New Trojan-Worm?

Hello All,

I'm having a devil of a time with what appears to be a Trojan or worm running rampant on our network. The particulars are as follows:

1. An executable entitled "TASKMNGR.EXE" resides in the System32 directory.

2. An entry for RunDll32 is placed in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" which points to the aforementioned executable.

3. The executable itself seems to be a bastardized copy of the mIRC client version 5.7.

4. Each time an infected machine boots, this executable spawns a command process which runs secedit.exe and apparently grants itself administrative rights on the local computer. It does, however, produce a telltale sign by placing a very small mIRC icon in the upper right of the screen for a few seconds.

5. It would appear to have the ability to copy itself to any attached network drives.

One of the infected machines on our network began transferring large amounts of data to an unknown location at approximately 2:30am local time. It held a steady transfer rate of 1.3mb/sec for almost 7 hours before I was able to trace the source. I have searched SARC, several newsgroups and numerous web resources for any information on this application to no avail. I suspect that it arrived through one of many chat clients (AIM, ICQ, Yahoo!, MSN, etc.) that I have repeatedly told users not to install. Does anyone have any information on this?

Thanks to all who respond,

the whytless physh
 
This sounds similar!?
It sounds very much like this one here; it is an IRC trojan that makes a registry entry pointing to taskmgr.exe:

TROJ_JUNTADOR.G

Risk rating:

Virus type:
Trojan

Destructive:
No

Aliases:
Trojan.Dropper.Win32.Juntador.G, IRC_MIMIC.T

Description:
Upon execution, this Trojan, written in Borland Delphi, drops other Trojan files on the infected system. It does not have a destructive payload.

Solution:
Note: Do not delete all of the dropped files. Some of these are normal files. However, some of the dropped files are malware and vary according to the user of the Trojan. Please use the Trend Micro antivirus software to automatically detect and remove this other malware.

Click Start>Run, type Regedit then hit the Enter key.
In the left panel, double click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, look for and then delete this registry entry:
taskmgr.exe="%SYSTEM%\taskmgr.exe"
In the left panel, double click the following:
HKEY_USERS>.DEFAULT>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, look for and then delete this registry entry:
taskmgr.exe="%SYSTEM%\taskmgr.exe"
Restart your computer.
Scan your system with antivirus and delete all files detected as TROJ_JUNTADOR.G, BKDR_MIMIC.T, and IRC_MIMIC.T. To do this, try the free online scanning here:
h**p://housecall.antivirus.com/

If this is the same trojan, then it's disabled from booting by removing the entries in the registry at the above-mentioned places. It's worth a try to see if these entries match! ;)
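As an added example (not code from either poster or from the Trend Micro write-up), the following PowerShell report-only check enumerates the three Run keys named in this thread (HKLM from the first post, HKCU and HKEY_USERS\.DEFAULT from the TROJ_JUNTADOR.G solution) and lists any value whose name or data references TASKMNGR.EXE or taskmgr.exe, including the "RunDll32 ... taskmngr.exe" form the first post describes. It assumes a modern Windows host with PowerShell and an elevated session; the file name patterns are taken from the thread and are the only indicators it knows about.

```powershell
# Added example: report Run-key values that reference the file names named in
# this thread. Nothing is deleted; review the output before acting on it.
# Assumption: run from an elevated PowerShell session on the machine being checked.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)

# File names quoted in the thread (TASKMNGR.EXE in the first post, taskmgr.exe in
# the TROJ_JUNTADOR.G write-up). The genuine Task Manager is also taskmgr.exe, but
# a Run-key value pointing at it is unusual and worth a look.
$suspectPattern = '(?i)taskmngr\.exe|taskmgr\.exe'

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Match on the value name or its data so that both the plain
        # taskmgr.exe="..." entry and a RunDll32 command line are caught.
        if ($name -match $suspectPattern -or $data -match $suspectPattern) {
            $findings += [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Run-key values referencing taskmngr.exe/taskmgr.exe were found.'
}

# Also check for the dropped file itself, using the name and location from the
# first post, and record a hash so the sample can be compared across machines.
$dropped = Join-Path -Path $env:SystemRoot -ChildPath 'System32\TASKMNGR.EXE'
if (Test-Path -Path $dropped) {
    Get-Item -Path $dropped | Select-Object FullName, Length, LastWriteTime
    Get-FileHash -Path $dropped -Algorithm SHA256
}
```

Running the same script on each machine with the shares the original poster mentions gives a quick way to compare which hosts carry the entry before cleaning them by hand as described above.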
 
First, thank you both for your responses.

Looking at similar trojan profiles, I believe it to be a DoS application. I can find no evidence of actual files being transferred from an infected computer yet the amount of data transferred suggests the application was sending packets to somewhere in a rapid fashion. Our pipe provider, unfortunately, does not retain router logs for longer than 30 minutes. I was unable to contact them before the logs became invalid.

We are currently using Norton Corporate AV 7.6 in a managed scenario. All the affected machines had an active NAV client on them and nothing was intercepted or reported. I can find no evidence of infection other than what I have already outlined. Removal is quite simply a matter of deleting the TASKMNGR.EXE file and its registry entry.

Of the 80 or so computers in our domain, I have found this trojan on 12. Each infected computer had a UNC share or administrative access to all the other infected machines. It does not appear to be able to spread by IP alone. I find the use of secedit most disturbing as one of the machines infected was logged in with domain admin rights at the time. I still have no conclusive evidence of this application's origin.
 