Irc backdoor / botnet backdoor.litmus

This looks like some kind of IRC trojan. Some of it matches W32/Litmus or Backdoor.Litmus, but I'm not sure yet if it's just various tools rolled together or all one entity. More analysis needed. Some of the DLLs are not really DLLs but rather code / text files.

I just made one giant zip for everything. I was able to unpack two of the three files that were packed. I really need some generic unpacking tools because, while I have some stuff to unpack UPX, I keep finding modified UPXs. Or if someone wants to post a tutorial on dealing with this, that would be cool too.

V.

Threat: Backdoor.Litmus
File: C:\malware\ColdLife Bot Section\Gt-coldlife4\patch.exe
Date found: Sunday, December 11, 2005 12:48:39 AM
packing/encoding: patch.exe :: UPX-Scrambler RC1.x -> ©OnT®oL [Overlay]
sha1sum: ffb31fd2a85dd58463ce0fd7035c9ca1cc99f023 patch.exe
md5sum: 7651ceb43ba38045dfa96d9c49573d22 *patch.exe
info: 20512 Apr 12 2002 patch.exe
links: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.litmus.html
file: patch.exe: MS Windows PE 32-bit Intel 80386 GUI executable not relocatable

packing/encoding: keybord.dll :: Microsoft Visual C++ 6.0 DLL
sha1sum: dc358b6a87bef525282849f2246a24822c2c093c keybord.dll
md5sum: 0295da1235c572320224e82d45dedea9 *keybord.dll
info: 94208 Sep 11 2001 keybord.dll
file: keybord.dll: MS-DOS executable (EXE), OS/2 or MS Windows

packing/encoding: msicon.exe :: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
sha1sum: 6d56582c04d05df648b227a14524742a2a30bef4 msicon.exe
md5sum: 16ea63a73c8dc206d16ec83fc075659d *msicon.exe
info: 22016 Apr 11 2002 msicon.exe
file: msicon.exe: MS-DOS executable (EXE), OS/2 or MS Windows

Threat: IRC Trojan
File: C:\malware\ColdLife Bot Section\Gt-coldlife4\w98s.dll
Date found: Sunday, December 11, 2005 12:47:57 AM
sha1sum: c2354f860222ad8968fd683b0cdb1e2cfee8abca w98s.dll
md5sum: 3a5c558e3ab986cc42f355fc3261dd94 *w98s.dll
info: 2992 Apr 23 2002 w98s.dll
file: w98s.dll: ASCII text, with CRLF line terminators

Threat: IRC Trojan
File: C:\malware\ColdLife Bot Section\Gt-coldlife4\Systray.exe
Date found: Sunday, December 11, 2005 12:48:12 AM
packing/encoding: Systray.exe :: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
sha1sum: 74cbe3fb9dba4a74f931b9d76a0b9e9f82685b39 Systray.exe
md5sum: 2b5792d211339a78469f00023e2cb0a3 *Systray.exe
info: 598016 Apr 19 2002 Systray.exe
file: Systray.exe: MS-DOS executable (EXE), OS/2 or MS Windows

sha1sum: 6b79f88c8c3594b3103f842bd7d6c8b74f8650dd Ciscos.txt
md5sum: 64f85e9581d5f07c5bf81f5a5150815a *Ciscos.txt
info: 41271 Apr 19 2002 Ciscos.txt
file: Ciscos.txt: ASCII text

sha1sum: 3c68d4b1f764d331354756a9c98c22e5924772f8 dvd.dll
md5sum: 464d08586c5e4b54730bbc783d38d194 *dvd.dll
info: 46094 Apr 21 2002 dvd.dll
file: dvd.dll: data

sha1sum: f857fb5ff4fe91e4d6b599e8911c5978e4313be5 index.html
md5sum: b84e92bbf220aadee069b4f29195a819 *index.html
info: 10709 Apr 18 2002 index.html
file: index.html: HTML document text

sha1sum: e8ac5248ff510238f8227bc113028301bbc08ae5 scsaver.dll
md5sum: 3d7a3285fdf481ea0298b17fa79a3a01 *scsaver.dll
info: 991 Apr 23 2002 scsaver.dll
file: scsaver.dll: data (actually a text file)

Modified UPXs

You may want to try the following forum:

http://community.reverse-engineering.net/

You should be able to find decent help and tutorials there in regards to different packing utilities.

thanks

I'll check it out.