Dark Shadow

Shamus MacNoob

OSNN Veteran Addict
Political Access
Joined
8 Jan 2002
Messages
4,199
Ok, this is a real brain buster... it's not on my puter, it's a friend's. As soon as she logs on to the internet (well, we are still testing this), somewhere along the way, boom, her NIS 2002 starts flashing and she is getting probed from all over, i.e. Vancouver BC Canada, New York, Taiwan, Virginia, and it's always the Dark Shadow trojan (back door). Ok, so NIS blocks this of course, and after a port scan NIS blocks all incoming for the next 30 minutes... but of course I need to find out why? I have run a full system scan (anti virus NAV 2002), I have run a full scan with The Cleaner 3 (trojan proggy), and have not found anything? This is very annoying to say the least... trying to narrow it down as best I can by, let's say, connecting and not going anywhere... then I will ask her to open ICQ... wait a while, nothing... next open MSN Messenger, wait a while... you get the idea. Yes, I am thinking someone might have her as a target, and when she logs onto a certain program maybe that's where it starts?

Ok so for now any input on Dark Shadow will be of help to me

I will keep this updated as I troubleshoot later today

thanks in advance for any help
;)
 
-=-=-=-=-=-=-=-=-=-
Name: Dark Shadow
Aliases: N/A
Ports: 911
Files: Darkshadow.zip - 87,119 bytes; Darkshadow.trojan.exe - 180,321 bytes; Winfunctions.exe -
Created: March 2000
Requires: N/A
Actions: Remote Access
The trojan is encrypted.
Versions: N/A
Registers: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Notes: Works on Windows. Password = UHA. Compatible with the Back Orifice server.
Country: written in the USA (??)
Program: Written in Turbo Pascal, encrypted.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Removal

First click Start, and go to Run. In the box, type regedit and click OK.

When regedit starts, you will see a file-like tree on the left hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

Click on 'RunServices' and the righthand panel will change.

Look for an item titled:

winfunctions="winfunctions.exe" and delete it (Right click and choose delete)

Close regedit and reboot your computer to remove the trojan from memory.

Now you can use explorer to go to C:\windows\system\ and delete the file 'winfunctions.exe'

You're now disinfected!

-=-=-=-=-=-=-=-=-=-=-=-


Enjoy :) Hope it helps.

- Nick
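A read-only check for the three indicators the removal steps above rely on (the RunServices autostart value, the dropped winfunctions.exe, and a listener on TCP 911), written as an added example here rather than taken from Nick's post. It assumes the key, value name, file name and port quoted above; on newer Windows the RunServices key may simply not exist, and the system directory is taken from SystemRoot rather than hard-coded as C:\windows\system. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report (do not delete) Dark Shadow indicators described in the thread.
# Assumed indicators: RunServices value "winfunctions", file winfunctions.exe, TCP port 911.
function Test-DarkShadowIndicators {
    [CmdletBinding()]
    param(
        [string]$RunServicesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        [string]$ValueName      = 'winfunctions',
        [string]$FileName       = 'winfunctions.exe',
        [int]$Port              = 911
    )

    $findings = @()

    # 1. Autostart value under RunServices (the key the removal steps point at).
    if (Test-Path $RunServicesKey) {
        $props = Get-ItemProperty -Path $RunServicesKey
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* provider metadata properties, match by value name or by file name.
            if ($p.Name -notlike 'PS*' -and
                ($p.Name -ieq $ValueName -or "$($p.Value)" -ilike "*$FileName*")) {
                $findings += "Registry: $RunServicesKey\$($p.Name) = $($p.Value)"
            }
        }
    }

    # 2. The dropped executable; the post names C:\windows\system, System32 covers NT-based installs.
    foreach ($dir in @("$env:SystemRoot\system", "$env:SystemRoot\System32")) {
        $candidate = Join-Path $dir $FileName
        if (Test-Path $candidate) {
            $findings += "File: $candidate ($((Get-Item $candidate).Length) bytes)"
        }
    }

    # 3. Anything listening on the trojan's documented port, with the owning process.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Listener: TCP $Port owned by PID $($l.OwningProcess) ($($proc.ProcessName))"
    }

    return $findings
}

$result = Test-DarkShadowIndicators
if ($result) { $result } else { 'No Dark Shadow indicators found.' }
```

A clean result from this check does not rule out a different variant (the thread's own question); it only confirms the specific artifacts Nick listed are absent.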
 
Thanks nick


But strange as this sounds, I went through that last night and never found the so-called reg entries or .exe

So I am wondering is it possible there is another variation of this?

but thanks for taking the time to help.

I don't see any strange reg entries under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\


which is what is bothering me, because I can't see why her computer is getting probed, and I even think I saw (need to read the logs later again) her computer sending out or attempting to send out to an unknown IP... ok, so again thanks and I am still looking.....
 
Alright, now that's strange. I know it's a bad suggestion, but I could just clean install Windows. Then again, it's no big deal for me, I just did it yesterday, but for others it may be a pain.

I looked for variations of dark shadow, couldn't find a thing.

However, "dark avenger" comes in about 50 different flavors; sure this isn't the name? I know it's a stupid question.
 
No such thing as a stupid question !

And of course if needed I will do the full format / clean install

but I like a challenge LOL, and yes I saw lots of info about the dark avengers... ok, so for now I am going to keep troubleshooting to see if I can narrow it down to an application, i.e. IRC, ICQ, MSN Messenger... if not I don't see how I will find something that NAV 2002 fully updated and The Cleaner 3 does not find... so again thanks for the help and I will get back with info if I do find something.......:eek:
 
Sure, glad to provide useless known information :p

Really though, I'm curious, once you get to the bottom of it, post and say what it was :)
 
you bet I will, and I won't rest till I find it lol, I am obsessed... no seriously, it really bothers her, and it happens so often it is bogging down her PC :(

So yes I will post what ever I find



thanks again Nick ;)
 
Well, did a little more troubleshooting last night and still no real news... but I do find this as one of the main sources for the probes



NeoTrace Version 3.2 Trace Results
Target: 63.237.147.10
Date: Tue Feb 25 14:27:45 2003
Nodes: 14


Node Data
Node Net Reg IP Address Location Node Name
14 1 1 63.237.147.10 Unknown net.bluemoon.net


Packet Data
Node High Low Avg Tot Lost
14 258 258 258 1 0


Network Data
Network id#: 1
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
BLUE MOON ONLINE SYSTEMS QWST-63-237-147-0 (NET-63-237-147-0-1)
63.237.147.0 - 63.237.147.255

ARIN WHOIS database, last updated 2003-02-23 20:00


Registrant:
Blue Moon Online System (BLUEMOON2-DOM)
P.O. Box 651
Buffalo
NY,14207-0651
US

Domain Name: BLUEMOON.NET

Administrative Contact, Technical Contact:
Priebe, J Henry (HP102) sysop@NET.BLUEMOON.NET
Blue Moon Internet Corp
P.O. Box 651
Buffalo, NY 14207-0651
US
716-517-6666 (MOON)

Record expires on 18-Aug-2003.
Record created on 17-Aug-1995.
Database last updated on 24-Feb-2003 14:40:12 EST.

Domain servers in listed order:

NS1.BLUEMOON.NET 63.237.147.10
_____
NeoTrace Copyright ©1997-2000 NeoWorx Inc


And when I open it in a browser I end up here

http://www.bluemoon.net/ ....

Don't know what to make of this. I ran a Spybot Search & Destroy and removed everything it listed...

still working on this will be back with more info later
 
After a lot of looking around and nothing found, I decided to format that machine and give it a fresh start.... less trouble really, but would have liked to find what was causing the trouble. After a format of C (not D and E) everything seems fine now...

Thanks for the help just the same ;)
 