Win32.Turkojan.jv

Also known as (sample MD5): 7b5a07d18d2ae6641db64cec28607da7

AntiVir             TR/Spy.Agent.AHAB
AVG                 PSW.Delf
BitDefender         GenPack:Trojan.Agent.AHAB
DrWeb               BACKDOOR.Trojan
eSafe               suspicious Trojan/Worm
F-Prot              W32/Threat-Backdoor-Silly-based!Maximus
F-Secure            Turkojan.gen1
Ikarus              Generic.Agent.AHAB
Kaspersky           Backdoor.Win32.Turkojan.jv
Microsoft           VirTool:Win32/DelfInject.gen!L
NOD32v2             Win32/Cakl.NAF
Norman              Turkojan.gen1
Panda               Suspicious file
Prevx1              Heuristic:Suspicious File With Mass Email Capabilities
Rising              Trojan.Win32.Undef.dhp
Sophos              Troj/Agent-GMF
VBA32               Backdoor.Win32.Turkojan.a
Webwasher-Gateway   Trojan.Spy.Agent.AHAB

Packer              UPX_LZMA

Very interesting control channel: high port, Turkish ASCII commands, all in the clear. Here's a sample interaction; the connection is initiated by the client (the infected host, which identifies itself in the MINFO line):

ams
MINFOMINFO|AresCiler|192.168.1.30|HOME-LG9MLMX7MI|WinXP|ENU|
BAGLI
....BAGLI
BAGLANTI?
LOGS1
....LOGS1.[]
KEYL1
....KEYL1
UZMAS

(the following are all sent to the server; keepalive?)
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?


Drives 
...Drives   C: Fixed
   D: CD-ROM

BROWSD:\

....metin
:
BROWSC:\
9...metin

FOUND.000
FOUND.001
Documents and Settings
Program Files
System Volume Information
Recycled
WINDOWS
CONFIG.SYS?0.--a-
AUTOEXEC.BAT?0.--a-
IO.SYS?0.rhas
MSDOS.SYS?0.rhas
ntdtcstp.dll?7168.--a-
cmsetac.dll?33280.--a-
PAGEFILE.SYS?201326592.-has
ntldr?250032.rhas
NTDETECT.COM?47564.rhas
boot.ini?194.-h-s
hiberfil.sys?268029952.-has

BAGLANTI?
BROWSC:\Program Files\

....metin
.
..
Common Files
Windows NT
MSN Gaming Zone
MSN
Messenger
Online Services
WindowsUpdate
ComPlus Applications
Internet Explorer
Outlook Express
NetMeeting
Windows Media Player
Movie Maker
microsoft frontpage
xerox
Uninstall Information
Java

:BAGLANTI?
BAGLANTI?
DISCNSHELL|DESACTIVARBAGLI
....BAGLI
BAGLANTI?
IMPWD
....PLUGNc:\twmsico.dll
ULFC:\Program Files\Turkojan\twmsico.dll|c:\
HAYDI
BAGLANTI?
BAGLANTI?
WLIST
....WLIST|
BAGLANTI?
WLIST
....WLIST|
WLIST
....WLIST|
WLIST
....WLIST|
WLIST
....WLIST|
BAGLANTI?
BAGLANTI?
UZMAS
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
BAGLANTI?
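
To make the channel concrete, here is an added decoder and detector for it in Python. This is the editor's example, not code from the Emerging Threats page, from the ET signatures, or from Turkojan itself. It takes its message shapes straight from the capture above: the pipe-delimited MINFO beacon, the BAGLANTI? keepalive, and the BROWS directory entries of the form NAME?SIZE.ATTRS. The beacon field names (id, ip, hostname, os, lang), the reading of the leading dots as framing bytes, and SAMPLE_STREAM (constructed from the capture, not a real pcap) are assumptions.

```python
"""Decoder and detector for the cleartext Turkojan control channel captured above.

Editor's added example, not code from the Emerging Threats page, the ET
signatures, or Turkojan itself. Message shapes are taken from the capture: the
pipe-delimited MINFO beacon, the BAGLANTI? keepalive, and BROWS directory
entries of the form NAME?SIZE.ATTRS. Assumptions: the beacon field names
(id, ip, hostname, os, lang), the reading of the leading dots as framing bytes,
and SAMPLE_STREAM, which is constructed from the capture.
"""
import re
from typing import Dict, List, Optional, Tuple

# Command tokens seen in the capture, longest first so prefix matching is unambiguous.
TOKENS = sorted(
    ["BAGLANTI?", "DISCNSHELL", "MINFO", "BAGLI", "LOGS1", "KEYL1", "UZMAS",
     "Drives", "BROWS", "WLIST", "IMPWD", "PLUGN", "HAYDI", "ULF", "ams"],
    key=len, reverse=True,
)

# Directory entries: NAME?SIZE.ATTRS, e.g. "boot.ini?194.-h-s"; the four attribute
# positions are r, h, a, s with '-' for unset. Bare names are subdirectories.
ENTRY_RE = re.compile(r"^(?P<name>.+?)\?(?P<size>\d+)\.(?P<attrs>[-rhas]{4})$")


def strip_framing(payload: bytes) -> str:
    """Drop leading non-letter bytes (the '....', ':' and '9...' in the capture,
    assumed to be framing) and decode as Latin-1 so decoding can never fail."""
    return re.sub(r"^[^A-Za-z]+", "", payload.decode("latin-1"))


def classify(payload: bytes) -> Optional[str]:
    """Return the command token a message starts with, or None if unrecognised."""
    text = strip_framing(payload)
    return next((tok for tok in TOKENS if text.startswith(tok)), None)


def parse_minfo(payload: bytes) -> Optional[Dict[str, str]]:
    """Parse the MINFO beacon. The capture shows the token doubled
    ("MINFOMINFO|..."), so every leading repetition is stripped before splitting."""
    text = strip_framing(payload)
    if not text.startswith("MINFO"):
        return None
    while text.startswith("MINFO"):
        text = text[len("MINFO"):]
    fields = text.strip("|").split("|")
    if len(fields) != 5:
        return None
    return dict(zip(("id", "ip", "hostname", "os", "lang"), fields))


def parse_listing_entry(line: str) -> Tuple[str, Optional[int], Optional[str]]:
    """(name, size, attrs) for a file entry; (name, None, None) for a directory."""
    m = ENTRY_RE.match(line)
    if m:
        return m["name"], int(m["size"]), m["attrs"]
    return line, None, None


def parse_listing(payload: bytes) -> List[Tuple[str, Optional[int], Optional[str]]]:
    """Parse a BROWS response: a 'metin' header line, then one entry per line.
    Lines with no word character ('.', '..', a stray ':') are dropped."""
    lines = [l.strip() for l in strip_framing(payload).splitlines() if re.search(r"\w", l)]
    if not lines or not lines[0].startswith("metin"):
        return []
    return [parse_listing_entry(l) for l in lines[1:]]


def detect(stream: List[bytes], min_keepalives: int = 3) -> Dict[str, object]:
    """Score the payloads of one TCP connection. A MINFO beacon or a BROWS browse is
    decisive on its own; BAGLANTI? is an ordinary Turkish word, so keepalives only
    count once several of them are seen."""
    tokens = [classify(p) for p in stream]
    reasons: List[str] = []
    beacon = next((parse_minfo(p) for p in stream if classify(p) == "MINFO"), None)
    if beacon:
        reasons.append(f"MINFO beacon from {beacon['hostname']} ({beacon['ip']})")
    if "BROWS" in tokens:
        reasons.append("BROWS directory browse")
    keepalives = tokens.count("BAGLANTI?")
    if keepalives >= min_keepalives:
        reasons.append(f"{keepalives} BAGLANTI? keepalives")
    return {"turkojan": bool(reasons), "reasons": reasons, "tokens": tokens, "beacon": beacon}


# Constructed from the capture above (not a real pcap); '....' stands in for the
# unprintable leading bytes exactly as the page renders them.
SAMPLE_STREAM: List[bytes] = [
    b"ams",
    b"MINFOMINFO|AresCiler|192.168.1.30|HOME-LG9MLMX7MI|WinXP|ENU|",
    b"BAGLI", b"....BAGLI", b"BAGLANTI?",
    b"LOGS1", b"....LOGS1.[]", b"KEYL1", b"....KEYL1", b"UZMAS",
    b"BAGLANTI?", b"BAGLANTI?",
    b"Drives", b"...Drives   C: Fixed\n   D: CD-ROM\n",
    b"BROWSC:\\",
    b"9...metin\n\nFOUND.000\nProgram Files\nWINDOWS\nCONFIG.SYS?0.--a-\n"
    b"ntldr?250032.rhas\nPAGEFILE.SYS?201326592.-has\nboot.ini?194.-h-s\n",
    b":BAGLANTI?",
]

if __name__ == "__main__":
    for reason in detect(SAMPLE_STREAM)["reasons"]:
        print(reason)
    for name, size, attrs in parse_listing(SAMPLE_STREAM[15]):
        size_str = "<DIR>" if size is None else str(size)
        print(f"{name:<20} {size_str:>10} {attrs or ''}")
```

Because the channel is unencrypted, nothing here needs more than prefix matching on the first bytes of each TCP payload; the same logic ports directly to a content-match IDS rule, and the keepalive threshold is what keeps a lone BAGLANTI? in ordinary Turkish traffic from firing.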

Some translation help is here: http://www.seslisozluk.com/?word=baglanti&go_seslisozluk_search=Search (for the tokens above: BAGLANTI = connection, BAGLI = connected, METIN = text, HAYDI = go/come on; the rest are left untranslated).

Rather interesting one. First Turkish-language C&C I recall seeing.

Sigs 2008021, 2008022, 2008023, 2008024, 2008025, 2008026, 2008027, 2008028, 2008029 and 2008030 should cover this well.

-- MattJonkman - 19 Mar 2008

Topic revision: r2 - 2008-07-11 - MattJonkman
Copyright © Emerging Threats