savatage

Fake MJ12bot v1.0.8

62 posts in this topic

I noticed suspicious network traffic on my PC a few days ago. I closed all network-related programs, but something is still downloading from port 80 of various IPs.

 

After a little searching on the internet, I found that there is a fake bot named MJ12bot v1.0.8.

 

There is an information page about this, prepared by the original MJ12bot developers, here.

 

There is no exact solution for this right now, as far as I know; does anybody have information about this?

 

Kaspersky AV 6.x with the newest update cannot find anything...

 

Other discussions about this problem:

 

http://forums.whirlpool.net.au/

http://www.majestic12.co.uk/forum/

http://www.unixadmintalk.com/

 

 

hello

Send the file for analysis: http://forum.kaspersky.com/index.php?showtopic=13881

 

Same problem.

What to send? You (Kaspersky, McAfee) don't know this malware. We (users) don't either. :-)

I have tried all of the above vendors.

 

Process Explorer from the SysInternals utilities shows:

I have traffic from

1) svchost.exe (DCOM Server Process Launcher)

2) winlogon.exe

 

Traffic is like:

---

GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1

Accept: */*

Accept-Language: en

User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)

Host: www.tangozadar.com

Connection: close

 

HTTP/1.1 200 OK

Date: Fri, 28 Dec 2007 22:54:58 GMT

Server: Apache/1.3.39 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.30 OpenSSL/0.9.8b

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

X-Powered-By: PHP/4.4.7

Set-Cookie: 2c1f10a576ac90244a1bd00f8d488cd7=-; path=/

Last-Modified: Fri, 28 Dec 2007 22:54:58 GMT

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html

 

ee7

<?xml version="1.0" encoding="windows-1250"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

...

---

Captured with Wireshark.

 

For now I have blocked outgoing TCP connections on port 80 for svchost.exe and winlogon.exe with the Agnitum Outpost firewall (stupid McAfee creates read-only rules for these applications :-)).

 

The Agnitum firewall shows

"20:11:40 SVCHOST.EXE: 872 TCP connection with 78.84.71.113:3335 blocked Block incoming RPC (TCP)"

from time to time.

 

There is another user case:

http://www.wirelessforums.org/alt-computer...ried-31663.html

And another

http://forums.whirlpool.net.au/forum-repli...cfm/879242.html

 

The problem is very serious:

http://www.majestic12.co.uk/projects/dsearch/mj12bot.php

web admins are creating rules against this _fake_ bot.

 

I can do anything to help solve the problem: ask any questions, request any actions.

For now I am running an Agnitum Antispyware check. One malware item has been found...

 

P.S.: my native language is Russian (if you write emails), but I don't want to multiply topics in the forum.
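As an added example (not code from the thread, from Kaspersky or from Majestic-12), here is a small Python check for the pattern described in the post above: a raw HTTP request like the one captured with Wireshark is parsed, and a crawler User-Agent sent by a Windows system process such as svchost.exe or winlogon.exe is flagged, while an ordinary Windows Update fetch from svchost.exe is not. The Windows Update request, its host name and the crawler names other than MJ12bot are assumptions.

```python
import re

# Windows processes that, on the infected machines in this thread, were the
# origin of the fake-crawler traffic (Process Explorer showed both of them).
SYSTEM_PROCESSES = {"svchost.exe", "winlogon.exe"}

# User-Agent strings of well-known crawlers; a desktop PC should never send these.
# MJ12bot is from the thread; the other names are assumed additions.
CRAWLER_UA = re.compile(r"\b(MJ12bot|Googlebot|bingbot|YandexBot)\b", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version and a
    lower-cased header dict (the body, if any, is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(process, raw):
    """Rate one captured request given the process that sent it.
    'fake-bot': a system process claiming to be a crawler (the pattern in this thread)
    'review'  : any other process on a desktop claiming a crawler User-Agent
    'ok'      : nothing crawler-like (svchost.exe legitimately fetches Windows Update)"""
    headers = parse_request(raw)["headers"]
    crawler = bool(CRAWLER_UA.search(headers.get("user-agent", "")))
    if crawler and process.lower() in SYSTEM_PROCESSES:
        return "fake-bot"
    return "review" if crawler else "ok"


# Constructed samples: the first reproduces the request captured with Wireshark
# in the post above; the second is an assumed Windows Update fetch (host and path
# are placeholders, not real Microsoft endpoints).
FAKE_BOT_REQUEST = (
    "GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1\r\n"
    "Accept: */*\r\nAccept-Language: en\r\n"
    "User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)\r\n"
    "Host: www.tangozadar.com\r\nConnection: close\r\n\r\n"
)
UPDATE_REQUEST = (
    "GET /update/manifest.cab HTTP/1.1\r\n"
    "User-Agent: Windows-Update-Agent\r\nHost: update.example.invalid\r\n\r\n"
)
# classify("svchost.exe", FAKE_BOT_REQUEST) -> "fake-bot"; classify("svchost.exe", UPDATE_REQUEST) -> "ok"
```

Feed it the process name from Process Explorer together with the request text from the capture; only the combination of a system process and a crawler User-Agent is rated as the fake bot, so a firewall rule that simply blocks svchost.exe on port 80 (which also breaks Windows Update, as noted later in the thread) is not needed for detection.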

 


It would have been best to post it here so others could see it as well.

 

I'll check it tomorrow. In the meantime: ComboFix removed and backed up C:\WINDOWS\system32\mute32.dll. The folder it uses is c:\qoobox (if you explore it you will see that the structure is also similar to that of the hard disk).

You should send that DLL for analysis to newvirus@kaspersky.com and post the analysis results.

Edited by Lucian Bara


I'm presuming you've sent mute32.dll to the VirusLab.

Please also send the files below to Kaspersky's Viruslab:

C:\WINDOWS\TEMP\4FF0E7B9.dll

C:\WINDOWS\system32\icwres32.dll

Instructions on how to send files to the Lab are shown here: http://forum.kaspersky.com/index.php?showtopic=13881

 

 

Also, download, extract and run IceSword: http://mail.ustc.edu.cn/%7Ejfpan/download/IceSword122en.zip

(You may have a few "Suspicious Driver Installation" warnings from Kaspersky about IceSword. Allow them)

Click "SSDT" (on the left).

Are there any filenames in red other than kilf.sys? If there are, what directory are they in and what filename do they have? Posting a screenshot of it will also do, as long as it's clear what the file is.

 

 

Edit: Also, uninstall McAfee and keep Kaspersky installed. It is NEVER a good idea to have 2 antiviruses installed at the same time, and seeing as help is being requested on the Kaspersky forum, it makes sense to keep it as the running antivirus.

Edited by dawgg


Here is another 'victim' of this bot, generating lots of HTTP requests to several URLs, with ascending port numbers used. Is there a solution available yet?

 

Is there a way I can contribute to help neutralize this botnet?

Edited by eNaSnI


I have sent, zipped and passworded:

C:\WINDOWS\TEMP\4FF0E7B9.dll

C:\WINDOWS\system32\icwres32.dll

C:\qoobox\Quarantine\C\WINDOWS\system32\mute32.dll.vir

 

IceSword (SSDT) in red:

\SystemRoot\system32\DRIVERS\SandBox.sys

mute2x.sys

sptd.sys

 

See attachment too.

 

 

I don't use Kaspersky software at this moment, because:

1. "It is NEVER a good idea to have 2 AntiViruses installed at the same time".

2. I know nothing about the Kaspersky firewall, but the Agnitum Outpost firewall is already installed and working:

it blocks svchost.exe and winlogon.exe from making outgoing connections to port 80.

And Kaspersky and Agnitum Outpost don't work together. :-)

3. I don't have a license for Kaspersky (I used the 30-day trial for testing), but I have McAfee.

4. Kaspersky did not find anything.

 

"help is being requested on the Kaspersky forum" because:

1. I know your response time.

2. The availability of discussion in Russian.

 

P.S.: I'll install Kaspersky if it is needed to solve the problem.

post-74841-1199007698_thumb.png


Used this ComboFix tool as mentioned earlier, and this is the result:

 

combofix.txt

 

And some IceSword:

 

6yy93c7.jpg

Edited by Lucian Bara


Seems I have already bought Kaspersky Security:

SoftKey.ru:

Payment has been received for order N 1014105 of 30.12.2007 14:11:19 in the amount of 1600 rubles. The order has been accepted for processing.

SoftKey.ru (translated by Google):

"There were a means to order N 1014105 dated 30.12.2007 14:11:19 in the amount of 1600 rubles. Order accepted for processing."

 

:supercool:


vitals,

sptd.sys - SCSI pass through direct driver (Daemon Tools/Alcohol 120%) (ok)

SystemRoot\system32\DRIVERS\SandBox.sys - it should belong to Outpost

 

Only mute2x.sys is unknown; you should send it as well.

 

eNaSnI,

Since when do you get that?

Can you locate and send these files:

c:\windows\system32\panmap32.dll

C:\WINDOWS3474_.tmp

C:\WINDOWS\system32\ansi13.sys

Edited by Lucian Bara

Only mute2x.sys is unknown; you should send it as well.

 

Sent.

 

Interesting: the SMTP server responded "illegal attachment" while I was using zip (with password).

Outpost and McAfee email scanning were OFF.

 

Found a solution:

Sent a rar with password AND the "encrypt filenames" option.

 


Lucian Bara,

 

I noticed this extra network traffic last week, but maybe it was here longer. I will send the files now.

Interesting: the SMTP server responded "illegal attachment" while I was using zip (with password).

Found a solution:

Sent a rar with password AND the "encrypt filenames" option.

Some mail servers do that, such as Gmail, to prevent all *.exe files from being sent, so that users don't get e-mails with malicious attachments.

Encrypting file names prevents the mail server from seeing what format the attachment is, so it'll send it.

 

Perfectly normal :)


Answers from Kaspersky Lab: found 2 new malicious programs (I had sent three files for analysis).

Trojan.Win32.Agent.dqy

Trojan.Win32.Zapchast.dv

"Its detection will be included in the next update."

 

I installed KIS's latest version and downloaded the latest update.

Started a full system scan. 2 new malicious programs found:

Trojan.Win32.Agent.dqy

Trojan.Win32.Zapchast.dv

and removed with a system restart.

 

Result:

1. No unwanted traffic. I allow port 80 for svchost.exe and perform Windows Update without problems.

2. No "svchost.exe file is modified" message from KAV (was before full system scan).

3. No attack on the KAV process (was before the full system scan).

 

Seems the "Fake MJ12bot v1.0.8" problem was solved in a very short time (~24h). :bravo:

 

dawgg,

Lucian Bara:

Thank you very much!

 

P.S.: McAfee and Outpost have been removed (no comments) from my system. Awaiting the already-bought license for KIS...

Edited by vitals


Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems :)

 

To all others, if you are using Kaspersky, make sure in scan settings, "Enable Rootkit Detection" is enabled and you perform an update before you scan.

Edited by dawgg


Hi all!

 

I am the original creator of MJ12bot, which was impersonated by this terrible virus.

 

I'd like to say a big thanks to everyone, and especially the good people of Kaspersky Labs, for efforts that resulted in positive identification of this virus and a cure that I hope is on the way!

 

Even though we were not infected ourselves, this virus faked our legit bot's user-agent and people thought we were at fault :(

 

But I hope that now that the truth is uncovered everyone will be able to breathe a sigh of relief!

 

Happy New Year to everyone, let's hope this virus will be eliminated completely!

 

cheers,

 

Alex

 

P.S. Given fast reaction time by Kaspersky I think I will switch away from AVG to it...

Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems :)

...

 

dawgg, I was searching the internet for a solution and failed. Other users were trying everything without any result.

AFAIK: Kaspersky is the first.

I was asking for help from Kaspersky Lab because the company where I work and Kaspersky Lab (and other AV vendors) are partners: I know and like Kaspersky's working style.

Edited by vitals


Hi vitals, I sent you a PM, please check it - your email notification is probably off...


Okay, I'm having the same virus as all of you, but I didn't see any of the files mentioned here. I tried with NOD32 and Kaspersky 7 (not at the same time, obviously) and neither detected anything.

 

I tried with IceSword, and I saw some "unknown" processes in red, with the names NtAllocateVirtualMemory, NtQueueApcThread, NtReadVirtualMemory, NtRenameKey, NtSetInformationProcess, NtSetInformationThread, NtSuspendProcess, NtTerminateThread.

 

HijackThis and Autoruns don't show anything useful, I think.

 

If you want me to do some tests, just ask.

 

Thank you for your help, and happy new year.


Hi, post a ComboFix log too (see other posts).


Martin, when did you scan using Kaspersky?

Edited by dawgg


@dawgg: I scanned it this morning and again a couple of hours ago, approx. Databases are from 15:51:25.

@Lucian: I uploaded the ComboFix log here. Curiously, Kaspersky detects ComboFix.exe as Trojan.Win32.Inject.ph:

detected: Trojan program Trojan.Win32.Inject.ph    File: c:\documents and settings\martin\escritorio\combofix.exe//PE_Patch.UPX/catchme.cfexe//PE_Patch.UPX//#

 

Edit: I have just updated to 17:27:05 databases. I'm scanning right now.

Edit 2: okay, I have read about ComboFix here. Still scanning...

Edited by Martín M
