Using Argus or tcpdump to detect Pretty Park trojan

Bugs Brouillard bb1 at humboldt.edu
Wed Mar 1 12:40:36 EST 2000 

On Wed, 1 Mar 2000, Russell Fulton wrote:

->HI All,
->	I am posting this to both unisog and argus lists, apologies to 
->those of you who get two copies.
->
->There has recently been some discussion on the Security Focus Incidents 
->list about perceived recent increase in Pretty Park (PP) infections.  
->PP is a trojan and a good description can be found at:
->
->http://europe.datafellows.com/v-descs/prettyp.htm
->
->One characteristic of PP is that infected machines try an contact 
->various IRC servers so I ran an filter over our Argus logs for February 
->dumping all traffic to these servers (see web page for full list of 
->servers).  I found several machines regularly trying these servers and 
->also that some of these server are no longer active.  I have since 
->confirmed that these machine are infected with PP.
->
->So I have constructed a filter that will work with argus or tcpdump to 
->look for connection attempts to these non active servers.  Any machines 
->triggering these filters have a high chance of being infected by PP.  
->If they keep on triggering it then they are almost certainly infected.
->
->tcp and dst port ircd and (
->   host         irc.twiny.net
->or host         irc.grolier.net
->or host         irc.club-internet.fr
->or host         irc.emn.fr
->or host         irc.insat.com
->or host         irc.ncal.verio.net
->or host         irc.skybel.net
->or host         irc.easynet.co.uk
->)
->
->There is also some evidence that what we are seeing is a new strain of 
->PP which is not detected by current AV packages.  Several of the 
->machines infected here were running NAV with recent definitions.
->
->Cheers, Russell
->
->
->


Here is how i filter virii in using my sendmail.cf file with sendmail 8.9.3
  
#check for possible Happy99.exe message
HX-Spanska: $>CheckHappy99
SCheckHappy99
R$*     $: $#error $: "554 Access Denied, mail item possibly Happy99.exe virus
infected."


#check for virus
HSubject:                       $>local_check_virus_spam
D{virus_mesg_park}"553 Access Denied, mail item possibly Prettypark virus
infected."
D{virus_mesg_melissa}"553 Access Denied, mail item possibly Melissa virus
infected."
D{virus_mesg_fix2000}"553 Access Denied, mail item possibly Fix2000 virus
infected."
D{virus_mesg_bubble}"553 Access Denied, mail item possibly Bubbleboy virus
infected."
D{spam_mesg_laser}"553 Access Denied, mail contains unwanted laser spam."  

Slocal_check_virus_spam
RC:\CoolProgs\Pretty Park.exe $*        $#error $: ${virus_mesg_park}
RRe: C:\CoolProgs\Pretty Park.exe $*    $#error $: ${virus_mesg_park}
RImportant Message From $*      $#error $: ${virus_mesg_melissa}
RRe: Important Message From $*  $#error $: ${virus_mesg_melissa}
RInternet problem year 2000 $*  $#error $: ${virus_mesg_fix2000}
RBubbleBoy is back $*   $#error $: ${virus_mesg_bubble}
Rlaser printer toner $* $#error $: ${spam_mesg_laser}

NOTE: The whitespace after the $* must be a tab, not a space



Here is what the syslog entries look like:

Feb 29 10:50:59 axe sendmail[19760]: KAA19760: ruleset=CheckHappy99, arg1=Yes,
relay=lime.ease.lsoft.com [209.119.1.41], reject=554 Access Denied, mail item
possibly Happy99.exe virus infected.
Feb 29 10:51:00 axe sendmail[19760]: KAA19760:
from=<owner-comxv-l at UMDD.UMD.EDU>, size=15061, class=0, pri=45061, nrcpts=1,
msgid=<200002291824.NAA19335 at mail1.uts.ohio-state.edu>, bodytype=8BITMIME,
proto=ESMTP, relay=lime.ease.lsoft.com [209.119.1.41]
Feb 29 10:51:00 axe sendmail[19760]: KAA19760: done

Feb 29 12:43:27 axe sendmail[19656]: MAA19656: ruleset=local_check_virus_spam,
arg1=C:\CoolProgs\Pretty Park.exe, relay=smtp6.mindspring.com [207.69.200.110],
reject=553 Access Denied,mail item possibly Prettypark virus infected.
Feb 29 12:43:35 axe sendmail[19656]: MAA19656: from=<alzimmer at ix.netcom.com>,
size=83448, class=0, pri=113448, nrcpts=1,
msgid=<200002292002.PAA21603 at smtp6.mindspring.com>, proto=ESMTP,
relay=smtp6.mindspring.com [207.69.200.110]
Feb 29 12:43:35 axe sendmail[19656]: MAA19656: done


I hope someone can benefit from this code.

Bugs Brouillard		Unix system administrator
Humboldt State Univ.	707-826-6123
Arcata, Calif.

email bb1 at humboldt.edu

More information about the argus mailing list