
Dark Shadow

Shamus MacNoob

Moderator
Political User
#1
Ok this is a real brain buster .. it's not on my puter, it's a friend's .. as soon as she logs on the internet ( well we are still testing this ) somewhere along the way boom, her NIS 2002 starts flashing and she is getting probed from all over . ie Vancouver BC Canada , New York , Taiwan , Virginia , and it's always Dark Shadow trojan ( back door ) .. ok so NIS blocks this of course and after a port scan NIS blocks all incoming for the next 30 minutes ... but of course I need to find out why? I have run a full system scan ( anti virus NAV 2002 ) I have run a full scan with The Cleaner 3 ( trojan proggy ) and have not found anything ? This is very annoying to say the least ... trying to narrow it down as best I can by, let's say, connecting and not going anywhere ... then I will ask her to open ICQ ... wait a while, nothing ...next open MSN Messenger, wait a while ... you get the idea. Yes I am thinking someone might have her as a target and when she logs onto a certain program maybe that's where it starts?

Ok so for now any input on Dark Shadow will be of help to me

I will keep this updated as I troubleshoot later today

thanks in advance for any help
;)
 
#2
-=-=-=-=-=-=-=-=-=-
Name: Dark Shadow
Aliases: N/A
Ports: 911
Files: Darkshadow.zip - 87,119 bytes
Darkshadow.trojan.exe - 180,321 bytes
Winfunctions.exe -
Created: March 2000
Requires: N/A
Actions: Remote Access
The trojan is encrypted.
Versions: N/A
Registers: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Notes: Works on Windows. Password = UHA. Compatible with the Back Orifice server.
Country: written in the USA (??)
Program: Written in Turbo Pascal Encrypted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Removal

First click Start, and go to Run. In the box, type regedit and click OK.

When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Click on 'RunServices' and the righthand panel will change.

Look for an item titled:

winfunctions="winfunctions.exe" and delete it (Right click and choose delete)

Close regedit and reboot your computer to remove the trojan from memory.

Now you can use explorer to go to C:\windows\system\ and delete the file 'winfunctions.exe'

You're now disinfected!

-=-=-=-=-=-=-=-=-=-=-=-


Enjoy :) Hope it helps.

- Nick
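As an added example (not from Nick's post or from any of the tools named in the thread), the checks in the removal steps above can be run from an elevated PowerShell prompt so that you find out whether the machine actually carries the trojan rather than merely being probed for it. It assumes the indicators quoted above: the `winfunctions` value under `RunServices`, the file `winfunctions.exe` in the Windows system directory, and a listener on TCP port 911. `RunServices` is not present by default on NT-based Windows, so a missing key is a clean result, not an error.

```powershell
# Added example: audit a Windows host for the Dark Shadow indicators quoted above.
# Run from an elevated prompt. Assumed indicators: RunServices value 'winfunctions',
# file winfunctions.exe / Darkshadow.trojan.exe under the Windows directory, TCP 911 listener.

$runServices = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$fileNames   = @('winfunctions.exe', 'Darkshadow.trojan.exe')
$searchDirs  = @("$env:SystemRoot\system", "$env:SystemRoot\system32", $env:SystemRoot)
$port        = 911

$findings = @()

# 1. Autostart value: winfunctions="winfunctions.exe" under RunServices.
#    The key only exists on Win9x/ME or when something created it, so its absence is fine.
if (Test-Path $runServices) {
    $props = Get-ItemProperty -Path $runServices
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Name -ieq 'winfunctions' -or "$($p.Value)" -imatch 'winfunctions\.exe') {
            $findings += "RunServices value '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 2. Dropped file in the Windows directory tree (the post names C:\windows\system\).
foreach ($dir in $searchDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            $f = Get-Item $path
            $findings += "File present: $path ($($f.Length) bytes)"
        }
    }
}

# 3. Something listening on the trojan's port. Inbound probes that NIS blocks do not
#    create a listener; only a running server does, so this separates the two cases.
$listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $port listening, owned by PID $($listener.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output "No Dark Shadow indicators found."
} else {
    Write-Output "Indicators found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

If the script reports nothing but the firewall keeps logging port 911 probes, the probes are coming from outside scanners looking for infected hosts and the machine itself is not the source; the registry and file checks then match what the thread's later posts found.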
 

Shamus MacNoob

Moderator
Political User
#3
Thanks nick


But strange as this sounds, I went through that last night and never found the so-called reg entries or .exe

So I am wondering is it possible there is another variation of this?

but thanks for taking the time to help.

I don't see any strange reg entries under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\


which is what is bothering me because I can't see why her computer is getting probed and I even think I saw ( need to read the logs later again ) her computer sending out or attempting to send out to an unknown IP... ok so again thanks and I am still looking .....
 
#4
Alright, now that's strange. I know it's a bad suggestion, but I could just clean install Windows. Then again, it's no big deal for me, I just did it yesterday, but for others it may be a pain.

I looked for variations of dark shadow, couldn't find a thing.

However " dark avenger " comes in about 50 different flavors, sure this isn't the name? I know it's a stupid question.
 

Shamus MacNoob

Moderator
Political User
#5
No such thing as a stupid question !

And of course if needed I will do the full format / clean install

but I like a challenge LOL and yes I saw lots of info about the Dark Avengers ...ok so for now I am going to keep troubleshooting to see if I can narrow it down to an application ie IRC , ICQ, MSN Messenger... if not I don't see how I will find something that NAV2002 fully updated and The Cleaner 3 does not find ... so again thanks for the help and I will get back with info if I do find something .......:eek:
 
#6
Sure, glad to provide useless known information :p

Really though, I'm curious, once you get to the bottom of it, post and say what it was :)
 

Shamus MacNoob

Moderator
Political User
#7
You bet I will , and I won't rest till I find it lol I am obsessed .. no seriously it really bothers her and it happens so often it is bogging down her PC :(

So yes I will post what ever I find



thanks again Nick ;)
 

Shamus MacNoob

Moderator
Political User
#8
Well, did a little more troubleshooting last night and still no real news ...but I do find this as one of the main sources for the probes



NeoTrace Version 3.2 Trace Results
Target: 63.237.147.10
Date: Tue Feb 25 14:27:45 2003
Nodes: 14


Node Data
Node Net Reg IP Address Location Node Name
14 1 1 63.237.147.10 Unknown net.bluemoon.net


Packet Data
Node High Low Avg Tot Lost
14 258 258 258 1 0


Network Data
Network id#: 1
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
BLUE MOON ONLINE SYSTEMS QWST-63-237-147-0 (NET-63-237-147-0-1)
63.237.147.0 - 63.237.147.255

ARIN WHOIS database, last updated 2003-02-23 20:00


Registrant:
Blue Moon Online System (BLUEMOON2-DOM)
P.O. Box 651
Buffalo
NY,14207-0651
US

Domain Name: BLUEMOON.NET

Administrative Contact, Technical Contact:
Priebe, J Henry (HP102) sysop@NET.BLUEMOON.NET
Blue Moon Internet Corp
P.O. Box 651
Buffalo, NY 14207-0651
US
716-517-6666 (MOON)

Record expires on 18-Aug-2003.
Record created on 17-Aug-1995.
Database last updated on 24-Feb-2003 14:40:12 EST.

Domain servers in listed order:

NS1.BLUEMOON.NET 63.237.147.10
_____
NeoTrace Copyright ©1997-2000 NeoWorx Inc


And when I open in browser I end up here

http://www.bluemoon.net/ ....

Don't know what to make of this. I ran a Spybot Search & Destroy and removed everything it listed ...

still working on this will be back with more info later
 

Shamus MacNoob

Moderator
Political User
#9
After a lot of looking around and nothing found I decided to format that machine and give it a fresh start .... less trouble really but would have liked to find what was causing the trouble , after format of C ( not D and E ) seems everything is fine now ...

Thanks for the help just the same ;)
 
