Win32.Turkojan.jv
Also known as: 7b5a07d18d2ae6641db64cec28607da7AntiVir TR/Spy.Agent.AHAB AVG PSW.Delf BitDefender GenPack:Trojan.Agent.AHAB DrWeb BACKDOOR.Trojan eSafe suspiciousTrojan/Worm F-Prot W32/Threat-Backdoor-Silly-based!Maximus F-Secure Turkojan.gen1 Ikarus Generic.Agent.AHAB Kaspersky Backdoor.Win32.Turkojan.jv Microsoft VirTool:Win32/DelfInject.gen!L NOD32v2 Win32/Cakl.NAF Norman Turkojan.gen1 Panda Suspiciousfile Prevx1 Heuristic:Suspicious File With Mass Email Capabilities Rising Trojan.Win32.Undef.dhp Sophos Troj/Agent-GMF VBA32 Backdoor.Win32.Turkojan.a Webwasher-Gateway Trojan.Spy.Agent.AHAB Packer UPX_LZMAVery interesting control channel. High port, turkish ascii commands. All in the clear. Here's a sample interaction, connection initiated by the client:
ams MINFOMINFO|AresCiler|192.168.1.30|HOME-LG9MLMX7MI|WinXP|ENU| BAGLI ....BAGLI BAGLANTI? LOGS1 ....LOGS1.[] KEYL1 ....KEYL1 UZMAS (following all to server, keepalive?) BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? Drives ...Drives C: Fixed D: CD-ROM BROWSD:\ ....metin : BROWSC:\ 9...metin FOUND.000 FOUND.001 Documents and Settings Program Files System Volume Information Recycled WINDOWS CONFIG.SYS?0.--a- AUTOEXEC.BAT?0.--a- IO.SYS?0.rhas MSDOS.SYS?0.rhas ntdtcstp.dll?7168.--a- cmsetac.dll?33280.--a- PAGEFILE.SYS?201326592.-has ntldr?250032.rhas NTDETECT.COM?47564.rhas boot.ini?194.-h-s hiberfil.sys?268029952.-has BAGLANTI? BROWSC:\Program Files\ ....metin . .. Common Files Windows NT MSN Gaming Zone MSN Messenger Online Services WindowsUpdate ComPlus Applications Internet Explorer Outlook Express NetMeeting Windows Media Player Movie Maker microsoft frontpage xerox Uninstall Information Java :BAGLANTI? BAGLANTI? DISCNSHELL|DESACTIVARBAGLI ....BAGLI BAGLANTI? IMPWD ....PLUGNc:\twmsico.dll ULFC:\Program Files\Turkojan\twmsico.dll|c:\ HAYDI BAGLANTI? BAGLANTI? WLIST ....WLIST| BAGLANTI? WLIST ....WLIST| WLIST ....WLIST| WLIST ....WLIST| WLIST ....WLIST| BAGLANTI? BAGLANTI? UZMAS BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI? BAGLANTI?Some translation help is here: http://www.seslisozluk.com/?word=baglanti&go_seslisozluk_search=Search Rather interesting one. First Turkish language C&C I recall seeing. Sigs 2008021, 2008022, 2008023, 2008024, 2008025, 2008026, 2008027, 2008028. 2008029. and 2008030 should cover this well. -- MattJonkman - 19 Mar 2008
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actionsTopic revision: r2 - 2008-07-11 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats