I was browsing through my brother's computer and was looking in his %WINDIR%\system32\.
I sorted the files by size and found out that the biggest file was called 'PassLog.Log'.
So, I took a look in it and it contained all his FTP connections and various IRC passwords since 2004/8/8. The sniffs look like this:
FTP Log
---------------------------------------------------------------------------
Performing Time: 8/8/2004 14:52:54
192.168.0.100:1096->SERVER.IP.IP.IP:21
USER login
PASS password
---------------------------------------------------------------------------
IRC Sniff
---------------------------------------------------------------------------
Performing Time: 8/8/2004 14:55:48
192.168.0.100:1119->IP.IP.IP.IP:6667
USER Thom "sagasg.org" "irc.homelien.no" :asgasg
PASS :boga
PROTOCTL NOQUIT TOKEN NICKv2 SJOIN SJOIN2 UMODE2 VL SJ3 NS SJB64 TKLEXT NICKIP CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT
SERVER irc.server.com 1 :U2304-FinWXOoZE-1 FooNet Server
---------------------------------------------------------------------------
I'm very worried about this stuff... This computer can't be accessed from outside since the router blocks it. It can only be accessed through the two other computers on the LAN.
I googled this with a little help from Gotisch & Elektro but unfortunately it didn't turn up much information. Maybe any of you have seen this before?
I just booted up EtherDetect to see if the file uploads itself to some kind of server upon a new entry in the log - It doesn't. *Pheww*.
I've been looking through the task list and have come to the conclusion the logger is not in it. Nor do I have any bogus system services that could be starting it or any entries in CurrentVersion\RUN in the registry.
My guess is that this 'trojan?' is injected as a DLL. I have no experience with this really. I hope one of you can help me track this process so I can get further information about it.
!!EDIT!!
I succeeded in removing the trojan in safe mode and scanned with Trend Micro but I didn't back it up 'cause I'm not sure which one it was :\ sorry
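As a defensive follow-up (an added example, not code from the post or from any tool named in it): a small parser for the PassLog.Log layout shown above that lists which accounts and servers had credentials captured, so they can be rotated, without ever copying the secrets out of the log. The sample log, addresses and names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the PassLog.Log excerpt above (dummy values).
SAMPLE_LOG = """FTP Log
--------------------
Performing Time: 8/8/2004 14:52:54
192.168.0.100:1096->203.0.113.10:21
USER login
PASS password
--------------------
IRC Sniff
--------------------
Performing Time: 8/8/2004 14:55:48
192.168.0.100:1119->203.0.113.20:6667
USER Thom "example.org" "irc.example.net" :realname
PASS :boga
"""
CONN_RE = re.compile(r"^(\S+):(\d+)->(\S+):(\d+)$")  # src:port->dst:port

@dataclass
class Capture:
    kind: str                  # "FTP" or "IRC", from the section header
    when: str = ""             # "Performing Time" value
    dest: str = ""             # server the credential was sent to
    port: int = 0
    user: Optional[str] = None
    has_secret: bool = False   # a PASS line was seen; its value is never stored

def parse_passlog(text: str) -> List[Capture]:
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith((" Log", " Sniff")):      # section header starts a capture
            cur = Capture(kind=line.split()[0])
            entries.append(cur)
        elif cur is None or not line or line.startswith("---"):
            continue
        elif line.startswith("Performing Time:"):
            cur.when = line.split(":", 1)[1].strip()
        elif (m := CONN_RE.match(line)):
            cur.dest, cur.port = m.group(3), int(m.group(4))
        elif line.startswith("USER "):
            cur.user = line.split()[1]
        elif line.startswith("PASS "):             # record exposure, drop the value
            cur.has_secret = True
    return entries

def rotation_report(entries: List[Capture]) -> List[str]:
    return [f"{e.kind} {e.dest}:{e.port} user={e.user} at {e.when}: "
            + ("credential exposed, rotate it" if e.has_secret else "no PASS seen")
            for e in entries]
```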