Dark Shadow

Discussion in 'Windows Desktop Systems' started by Shamus MacNoob, Feb 24, 2003.

  1. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    Ok this is a real brain buster .. it's not on my puter, it's a friend's .. as soon as she logs on the internet (well we are still testing this) somewhere along the way boom it starts: her NIS 2002 starts flashing and is getting probed from all over, i.e. Vancouver BC Canada, New York, Taiwan, Virginia, and it's always Dark Shadow trojan (back door) .. ok so NIS blocks this of course and after a port scan NIS blocks all incoming for the next 30 minutes ... but of course I need to find out why? I have run a full system scan (anti virus NAV 2002) and I have run a full scan with The Cleaner 3 (trojan proggy) and have not found anything? This is very annoying to say the least ... trying to narrow it down as best I can by, let's say, connecting and not going anywhere ... then I will ask her to open ICQ ... wait a while, nothing ... next open MSN Messenger, wait a while ... you get the idea. Yes, I am thinking someone might have her as a target and when she logs onto a certain program maybe that's where it starts?

    Ok so for now any input on Dark Shadow will be of help to me

    I will keep this updated as I troubleshoot later today

    thanks in advance for any help
    ;)
     
  2. Nick M

    Nick M Moderator

    Messages:
    3,961
    -=-=-=-=-=-=-=-=-=-
    Name: Dark Shadow
    Aliases: N/A
    Ports: 911
    Files: Darkshadow.zip - 87,119 bytes; Darkshadow.trojan.exe - 180,321 bytes; Winfunctions.exe -
    Created: March 2000
    Requires: N/A
    Actions: Remote Access
    The trojan is encrypted.
    Versions: N/A
    Registers: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    Notes: Works on Windows. Password = UHA. Compatible with the Back Orifice server.
    Country: written in the USA (??)
    Program: Written in Turbo Pascal, encrypted.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    Removal

    First click Start, and go to Run. In the box, type regedit and click OK.

    When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

    Click on 'RunServices' and the right-hand panel will change.

    Look for an item titled:

    winfunctions="winfunctions.exe" and delete it (right click and choose Delete)

    Close regedit and reboot your computer to remove the trojan from memory.

    Now you can use Explorer to go to C:\windows\system\ and delete the file 'winfunctions.exe'

    You're now disinfected!

    -=-=-=-=-=-=-=-=-=-=-=-


    Enjoy :) Hope it helps.

    - Nick
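    The removal steps above are manual. As an added example (not part of Nick's post or of any product mentioned in the thread), the PowerShell script below audits the same autostart keys for the winfunctions value, checks the file locations named in the steps, and reports whether anything is listening on TCP 911, the port listed for the trojan. It assumes a Windows host with PowerShell 3 or later; the RunServices key only exists on Windows 9x/Me, so on newer systems it is reported as absent, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later. The Run keys and the system32 path are additions for newer Windows versions, not locations the thread names.

    ```powershell
    # Added example: audit the autostart locations from the removal steps and report
    # Dark Shadow indicators. Report-only; nothing is deleted.
    $indicatorValue = 'winfunctions'       # value name from the removal steps
    $indicatorFile  = 'winfunctions.exe'   # file name from the removal steps

    # RunServices is the key named in the thread (Windows 9x/Me only);
    # the Run keys are assumed modern equivalents worth checking as well.
    $autostartKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = @()

    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) {
            Write-Host "[absent] $key"
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...)
            if ($p.Name -like 'PS*') { continue }
            $line = '{0} -> {1} = {2}' -f $key, $p.Name, $p.Value
            $valueText = [string]$p.Value
            if ($p.Name -ieq $indicatorValue -or $valueText -imatch [regex]::Escape($indicatorFile)) {
                $findings += $line
                Write-Host "[MATCH]  $line"
            } else {
                Write-Host "[ok]     $line"
            }
        }
    }

    # File locations: C:\windows\system from the thread, plus system32 (assumed) for newer Windows.
    $candidatePaths = @(
        (Join-Path $env:windir 'system\winfunctions.exe'),
        (Join-Path $env:windir 'system32\winfunctions.exe')
    )
    foreach ($path in $candidatePaths) {
        if (Test-Path $path) {
            $findings += "file present: $path"
            Write-Host "[MATCH]  file present: $path"
        }
    }

    # Port 911 is the port listed for the trojan; report any process listening on it.
    $listeners = Get-NetTCPConnection -LocalPort 911 -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $findings += "TCP 911 listener: PID $($l.OwningProcess) ($name)"
        Write-Host "[MATCH]  TCP 911 listener: PID $($l.OwningProcess) ($name)"
    }

    if ($findings.Count -eq 0) {
        Write-Host "`nNo Dark Shadow indicators found."
    } else {
        Write-Host "`nIndicators found:"
        $findings | ForEach-Object { Write-Host "  $_" }
    }
    ```

    The script only reports, so it can be run first and the manual deletion done afterwards with the value and file names it prints; a matching value whose path points somewhere other than C:\windows\system is worth noting, since that would be the kind of variant Shamus asks about further down the thread.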
     
  3. Shamus MacNoob

    Thanks nick


    But strange as this sounds, I went through that last night and never found the so-called reg entries or .exe

    So I am wondering is it possible there is another variation of this?

    but thanks for taking the time to help.

    I don't see any strange reg entries under

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\


    which is what is bothering me because I can't see why her computer is getting probed and I even think I saw (need to read the logs later again) her computer sending out or attempting to send out to an unknown IP... ok so again thanks and I am still looking .....
     
  4. Nick M

    All right, now that's strange. I know it's a bad suggestion, but I could just clean install Windows. Then again, it's no big deal for me, I just did it yesterday, but for others it may be a pain.

    I looked for variations of dark shadow, couldn't find a thing.

    However, "Dark Avenger" comes in about 50 different flavors, sure this isn't the name? I know it's a stupid question.
     
  5. Shamus MacNoob

    No such thing as a stupid question!

    And of course if needed I will do the full format / clean install

    but I like a challenge LOL and yes I saw lots of info about the Dark Avengers ... ok so for now I am going to keep troubleshooting to see if I can narrow it down to an application, i.e. IRC, ICQ, MSN Messenger... if not I don't see how I will find something that NAV 2002 fully updated and The Cleaner 3 do not find ... so again thanks for the help and I will get back with info if I do find something .......:eek:
     
  6. Nick M

    Sure, glad to provide useless known information :p

    Really though, I'm curious, once you get to the bottom of it, post and say what it was :)
     
  7. Shamus MacNoob

    You bet I will, and I won't rest till I find it lol I am obsessed .. no seriously it really bothers her and it happens so often it is bogging down her PC :(

    So yes I will post whatever I find



    thanks again Nick ;)
     
  8. Shamus MacNoob

    Well, did a little more troubleshooting last night and still no real news ... but I do find this as one of the main sources for the probes



    NeoTrace Version 3.2 Trace Results
    Target: 63.237.147.10
    Date: Tue Feb 25 14:27:45 2003
    Nodes: 14


    Node Data
    Node Net Reg IP Address Location Node Name
    14 1 1 63.237.147.10 Unknown net.bluemoon.net


    Packet Data
    Node High Low Avg Tot Lost
    14 258 258 258 1 0


    Network Data
    Network id#: 1
    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    BLUE MOON ONLINE SYSTEMS QWST-63-237-147-0 (NET-63-237-147-0-1)
    63.237.147.0 - 63.237.147.255

    ARIN WHOIS database, last updated 2003-02-23 20:00


    Registrant:
    Blue Moon Online System (BLUEMOON2-DOM)
    P.O. Box 651
    Buffalo
    NY,14207-0651
    US

    Domain Name: BLUEMOON.NET

    Administrative Contact, Technical Contact:
    Priebe, J Henry (HP102) sysop@NET.BLUEMOON.NET
    Blue Moon Internet Corp
    P.O. Box 651
    Buffalo, NY 14207-0651
    US
    716-517-6666 (MOON)

    Record expires on 18-Aug-2003.
    Record created on 17-Aug-1995.
    Database last updated on 24-Feb-2003 14:40:12 EST.

    Domain servers in listed order:

    NS1.BLUEMOON.NET 63.237.147.10
    _____
    NeoTrace Copyright ©1997-2000 NeoWorx Inc


    And when I open in browser I end up here

    http://www.bluemoon.net/ ....

    Don't know what to make of this. I ran a Spybot Search & Destroy scan and removed everything it listed ...

    still working on this will be back with more info later
     
  9. Shamus MacNoob

    After a lot of looking around and nothing found I decided to format that machine and give it a fresh start .... less trouble really, but I would have liked to find what was causing the trouble. After format of C (not D and E) it seems everything is fine now ...

    Thanks for the help just the same ;)