Name: Bionet 2.8.1a

 

Main: "anything".exe    size 279 KB (285,926 bytes)

 

Keys added:

HKEY_LOCAL_MACHINE\SOFTWARE\GCI

HKEY_LOCAL_MACHINE\SOFTWARE\GCI\BioNet

HKEY_LOCAL_MACHINE\SOFTWARE\GCI\BioNet\ICQ

 

Values Added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\Ovbarg2.8.1n\freire.rkr"

                        Type: REG_BINARY

                        Data: 7C, 00, 00, 00, 06, 00, 00, 00, E0, 79, EC, F8,

HKEY_LOCAL_MACHINE\SOFTWARE\GCI\BioNet\ICQ "Count"

                        Type: REG_SZ

                        Data: 0

HKEY_LOCAL_MACHINE\SOFTWARE\GCI\BioNet\ICQ "NotifyUN0"

                        Type: REG_SZ

                        Data: 0
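The UserAssist value listed above is the forensic trace of the server having been launched: Explorer stores UserAssist value names ROT13-encoded, and the REG_BINARY data holds a session id, a run counter and a last-run FILETIME. The following decoder is an added example (not code from the page or from the trojan), using the value name and the twelve data bytes exactly as the page lists them; the names decode_userassist_name, parse_userassist_data and is_bionet_run_entry are this example's own, and the counter-starts-at-5 rule it applies is the documented Windows 2000/XP UserAssist layout.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Taken from the page's listing: the ROT13-obfuscated UserAssist value name and
# the first 12 bytes of its REG_BINARY data (the listing is truncated there).
USERASSIST_NAME = r"HRZR_EHACNGU:P:\hamvccrq\Ovbarg2.8.1n\freire.rkr"
USERASSIST_DATA = bytes.fromhex("7C000000" "06000000" "E079ECF8")


def decode_userassist_name(name: str) -> str:
    """Explorer ROT13-encodes UserAssist value names; undo that to get the path."""
    return codecs.decode(name, "rot_13")


def parse_userassist_data(data: bytes) -> dict:
    """Parse the Windows 2000/XP UserAssist record:
       uint32 session id | uint32 run counter | uint64 last-run FILETIME.
    The counter in this layout starts at 5, so runs = counter - 5.
    A record truncated before the FILETIME (as on this page) yields last_run=None."""
    if len(data) < 8:
        raise ValueError("need at least 8 bytes for session id and counter")
    session, raw_count = struct.unpack_from("<II", data, 0)
    record = {
        "session": session,
        "raw_count": raw_count,
        "runs": max(raw_count - 5, 0),
        "last_run": None,
    }
    if len(data) >= 16:
        (filetime,) = struct.unpack_from("<Q", data, 8)
        epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
        record["last_run"] = epoch + timedelta(microseconds=filetime // 10)
    return record


def is_bionet_run_entry(decoded_name: str) -> bool:
    """True for a UEME_RUNPATH entry whose executable path mentions BioNet."""
    return decoded_name.startswith("UEME_RUNPATH:") and "bionet" in decoded_name.lower()


if __name__ == "__main__":
    name = decode_userassist_name(USERASSIST_NAME)
    print(name, is_bionet_run_entry(name))
    print(parse_userassist_data(USERASSIST_DATA))
```

On the page's data the decoded name is UEME_RUNPATH:C:\unzipped\Bionet2.8.1a\server.exe and the raw counter is 6, i.e. the server was run once from that path; the last-run timestamp cannot be recovered because only four of the eight FILETIME bytes survive in the listing.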

 

Version:  2.8.1a

 

Type: Remote access trojan

 

Port/s used: 12349 tcp
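Because the server listens on a fixed TCP port, the quickest host-side check is to look for that port in netstat output. The parser below is an added example (not code from the page); the netstat text it parses is constructed for illustration, and the names parse_netstat and find_bionet_sockets are this example's own.

```python
import re

# Default server port recorded on this page.
BIONET_PORT = 12349

# Constructed "netstat -an" output (not from the page); the two 12349 rows stand
# in for a BioNet listener and one remote session attached to it.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12349          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:12349      203.0.113.7:4071       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: proto, local addr:port, foreign addr[:port], optional state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list:
    """Turn netstat -an text into a list of socket dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # blank lines, "Active Connections", column header
        proto, laddr, lport, faddr, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "foreign": faddr, "state": state or ""})
    return rows


def find_bionet_sockets(text: str, port: int = BIONET_PORT) -> list:
    """TCP rows bound to the BioNet port: a LISTENING row means the server is up;
    an ESTABLISHED row also records the remote address currently connected."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["lport"] == port]


if __name__ == "__main__":
    for row in find_bionet_sockets(SAMPLE_NETSTAT):
        print(row)
```

A listener on 12349 alone is only a hint (the port is configurable and other software may use it); combine it with the GCI registry keys listed above before acting on it.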

 

Files: none added

 

Modifies: none

 

Aliases:  none

 

Behaviour: The server is highly configurable and, once executed, may or may not run in stealth; if it does not, it is clearly visible and can be shut down simply by closing its window. Once executed, the server makes it difficult for the victim to shut Windows down.

 

Removal: Open regedit (go to Run, type regedit and hit OK) and follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\GCI

Right-click on the GCI key and choose Delete.

 

It may be hard to reboot, so hit Ctrl+Alt+Del twice and the machine should restart (make sure everything is shut down before you press Ctrl+Alt+Del).

This trojan does not auto-load, so after that you should be clean.

 

Special: The server has a built-in denial-of-service attack, so a hacker can connect to his/her victim and then make the victim attack a third party with fragmented IGMP packets (this causes Windows 95/98 boxes to freeze up and crash).

 

The second interesting feature is the CGI notify option; here is an excerpt from the trojan's readme file:

"When the server is online it may send data to execute a remote perl script file.

The format box will define what is posted to the CGI script.

if you use %i in the format box it will be replaced with the server ip.

e.g.

  take the ip of the server as 127.0.0.1

  enter in the format box "TheIP=%i" (without quotes)

  the result posted to the script would then be "TheIP=127.0.0.1"

Lists of key variables currently available are as follows

 

%i = server ip address

%p = remote port

%m = mode  "Stealth" or "Visible"

%u = user name     (windows info)

%c = computer name (windows info)"
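The readme describes a simple template: each %-variable is replaced by a value from the infected host before the result is sent to the attacker's CGI script. The code below is an added example (not from the page or from the trojan) that implements that substitution with the five variables the readme lists and, more usefully for a defender, turns the same template into a regular expression for hunting the resulting beacon in web server logs. The sample host values, the per-variable regex fragments, and the names expand_notify_format and beacon_pattern are this example's own assumptions.

```python
import re

# Key variables exactly as the readme excerpt lists them.
NOTIFY_VARS = {
    "i": "server ip address",
    "p": "remote port",
    "m": "mode, Stealth or Visible",
    "u": "user name (windows info)",
    "c": "computer name (windows info)",
}

# Constructed sample values (not from the page) standing in for one infected host;
# the IP repeats the readme's own 127.0.0.1 worked example.
SAMPLE_VALUES = {"i": "127.0.0.1", "p": "12349", "m": "Stealth", "u": "bob", "c": "HOMEPC"}

VAR_RE = re.compile(r"%([ipmuc])")


def expand_notify_format(fmt: str, values: dict) -> str:
    """Replace %i/%p/%m/%u/%c with host values, as the readme describes.
    Any other %x sequence is left untouched."""
    return VAR_RE.sub(lambda m: values[m.group(1)], fmt)


# What each variable is expected to look like once substituted (assumed shapes
# chosen for log hunting, not taken from the trojan).
VAR_PATTERNS = {
    "i": r"\d{1,3}(?:\.\d{1,3}){3}",
    "p": r"\d{1,5}",
    "m": r"(?:Stealth|Visible)",
    "u": r"[^&\s]+",
    "c": r"[^&\s]+",
}


def beacon_pattern(fmt: str) -> "re.Pattern":
    """Compile a notify format into a regex that matches the posted beacon, with
    one named group per variable, so a known template can be searched for in
    CGI or web server logs. Literal text in the template is escaped."""
    parts, pos = [], 0
    for m in VAR_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>{VAR_PATTERNS[m.group(1)]})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts))


if __name__ == "__main__":
    fmt = "TheIP=%i&port=%p&mode=%m"
    beacon = expand_notify_format(fmt, SAMPLE_VALUES)
    print(beacon)
    print(beacon_pattern(fmt).fullmatch(beacon).groupdict())
```

With the readme's own example, expand_notify_format("TheIP=%i", SAMPLE_VALUES) yields TheIP=127.0.0.1, and beacon_pattern("TheIP=%i") matches that string with the address captured in group i.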

 

Author: ®ëZmØnd

 

Notes: it may be possible to find the hacker's ICQ number by looking at the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\GCI\BioNet "NotifyUN"

The NotifyUN value should show you the hacker's UIN.

This trojan did not seem to add any registry entries that would allow it to auto-load on start-up, so after rebooting the infected machine the victim should be safe.