RAZOR has acquired a copy of the Trojan Trinoo. Here is a bit of
information about it. Sorry this isn't in official "advisory" style of
writing, but I really wanted to get this info out quickly.

The trojan is called service.exe, but could be renamed. It is 23145 bytes
in length. To remove it you must kill in in memory, remove its entry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and
delete the file from the hard drive. Make sure you delete the correct
file, and not services.exe.

It listens on udp port 34555, and will respond to pings on udp port 35555.
The password is "[]..Ks" (without the quotes). Therefore the following
will detect it:

Set up a netcat listener:
     nc -u -n -l -p 35555 -v -w 100

Send a trinoo ping:
     echo 'png []..Ks l44' | nc -u -n -v -w 3 192.168.1.5 34555

The listener will display PONG if a trinoo daemon is listening.

This will kill it:
     echo 'd1e []..Ks l44' | nc -u -n -v -w 3 192.168.1.5 34555

After it is killed, the udp port may still be bound until a reboot, at
least on Windows 95/98. Subsequent trinoo pings will return an ICMP
destination unreachable/port unreachable if it is down.

I've updated the unix version of Zombie Zapper to reflect this. You can
download it from http://razor.bindview.com/tools/ZombieZapper_form.shtml,
look for the Unix version 1.1 with Trinoo Trojan support near the bottom
of the page. Hopefully we'll have a Unix version available sometime
Monday.

Both Seth McGann and Todd Sabin of RAZOR contributed heavily to the info
above after disassembling the trojan. And special thanks to Gary Flynn at
James Madison University for supplying RAZOR with a sample for testing.


-         Simple Nomad          -  No rest for the Wicca'd  -
-      thegnome@nmrc.org        -        www.nmrc.org       -
-  thegnome@razor.bindview.com  -     razor.bindview.com    -