Overview

Summary:
The source code to the Windows trojan called 'Acid Shiver' that covered most of Efnet last year has been released. The source code is all Visual Basic 5.0 (SP3), and not much effort was put into organization. It had been distributed through 'WaReZ' DCC bots, and had over 7000 users within 2 months. It was disguised as a million different applications: the Setup.exe file in different programs was replaced by the trojan, which would install itself into the registry on first use. As soon as the program is run, it registers its process as a 'Windows Service', thus removing it from all task lists. It waits until an active internet connection is established (by attempting connections to an array of SMTP servers), and then e-mails the creator with the random TCP port number it listens on, the time, and a large amount of sensitive information resident on the victim's hard drive. The creator then connects via telnet to the specified port and is given a prompt that looks like a DOS shell. Any command can be executed, with the results shot back across the TCP connection; network topology can be shown (net * commands), files may be downloaded, the deployer may "bounce" through the victim to another host, and system settings/registry entries can be changed. The victim can use a netstat to see the listening port/connections. It loads automatically through the HKLM/M$/Windows/Current Version/Run Services, Run, Run Once, and Run Services Once entries. If it detects another copy running it exits. The file size for the exe changed depending upon the exe-packer used, and any hex-editing done by the deployer. Among the IRC operators infected were _cls_ and saralee, along with some other high profiles on Efnet (among the hacking/warez community). - elessdee, Bugtraq List
Vendor Notes:
Author's summary: "Alright this trojan is pretty cool, it runs on a random TCP port each time it's started and it sends an email to the infector, telling them the info. To connect to it, you need to connect via telnet on the specified port. Everything is command line based but it's still a very good trojan. Btw if you add a cool feature please remember this is an open source project..."

Functions:
- Lists most of the commands (description of command)
- Hide a task from Control + Alt + Delete
- Show a hidden task in Control + Alt + Delete
- List contents of current directory
- List contents of current directory
- Change to specified directory/drive
- Clear screen
- Kill process by PID (shown in PS)
- Show running processes
- Delete specified files
- Change port Acid Shiver listens on (until next reboot)
- Change to default Windows Desktop folder
- Change to Windows Recent folder
- Change to default WS_FTP folder
- Show version number of Acid Shiver
- Show physical, RAM, CD-ROM, and network drives
- Relay connection to host on port, Control + C to abort
- SendKeys to active window
- Show ethernet stats and physical address
- Rename the user's computer
- Show DOS environment variables
- Beep the specified number of times
- Type 'CDROM' for more information
- Terminate Acid Shiver
- Rename a specified disk drive
- Type 'Shutdown' for more information
- Retrieve information on specified drive
- Disconnect a session by socket index shown in 'STATUS'
- Show user's current system date
- Show some general system information about host and user
- Show the state of all sockets used since last reboot
- Retrieve specified file
- Retrieve specified file in hex form
- Run the specified shell command
- Run the specified command and display results (may lock up)
- Make a new directory
- Remove a directory and all files and subdirectories inside
- Copy file1 to file2
Alias:
Acid Shiver, Acid Shiver [McAfee], Acid Shiver.c, Backdoor.AcidShiver.Kor [Kaspersky], Backdoor/AcidAhiver.Kor.B [Computer Associates], PWS-Shivers, security risk or a "backdoor" program [F-Prot], Trojan.PSW.AcidShiver, Win32.AcidShiver.Kor [Computer Associates], Win32/AcidShiver.Kor trojan [Eset]
Category:
RAT: A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is File and Print Sharing, when home users inadvertently open up their system to the rest of the world: if an attacker has write access to the hard drive, he/she can place the trojan in the Startup folder, and it will run the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social-engineering pretext that convinces the user to run it against their better judgment.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software classified as a "backdoor" is designed to exploit a vulnerability in a system and open it to future access by an attacker.

Password Capture: A variant of the key logger that captures passwords as they are entered or transmitted. Some password-capture trojans impersonate the login prompt, asking the user to provide their password.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of break-ins. If you pull down a program from a chat room, a newsgroup, or unsolicited e-mail, the program may well be trojaned with some subversive purpose. The word Trojan can also be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be made to accept a certain password for any user's account, which the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Variants:

Similar Pests:
RAT · Backdoor · Password Capture · Trojan
Origins

Author:
Green Applet
By This Author:
Acid Shiver Release 5.00 (Public Open Source) · Acid Shivers e · Modified Acid Shiver Server · Modified Masters Paradise · NetBus Hack 1.1
Vendor:
LEENTech Corporation
Programming Language:
Visual Basic. Requires MSwinsck.ocx, MSvbvm50.dll, and Comdlg32.ocx
Date of Origin:
Variants from November, 1998 to May, 2002
Distribution

Prevalence:

Clot Factor:
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Operation

Platform:
Windows 95, 98 and NT
Default Port:
Random; the server picks a new port each time it starts, and the deployer can change it at run time with the port-change command (until the next reboot).
Storage Required:

Restart:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (the summary above also names the RunOnce, RunServices and RunServicesOnce keys under the same path)
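The summary and the Restart field above give two host-side traces a responder can check without any signature: the autostart values under the four HKLM\...\CurrentVersion\Run* keys, and the listening TCP port plus the SMTP call-home that netstat shows. The script below is an added example (not code from the trojan, from Green Applet or from PestPatrol) that runs those checks offline over constructed `regedit /e` and `netstat -an` samples. The value name "Setup", the paths, the addresses and the allow-list of expected ports (here only 139, NetBIOS) are illustrative assumptions; the page does not give the real value name the server used.

```python
"""Offline triage for the traces named in the Acid Shiver write-up: values
under the four Run* autostart keys, and an unexplained TCP listener plus an
outbound SMTP session in netstat output.  Added example with constructed
inputs; on a live host feed it the output of `regedit /e` and `netstat -an`."""
import re
from collections import defaultdict

# Keys the summary says the server registers under (compared case-insensitively).
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
}

# Constructed REGEDIT4 export; value names and paths are illustrative only.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Setup"="C:\\WINDOWS\\SYSTEM\\Setup.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Setup"="C:\\WINDOWS\\SYSTEM\\Setup.exe"
'''

# Constructed `netstat -an` output: the NetBIOS listener, one listener on a
# high port nobody can account for, and an established session to remote port 25.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1189       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1190       10.0.0.3:25            ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
NETSTAT_RE = re.compile(r'^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a
    REGEDIT4 export (the only value type the Run* keys normally hold)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            # .reg files escape every backslash in the data as \\
            values[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def autostart_entries(values):
    """Flatten the four Run* keys into (key, value_name, command) triples."""
    return [(key, name, cmd)
            for key, vals in values.items() if key.lower() in AUTOSTART_KEYS
            for name, cmd in vals.items()]


def multi_key_autostarts(entries):
    """Commands registered under more than one autostart key.  The summary says
    the server hooks Run, RunOnce, RunServices and RunServicesOnce all at once,
    which legitimate software rarely does, so this is a cheap first filter."""
    keys_by_cmd = defaultdict(set)
    for key, _name, cmd in entries:
        keys_by_cmd[cmd.lower()].add(key.rsplit("\\", 1)[-1])
    return {cmd: sorted(keys) for cmd, keys in keys_by_cmd.items() if len(keys) > 1}


def parse_netstat(text):
    """Parse `netstat -an` rows into dicts; UDP rows have no state column."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, remote, state = m.groups()
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "rhost": rhost, "rport": rport, "state": state or ""})
    return rows


def unexpected_listeners(rows, expected_ports):
    """TCP ports in LISTENING state that are not on the allow-list.  The server
    picks a random port at each start, so the signal is a listener you cannot
    account for, not any fixed port number."""
    return sorted(r["lport"] for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["lport"] not in expected_ports)


def smtp_callhome(rows):
    """(remote host, local port) for established sessions to remote port 25:
    the server probes SMTP servers to detect connectivity and then mails its
    port number and harvested data to the deployer."""
    return [(r["rhost"], r["lport"]) for r in rows
            if r["proto"] == "TCP" and r["rport"] == "25"
            and r["state"] == "ESTABLISHED"]
```

Typical use is `multi_key_autostarts(autostart_entries(parse_reg_export(text)))` on the registry export and `unexpected_listeners(parse_netstat(text), {139})` plus `smtp_callhome(...)` on the netstat capture; on the samples the first reports the Setup.exe command under RunServices and RunServicesOnce, the second reports port 1189, and the third the session to 10.0.0.3. None of these is proof on its own (a mail client also talks to port 25), but a high-port listener that no installed program explains, taken together with a command that hooks several Run* keys, is exactly the picture the summary describes.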
ScreenShot:

PestPatrol detects this.
PestPatrol removes this.