Imagine, if you will, a new user who just heard about the DirectConnect network and downloaded a NMDC client (may that be DC++, StrongDC++, Greylink++ or other client). The client is started and the user clicks the "Public hublists" button. A new normal user, of course, would join the first few biggest hubs. A few file lists are downloaded and.. what's next? A search. A search for something Google can't find. What if there are no results from all hubs the new user is in ? Well.. there are! Search for any random string and you get at least one result from a bot that has a file named by your searched string which ends with ".exe"!
You can notice that there is no path for the shared executable file. An attempt to get a bot's file list will get your IP blocked and all further connection requests to it rejected. The bot can provide an .exe and that's it. Currently, its IP in all hubs is 220.127.116.11 , and it can be reported to firstname.lastname@example.org and to email@example.com .
But, the big question is, what does the trojan do?
The trojan is a WinRAR self extracting archive that executes the following install script:
Setup=ncmd.exe exec hide "dep.bat"
The archive contains the following files:
02/20/2014 10:46 PM 248,980 32.rar
02/20/2014 10:46 PM 239,972 64.rar
02/20/2014 10:47 PM 1,382,636 at.rar
02/17/2014 11:24 PM 969 dep.bat
01/23/2014 07:16 PM 77 ms.vbs
08/11/2013 03:41 PM 44,032 ncmd.exe
02/20/2014 10:48 PM 2,836,268 nv.rar
12/01/2013 02:08 PM 306,776 svchost.exe
8 File(s) 5,059,710 bytes
All the .rar archives are password protected. The password to extract files from them is 12345 . Each archive contains a coin mining tool (minerd 32/64, cgminer and CudaMiner). By default, they use the mining server from eu.wafflepool.com:3333 and they update the BitCoin wallet 1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 using the password x . Svchost.exe (306776 bytes) is the renamed command line RAR, ncmd.exe (44032 bytes) is the NirSoft command line utility that can hide the console, dep.bat (969 bytes) is the actual installer that extracts files from password protected archives to %APPDATA%\WinUpdate\, and ms.vbs (77 bytes) is a command line message box popup generator.
Set objArgs = WScript.Arguments
messageText = objArgs(0)
Ms.vbs is used by dep.bat, after installing all the svchost.exe's and winlogon.exe's from the password protected archives to show a message box with the following string: "Error loading dll.".
If you are infected with this trojan, your overall system performance is decreased because your system resources are used to generate money for the trojan spreader.
How much money did this trojan make for its owner? You can check its infection stats here: http://wafflepool.com/miner/1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 (in case you need a password, you can use "x").
Do not download anything from these bots and use the +report command to report them to the operators that are online in the hubs you found them!
Posted by Vektor on 28/02 -14 23:18 | 0 comments
Finally I had some time to re-add good old hub voting system to hublist engine. The voting is made two ways, good votes and bad votes, it's up to you which to choose. Remember, you can only vote for a hub once a day and voting for banned hubs is forbidden. You should also know that all votes are logged using your IP address, and if we find out that you're trying to cheat by using different IP addresses, your hub will get banned. Good luck.
Posted by RoLex on 28/01 -14 22:08 | 0 comments