savatage

Fake MJ12bot v1.0.8

46 posts in this topic

I noticed that there was suspicious network traffic on my PC a few days ago. I closed all network-related programs, but something keeps downloading from port 80 of various IPs.

After a little search over the internet, I found that there is a fake bot named MJ12bot v1.0.8.

There is an information page about this, prepared by the original MJ12bot developers, here.

There is no exact solution for this right now as far as I know; does anybody have information about this?

Kaspersky AV 6.x with the newest update cannot find anything...

Other discussions about this problem:

 

http://forums.whirlpool.net.au/

http://www.majestic12.co.uk/forum/

http://www.unixadmintalk.com/

 

 

Hello,

Send the file for analysis: http://forum.kaspersky.com/index.php?showtopic=13881

 

Same problem.

What to send? You (Kaspersky, McAfee) don't know this malware. Neither do we (users). :-)

I have tried all the above vendors.

 

Process Explorer from the Sysinternals utilities shows:

I have traffic from

1) svchost.exe (DCOM Server Process Launcher)

2) winlogon.exe

 

The traffic is like:

---

GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1

Accept: */*

Accept-Language: en

User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)

Host: www.tangozadar.com

Connection: close

 

HTTP/1.1 200 OK

Date: Fri, 28 Dec 2007 22:54:58 GMT

Server: Apache/1.3.39 (Unix) mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.30 OpenSSL/0.9.8b

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Pragma: no-cache

X-Powered-By: PHP/4.4.7

Set-Cookie: 2c1f10a576ac90244a1bd00f8d488cd7=-; path=/

Last-Modified: Fri, 28 Dec 2007 22:54:58 GMT

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html

 

ee7

<?xml version="1.0" encoding="windows-1250"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

...

---

Captured with Wireshark.

 

For now I have blocked outgoing TCP connections on port 80 for svchost.exe and winlogon.exe with the Agnitum Outpost firewall (stupid McAfee creates read-only rules for these applications :-)).

 

The Agnitum firewall shows

"20:11:40 SVCHOST.EXE: 872 TCP connection with 78.84.71.113:3335 blocked Block incoming RPC (TCP)"

from time to time.

 

There is another user case:

http://www.wirelessforums.org/alt-computer...ried-31663.html

And another:

http://forums.whirlpool.net.au/forum-repli...cfm/879242.html

 

The problem is very serious:

http://www.majestic12.co.uk/projects/dsearch/mj12bot.php

Web admins are creating rules for this _fake_ bot.

 

I can do anything to solve the problem: ask any questions, request any actions.

Right now I am running an Agnitum Antispyware check. One malware item has been found...

 

P.S.: my native language is Russian (if you write emails), but I don't want to multiply topics in the forum.
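Added example (not from the thread or from any poster): a small Python check that parses the captured request above and scans Apache combined-format access log lines for the spoofed User-Agent string, so a web admin can count which source IPs are sending it. It assumes that the exact "MJ12bot/v1.0.8" string from the capture is the indicator; the log lines and IPs are constructed samples.

```python
import re
from collections import Counter

# Indicator: the User-Agent from the Wireshark capture in the thread (assumed to be the fake bot's signature).
FAKE_MJ12BOT_UA = re.compile(r"MJ12bot/v1\.0\.8\b")

# Apache "combined" log format; the last quoted field is the User-Agent.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_http_request(raw):
    """Parse a raw HTTP/1.x request (request line plus headers) into a dict."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}

def is_fake_mj12bot(user_agent):
    """True if the User-Agent carries the spoofed version string from the capture."""
    return bool(FAKE_MJ12BOT_UA.search(user_agent or ""))

def scan_access_log(lines):
    """Return (list of (ip, path) hits, Counter of hits per source IP)."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m and is_fake_mj12bot(m.group("ua")):
            hits.append((m.group("ip"), m.group("path")))
            per_ip[m.group("ip")] += 1
    return hits, per_ip

# Constructed sample input: the request from the thread's capture plus made-up log lines (documentation IP ranges).
CAPTURED_REQUEST = """GET /index.php?option=com_zoom&Itemid=35&page=view&catid=10&PageNo=1&key=0&hit=1 HTTP/1.1
Accept: */*
Accept-Language: en
User-Agent: MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)
Host: www.tangozadar.com
Connection: close
"""
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Dec/2007:22:54:58 +0000] "GET /index.php?option=com_zoom&Itemid=35 HTTP/1.1" 200 3815 "-" "MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)"',
    '192.0.2.10 - - [28/Dec/2007:22:55:01 +0000] "GET /index.php?option=com_zoom&Itemid=36 HTTP/1.1" 200 3815 "-" "MJ12bot/v1.0.8 (http://majestic12.co.uk/bot.php?+)"',
    '198.51.100.7 - - [28/Dec/2007:22:55:03 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]
```

Matching on the version string alone only catches this particular impostor; a genuine crawler claim is normally confirmed by checking the source IP against the crawler operator's published information rather than by the User-Agent.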

 


I'm presuming you've sent mute32.dll to the VirusLab.

Please also send the files below to Kaspersky's Viruslab:

C:\WINDOWS\TEMP\4FF0E7B9.dll

C:\WINDOWS\system32\icwres32.dll

Instructions of how to send files to the Lab are shown here: http://forum.kaspersky.com/index.php?showtopic=13881

 

 

Also, download, extract and run IceSword: http://mail.ustc.edu.cn/%7Ejfpan/download/IceSword122en.zip

(You may have a few "Suspicious Driver Installation" warnings from Kaspersky about IceSword. Allow them)

Click "SSDT" (on the left).

Are there any filenames in red other than kilf.sys? If there are, what directory are they in and what filename do they have? Posting a screenshot of it will also do, as long as it's clear what the file is.

 

 

Edit: Also, uninstall McAfee and keep Kaspersky installed. It is NEVER a good idea to have 2 AntiViruses installed at the same time, and seeing as help is being requested on the Kaspersky forum, it makes sense to keep it as the running AntiVirus.

Edited by dawgg


Here is another 'victim' of this bot, generating lots of HTTP requests to several URLs with ascending port numbers. Is there a solution available yet?

 

Is there a way I can contribute to help neutralize this botnet?

Edited by eNaSnI


I have sent, zipped and password-protected:

C:\WINDOWS\TEMP\4FF0E7B9.dll

C:\WINDOWS\system32\icwres32.dll

C:\qoobox\Quarantine\C\WINDOWS\system32\mute32.dll.vir

 

IceSword (SSDT) in red:

\SystemRoot\system32\DRIVERS\SandBox.sys

mute2x.sys

sptd.sys

 

See attachment too.

 

 

I don't use Kaspersky software at the moment. Just because:

1. "It is NEVER a good idea to have 2 AntiViruses installed at the same time".

2. I know nothing about the Kaspersky firewall, but the Agnitum Outpost firewall is already installed and working:

block svchost.exe and winlogon.exe for outgoing connections to port 80.

And Kaspersky and Agnitum Outpost don't work together. :-)

3. I have no license for Kaspersky (used the 30-day trial for testing), but I have McAfee.

4. Kaspersky did not find anything.

 

"help is being requested on the Kaspersky forum" because:

1. I know your response time.

2. The possibility of discussing in Russian.

 

P.S.: I'll install Kaspersky if it is needed to solve the problem.

post-74841-1199007698_thumb.png


Used this ComboFix tool as mentioned earlier and this is the result:

 

combofix.txt

 

And some IceSword:

 

6yy93c7.jpg

Edited by Lucian Bara


Seems I have already bought Kaspersky Security:

SoftKey.ru:

Payment for order N 1014105 of 30.12.2007 14:11:19 in the amount of 1600 rubles has been received. The order has been accepted for processing.

SoftKey.ru (translated by Google):

"There were a means to order N 1014105 dated 30.12.2007 14:11:19 in the amount of 1600 rubles. Order accepted for processing."

 

:supercool:

Only mute2x.sys is unknown, you should send it as well.

 

Sent.

 

Interesting: the SMTP server responded "illegal attachment" while I was using a zip (with password).

Outpost and McAfee email scanning were OFF.

 

Found a solution:

Sent a RAR with a password AND the "encrypt filenames" option.

 


Lucian Bara,

 

I noticed this extra network traffic last week, but maybe it was here longer. I will send the files now.

Interesting: the SMTP server responded "illegal attachment" while I was using a zip (with password).

Found a solution:

Sent a RAR with a password AND the "encrypt filenames" option.

Some mail servers, such as Gmail, do that to prevent *.exe files from being sent, so that users don't get e-mails with malicious attachments.

Encrypting the file names prevents the mail server from seeing what format the attachment is, so it'll send it.

 

Perfectly normal :)


Answers from Kaspersky Lab: found 2 new malicious programs (I had sent three files for analysis).

Trojan.Win32.Agent.dqy

Trojan.Win32.Zapchast.dv

"Its detection will be included in the next update."

 

I installed the latest version of KIS and downloaded the latest update.

Started a full system scan. 2 new malicious programs found:

Trojan.Win32.Agent.dqy

Trojan.Win32.Zapchast.dv

and removed with a system restart.

 

Result:

1. No unwanted traffic. I allowed port 80 for svchost.exe and performed Windows Update without problems.

2. No "svchost.exe file is modified" message from KAV (was before full system scan).

3. No attack to KAV process (was before full system scan).

 

Seems "Fake MJ12bot v1.0.8" problem is solved in a very short time (~24h). :bravo:

 

dawgg,

Lucian Bara:

Thank You very much!

 

P.S.: McAfee and Outpost are removed (no comments) from my system. Awaiting the already-bought license for KIS...

Edited by vitals


Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems :)

 

To all others, if you are using Kaspersky, make sure in scan settings, "Enable Rootkit Detection" is enabled and you perform an update before you scan.

Edited by dawgg


Hi all!

 

I am the original creator of MJ12bot, which was impersonated by this terrible virus.

 

I'd like to say a big thanks to everyone and especially the good people of Kaspersky Labs for efforts that resulted in positive identification of this virus, and a cure I hope is on the way!

 

Even though we were not infected ourselves, this virus faked our legit bot's user-agent and people thought we were at fault :(

 

But I hope now that the truth is uncovered everyone will be able to breathe a sigh of relief!

 

Happy New Year to everyone, let's hope this virus will be eliminated completely!

 

cheers,

 

Alex

 

P.S. Given fast reaction time by Kaspersky I think I will switch away from AVG to it...

Good to hear, and thank you for your patience rather than trying every single AV scanner hoping one will remove it... that method normally takes longer than simply asking for assistance and sometimes causes more problems :)

...

 

dawgg, I was searching the internet for a solution and failed. Other users were trying everything without any result.

AFAIK: Kaspersky is first.

I was asking for help from Kaspersky Lab because the company where I work and Kaspersky Lab (and other AV vendors) are partners: I know and like Kaspersky's working style.

Edited by vitals


Hi vitals, I sent you a PM, please check it - your email notification is probably off...


Okay, I'm having the same virus as you all, but I didn't see any of the files mentioned here. I tried with NOD32 and Kaspersky 7 (not at the same time, obviously) and neither detected anything.

 

I tried with IceSword, and I saw some "unknown" processes in red, with the names NtAllocateVirtualMemory, NtQueueApcThread, NtReadVirtualMemory, NtRenameKey, NtSetInformationProcess, NtSetInformationThread, NtSuspendProcess, NtTerminateThread.

 

HijackThis and Autoruns don't show anything useful, I think.

 

If you want me to do some test, just ask.

 

Thank you for your help, and happy new year.


Martin, when did you scan using Kaspersky?

Edited by dawgg


@dawgg: I scanned it this morning and again a couple of hours ago, approx. Databases are from 15:51:25.

@Lucian: I uploaded the ComboFix log here. Curiously Kaspersky detects ComboFix.exe as Trojan.Win32.Inject.ph:

detected: Trojan program Trojan.Win32.Inject.ph    File: c:\documents and settings\martin\escritorio\combofix.exe//PE_Patch.UPX/catchme.cfexe//PE_Patch.UPX//#

 

Edit: I have just updated to 17:27:05 databases. I'm scanning right now.

Edit 2: okay, I have read about combofix here. Still scanning...

Edited by Martín M

could you try to locate and send in:

C:\WINDOWS\system32\atmpvcno32.dll

C:\WINDOWS\system32\drivers\WP800USB.SYS

 

http://forum.kaspersky.com/index.php?showtopic=13881

I'm sending only the first one. The second one is not malware: it's a driver for a PIC programmer called WinPic800. At least that's what I think; I could send it anyway if you think it's the problem!

 

Thanks!


2 hours after sending the file you told me, I got an answer:

atmpvcno32.dll - Trojan.Win32.Agent.drn

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

In fact, after updating Kaspersky, it detected it!

detected: Trojan program Trojan.Win32.Agent.drn File: C:\WINDOWS\system32\atmpvcno32.dll//PE_Patch.UPX//UPX

 

Now I'm sending those other two, although the first one is only 143 bytes and contains some kind of encrypted string. Thanks for your help! Can you see any other suspicious thing?

I can see you disabled a lot of stop (some malicious, some gone, like nod32) with msconfig.

Sorry, what do you mean by "a lot of stop"? I usually disable many services and autoboot programs, as I like to have the most free resources when booting Windows, but I'm not sure if that's what you mean.

 

By the way, that file (atmpvcno32.dll) was in Autoruns, after all. I should have seen it :lol:


Hey everyone, happy new year first of all.

I just wanted to say I'm also affected by this bot. I first noticed it on 31 December because of the heavy network traffic, but my backup from 27 December already has it, so I can't restore :( I also found the registry key it writes every minute, in my case HKLM/Software/f2/20; I guess it's different for everyone, but my other PCs don't have any 2-letter key written every minute. The data in that key starts like this "01 0a 00 00"; the rest behind that changes every time it gets written.

 

I already searched my system for hours by file modified or created date and of course with a virus scan, but my scanner (Symantec) doesn't detect it. I also installed the Kaspersky Antivirus 7.0 trial (uninstalled Symantec first) and it found a file directx.exe in the system32 folder, which I also stumbled upon earlier when I looked at the files manually, but that wasn't it, it was some backdoor thing.

 

The sites where it "boots" from, e.g. sends/gets that GIF image, are mostly some .hk domains.

Another thing I noticed: it's not always working. For the last 5 hours it hasn't done any traffic, but just a few minutes ago the traffic started again and I could stop it by killing that svchost.exe...

 

I really have no clue where this thing is hiding; it certainly ruined my New Year's Eve. I wonder how many people have to get infected before Symantec and other software detects this; aren't they supposed to have test machines that log every change on the system and find everything instantly? Well, probably the problem is they don't know how to get a machine infected with this little bugger :( I also have no clue where and when I got this; nothing in Event Viewer that might give a hint...

 

I hope other people who are infected will also sign up here or get in touch with us, like that "covert" guy I saw on 2 boards; you can also contact me by ICQ 107546236.
