Symantec

Symantec Security Response
http://securityresponse.symantec.com

Troj.Polyglot

Category 1

Troj.Polyglot is a Trojan horse program that arrives as the email attachment Y2Kcount.exe. The email message is disguised as a message from Microsoft Support; it is not from Microsoft. The attached Y2Kcount.exe program is a self-extracting Trojan horse program.
The email contains the following text:


    To All Microsoft Users,

    We are excited to announce Microsoft Year 2000 counter.
    Start the countdown now.  Let us all get in the 21
    Century. Let us lead the way to the future and we
    will get you there FASTER and SAFER.

    Thank you,
    Microsoft Corporation

Symantec AntiVirus Research Center's Scan and Deliver received this Trojan horse for the first time on September 15, 1999.

Also Known As: Count2K, Y2KCOUNT, Troj_Polyglot
Type: Trojan Horse, Virus
Infection Length: 124,885 bytes

protection

Virus Definitions (Intelligent Updater): September 19, 1999

threat assessment

Threat Metrics

Wild: Low
Damage: Low
Distribution: Low

technical details

When Y2Kcount.exe is executed, it extracts the following files:

  • Project1.exe
  • File002.dat
  • File003.dat
  • File004.dat
  • File001.dat

Next, it runs Project1.exe to install itself. Once the installation finishes, it displays a fake error message: "Password protection error or invalid CRC32!"

This Trojan horse makes the following modifications to the computer:

  1. It drops several files into the \Windows\System folder:
    • Proclib.exe
    • Proclib.dll
    • Proclib16.dll
    • Ntsvsrv.dll
  2. It appends Ntsvsrv.dll to the drivers= line in the [boot] section of the System.ini file. This modification loads the Trojan every time the system restarts.
  3. It modifies the registry entry ...\Shell\OpenHomePage\Command to @="C:\WINDOWS\SYSTEM\PROCLIB.EXE". This modification loads Proclib.exe upon Web/Internet access.
  4. Upon the next system reboot, it also renames the Wsock32.dll file to Nlhvld.dll and replaces it with Proclib16.dll. This allows the Trojan to hook network (specifically Internet) connection activity.

This Trojan hooks four WSOCK32 API functions: connect, recv, send, and closesocket. It appears to search incoming and outgoing Internet data for user names, passwords, and login IDs. The Trojan stores what it collects in a temporary data file on the hard disk named MySharedFileNameForMyDLL. It also launches another process that reads this temporary data file. That process contains code to connect to mail.compuserve.com and send an email message to BTKBoss@usa.net. This process runs as a service, so it does not appear in the task list and keeps running if the user logs off the system and logs on again.

recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

removal instructions

To remove this Trojan horse from your computer:

  1. Click Start, and click Run.
  2. Type sysedit and click OK.
  3. Click the System.ini window.
  4. Click Search, and click Find.
  5. Type ntsvsrv.dll and then click Next. It should be at the end of the drivers= line.
  6. Remove the Ntsvsrv.dll entry.
  7. Restart Windows into MS-DOS mode. Restarting in MS-DOS mode ensures that Wsock32.dll is not loaded (Wsock32.dll is used for Internet connections).
  8. Type cd \windows\system to change to the \Windows\System folder.
  9. Type dir wsock32.dll to check the size of Wsock32.dll.
    • If the size is 14848 bytes, the Trojan horse program has replaced it with Proclib16.dll. To restore the original Wsock32.dll, type

      copy nlhvld.dll Wsock32.dll

      and then press Enter.
  10. Delete the following files from the \Windows\System folder:
    • Proclib.exe
    • Proclib.dll
    • Proclib16.dll
    • Ntsvsrv.dll
    • Nlhvld.dll
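As an added example that is not part of the Symantec writeup, the following Python checks for the indicators given in the technical details (the Ntsvsrv.dll entry on the [boot] drivers= line, the dropped files, and the 14848-byte Wsock32.dll replacement) and carries out the System.ini edit of removal step 6 and the file checks of steps 9 and 10 on a folder listing. The function names and the sample System.ini text are constructed; the file names, the drivers= line and the 14848-byte size come from the writeup.

```python
# Indicators taken from the writeup: the dropped files, the renamed copy of
# Wsock32.dll, the 14848-byte Proclib16.dll that replaces it, and the DLL
# appended to the [boot] drivers= line of System.ini.
DROPPED_FILES = ("proclib.exe", "proclib.dll", "proclib16.dll", "ntsvsrv.dll")
RENAMED_WSOCK32 = "nlhvld.dll"
TROJAN_WSOCK32_SIZE = 14848
STARTUP_DLL = "ntsvsrv.dll"

def _boot_drivers_lines(system_ini_text):
    """Yield (line index, raw line) for drivers= lines inside [boot] only."""
    section = None
    for i, raw in enumerate(system_ini_text.splitlines()):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("drivers="):
            yield i, raw

def drivers_entries(system_ini_text):
    """Space-separated DLL names on the [boot] drivers= line (empty if absent)."""
    for _, raw in _boot_drivers_lines(system_ini_text):
        return raw.split("=", 1)[1].split()
    return []

def startup_hook_present(system_ini_text):
    return any(e.lower() == STARTUP_DLL for e in drivers_entries(system_ini_text))

def clean_system_ini(system_ini_text):
    """Removal step 6: drop ntsvsrv.dll from drivers=, leave every other line intact."""
    lines = system_ini_text.splitlines()
    for i, raw in _boot_drivers_lines(system_ini_text):
        key, value = raw.split("=", 1)
        lines[i] = key + "=" + " ".join(e for e in value.split() if e.lower() != STARTUP_DLL)
    return "\n".join(lines) + "\n"

def assess_listing(entries):
    """Removal steps 9-10 on a {filename: size} listing of \\Windows\\System."""
    names = {n.lower(): size for n, size in entries.items()}  # Windows names are case-insensitive
    findings = [n for n in DROPPED_FILES + (RENAMED_WSOCK32,) if n in names]
    if names.get("wsock32.dll") == TROJAN_WSOCK32_SIZE:
        findings.append("wsock32.dll:size-matches-proclib16")
    return findings

# Constructed sample System.ini with the Trojan's [boot] modification.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\ndrivers=mmsystem.dll ntsvsrv.dll\n[386Enh]\ndevice=*vmd\n"
```

For a live \Windows\System folder, build the listing with os.listdir and os.path.getsize before calling assess_listing.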