NetSniff
Type: Trojan
SubType: -
Discovery Date: 12/05/2006
Length: Varies
Minimum DAT: 4911 (12/05/2006)
Updated DAT: 5224 (02/06/2008)
Minimum Engine: 5.1.00
Description Added: 12/05/2006
Description Modified: 06/11/2007 11:21 PM (PT)
Characteristics
This trojan uses WinPcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing and man-in-the-middle attacks. To do so it relies on a few bundled tools, such as "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious HTML code into HTTP response packets returned from a server, as well as sniff passwords from the network.
(WinPcap is a popular packet capture library that is often used in legitimate network monitoring.)
Upon installation this trojan installs the legitimate WinPcap packet filter libraries and driver under %WINDIR%\inf and the system directory (%SYSTEMDIR%):
- %WINDIR%\inf\netnm.pnf ( 14736 bytes )
- %WINDIR%\inf\netrasa.pnf ( 23504 bytes )
- %SYSTEMDIR%\wpcap.dll ( 221184 bytes )
- %SYSTEMDIR%\netmoninstaller.exe ( 6656 bytes )
- %SYSTEMDIR%\wanpacket.dll ( 61440 bytes )
- %SYSTEMDIR%\drivers\npf.sys ( 32000 bytes )
- %SYSTEMDIR%\pthreadvc.dll ( 53299 bytes )
- %SYSTEMDIR%\rpcapd.exe ( 86016 bytes )
- %SYSTEMDIR%\packet.dll ( 81920 bytes )
- %SYSTEMDIR%\daemon_mgm.exe ( 49152 bytes )
- %SYSTEMDIR%\npf_mgm.exe ( 49152 bytes )
The following tools are dropped in the directory from which the trojan executes:
- wpc.dll - Winpcap_3_1_beta4 Dos Installer - installs the packet filtering libraries.
- cmd.dll - zxarps Build 01/17/2007 By LZX. - tool used to carry out the DNS spoofing attack.
The following options can be passed to this tool (cmd.dll):
-idx [index]
-ip [ip]
-sethost [ip]
-port [port]
-reset
-hostname
-logfilter [string]
-save_a [filename]
-save_h [filename]
-hacksite [ip]
-insert [html code]
-postfix [string]
-hackURL [url]
-filename [name]
-hackdns [string]
-Interval [ms]
-spoofmode [1|2|3]
-speed [kb]
Many registry entries are created when the trojan is installed; most of them belong to the WinPcap installation. The registry entries unique to this trojan are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\CMD\DEBUG\Trace Level: ""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx
The registry entry responsible for restarting the trojan on reboot is:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx
Symptoms
- Presence of the files and registry keys listed above.
- Unusual volume of ARP request traffic on the local network.
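The second symptom can be checked from a packet capture or ARP log. The following is an added example, not part of the AVERT description: it scans constructed ARP records for the two signals an ARP-spoofing tool leaves behind, one IP address claimed by more than one MAC in replies and a single host issuing a burst of ARP requests. The record layout, the sample data, and the window and threshold values are assumptions.

```python
"""Detect ARP activity matching the symptom above.

Added example, not part of the AVERT description. Records are constructed
sample data in the form (timestamp_s, op, sender_mac, sender_ip); the
window and threshold values are assumptions to tune per network.
"""
from collections import defaultdict

ATTACKER = "aa:bb:cc:00:00:02"      # constructed: host running the spoofer
GATEWAY_MAC = "aa:bb:cc:00:00:ff"   # constructed: genuine gateway MAC

SAMPLE_ARP = [
    (0.0, "request", "aa:bb:cc:00:00:01", "192.168.1.10"),  # ordinary host
    (0.5, "reply", GATEWAY_MAC, "192.168.1.1"),             # genuine gateway reply
    (1.0, "reply", ATTACKER, "192.168.1.1"),                # attacker claims gateway IP
]
# Attacker sweeping the subnet: 30 requests in 3 seconds.
SAMPLE_ARP += [(2.0 + i * 0.1, "request", ATTACKER, "192.168.1.20") for i in range(30)]


def ip_mac_conflicts(records):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC in replies."""
    claims = defaultdict(set)
    for _ts, op, mac, ip in records:
        if op == "reply":
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def request_flooders(records, window_s=10.0, threshold=20):
    """Return {mac: peak count} for MACs exceeding `threshold` requests in any window."""
    times_by_mac = defaultdict(list)
    for ts, op, mac, _ip in records:
        if op == "request":
            times_by_mac[mac].append(ts)
    flooders = {}
    for mac, times in times_by_mac.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window_s:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                flooders[mac] = max(flooders.get(mac, 0), count)
    return flooders


if __name__ == "__main__":
    print("IP/MAC conflicts:", ip_mac_conflicts(SAMPLE_ARP))
    print("ARP request flooders:", request_flooders(SAMPLE_ARP))
```

A conflict on the gateway's IP is the stronger indicator; the request-rate check alone will also fire on legitimate scanners and should be correlated with the file and registry indicators above.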
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the pretense that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or on unpatched and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
Variants
N/A