test), but I have McAfee.
4. Kaspersky did not find anything.

"Help is being requested on the Kaspersky forum" because:
1. I know your response time.
2. The possibility of discussing in Russian.

P.S.: I'll install Kaspersky if it is needed to solve the problem.
Attached File(s)
30.12.2007 14:21, Post #11
Newbie (Group: Members, Posts: 3, Joined: 30.12.2007)
Used the ComboFix tool as mentioned earlier and this is the result:
combofix.txt (17.24K)
And some IceSword: (screenshot attachment, not preserved)
This post has been edited by Lucian Bara: 30.12.2007 17:19
30.12.2007 15:40, Post #12
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
Seems I have already bought Kaspersky Security:
SoftKey.ru (translated from Russian): "Funds have been received for order N 1014105 of 30.12.2007 14:11:19 in the amount of 1600 rubles. The order has been accepted for processing."
30.12.2007 17:16, Post #13
Are You Kidding? (Group: Moderators, Posts: 56940, Joined: 28.01.2006, From: Timisoara, Romania)
vitals,
sptd.sys - SCSI pass through direct driver (Daemon Tools / Alcohol 120%) (ok)
SystemRoot\system32\DRIVERS\SandBox.sys - it should belong to Outpost
Only that mute2x.sys is unknown; you should send it as well.

eNaSnI, since when have you been getting that? Can you locate and send these files:
c:\windows\system32\panmap32.dll
C:\WINDOWS 3474_.tmp
C:\WINDOWS\system32\ansi13.sys
This post has been edited by Lucian Bara: 30.12.2007 17:26
30.12.2007 18:00, Post #14
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
> Only that mute2x.sys is unknown; you should send it as well.

Sent. Interesting: the SMTP server responded "illegal attachment" while I was using zip (with password). Outpost and McAfee email scanning were OFF. Found a solution: sent rar with password AND the "encrypt filenames" option.
30.12.2007 18:22, Post #15
Newbie (Group: Members, Posts: 3, Joined: 30.12.2007)
Lucian Bara,
I noticed this extra network traffic last week, but maybe it was there longer. I will send the files now.
30.12.2007 22:10, Post #16
Forum Elite (Group: Moderators, Posts: 9289, Joined: 6.04.2006, From: London)
> Interesting: the SMTP server responded "illegal attachment" while I was using zip (with password). Found a solution: sent rar with password AND the "encrypt filenames" option.

Some mail servers, such as Gmail, do that to stop all *.exe files from being sent, to prevent users from getting e-mails with malicious attachments. Encrypting the file names prevents the mail server from seeing what format the attachment is, so it'll send it. Perfectly normal.
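Why the gateway could see the DLL inside a password-protected ZIP but not inside a RAR with encrypted file names, shown as an added example that is not part of the posts above and is not the code of any mail provider or vendor named in this thread: traditional ZIP encryption scrambles each member's bytes but leaves the central directory, file names included, in clear, so an attachment filter only has to list the directory. Python's zipfile module cannot write password-protected members, so the constructed archive below is unencrypted; the names it exposes are exactly the ones a ZipCrypto-protected archive would expose. The member names reuse files discussed in the thread with placeholder contents; the suffix list and the "final suffix only" rule are assumptions for the example.

```python
import io
import zipfile

# Suffixes a simple gateway rule treats as executable content (assumed rule set).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def build_sample_archive():
    """Constructed sample: a ZIP with members named like the files sent for analysis.

    zipfile cannot write password-protected members, so the archive is unencrypted.
    Under traditional (ZipCrypto) password protection the member bytes would be
    scrambled but the central directory, and therefore these names, would not.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("icwres32.dll", b"MZ placeholder bytes, not a real DLL")
        zf.writestr("mute2x.sys", b"MZ placeholder bytes, not a real driver")
        zf.writestr("notes.txt", b"files submitted for analysis")
    return buf.getvalue()


def directory_listing(archive_bytes):
    """Return [(name, is_encrypted)] by reading only the central directory.

    No member content is read or decrypted. Bit 0 of the general-purpose flag marks
    an encrypted member, and that flag lives in the plaintext directory as well.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def executable_members(archive_bytes):
    """Names in the archive whose final suffix is on the executable list.

    Assumed rule: a name such as mute32.dll.vir passes this check because its final
    suffix is .vir; a stricter gateway would inspect every dotted component.
    """
    names = [name for name, _enc in directory_listing(archive_bytes)]
    return [n for n in names if n.lower().endswith(EXECUTABLE_SUFFIXES)]


def gateway_verdict(archive_bytes):
    """Mimic the 'illegal attachment' decision: reject when any member name looks executable."""
    hits = executable_members(archive_bytes)
    return ("reject", hits) if hits else ("accept", [])


if __name__ == "__main__":
    data = build_sample_archive()
    print(directory_listing(data))
    print(gateway_verdict(data))
```

RAR's "encrypt file names" option (the -hp switch) encrypts the archive headers as well as the data, so a name-based filter like this one sees nothing inside and has to choose between passing the opaque archive, which is what happened in the thread, and blocking every header-encrypted archive outright.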
31.12.2007 05:22, Post #17
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
Answer from Kaspersky Lab: 2 new malicious programs found (I sent three files for analysis):
Trojan.Win32.Agent.dqy
Trojan.Win32.Zapchast.dv
"Its detection will be included in the next update."

I installed the latest version of KIS and downloaded the latest update. Started a full system scan. 2 new malicious programs found:
Trojan.Win32.Agent.dqy
Trojan.Win32.Zapchast.dv
and removed with a system restart.

Result:
1. No unwanted traffic. I allowed port 80 for svchost.exe and performed Windows Update without problems.
2. No "svchost.exe file is modified" message from KAV (there was one before the full system scan).
3. No attack on the KAV process (there was one before the full system scan).

Seems the "Fake MJ12bot v1.0.8" problem was solved in a very short time (~24h).
dawgg, Lucian Bara: Thank you very much!

P.S.: McAfee and Outpost are removed (no comments) from my system. Awaiting the already-bought license for KIS...
This post has been edited by vitals: 31.12.2007 05:24
31.12.2007 12:46, Post #18
Forum Elite (Group: Moderators, Posts: 9289, Joined: 6.04.2006, From: London)
Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems.
To all others, if you are using Kaspersky, make sure that in the scan settings "Enable Rootkit Detection" is enabled and that you perform an update before you scan.
This post has been edited by dawgg: 31.12.2007 12:47
31.12.2007 14:25, Post #19
Newbie (Group: Members, Posts: 8, Joined: 31.12.2007)
Hi all!
I am the original creator of MJ12bot, which was impersonated by this terrible virus. I'd like to say a big thanks to everyone, and especially to the good people of Kaspersky Labs, for the efforts that resulted in positive identification of this virus and the cure I hope is on the way! Even though we were not infected ourselves, this virus faked our legit bot's user-agent and people thought we were at fault. But I hope now that the truth is uncovered everyone will be able to breathe a sigh of relief! Happy New Year to everyone; let's hope this virus will be eliminated completely!
cheers,
Alex
P.S. Given the fast reaction time by Kaspersky, I think I will switch away from AVG to it...
31.12.2007 16:10, Post #20
Newbie (Group: Members, Posts: 8, Joined: 29.12.2007)
> Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems ...

dawgg, I was searching the internet for a solution and failed. Other users were trying everything without any result. AFAIK Kaspersky is the first. I asked Kaspersky Lab for help because the company where I work and Kaspersky Lab (and other AV vendors) are partners: I know and like Kaspersky's working style.
This post has been edited by vitals: 31.12.2007 16:15