Jiadnik.exe

  #1  
Old 05-26-02, 09:14 PM
Member
Thread Starter
Join Date: Dec 2000
Posts: 1,019
Jiadnik.exe

OS: Windows 98se
Concerning: JIADNIK.EXE

Background data:
File: C:\WINDOWS\APPLOG\JIADNIK.LGC

Open calls:
created w/DOS commands:
cd applog
type jiadnik.lgc | find "C:" | more

[code]

o c15938d0 28000 "C:\WINDOWS\SYSTEM\JIADNIK.EXE"
o c1595be0 12000 "C:\WINDOWS\SYSTEM\WS2_32.DLL"
o c1596560 44035 "C:\WINDOWS\SYSTEM\MSVCRT.DLL"
o c15966b0 6000 "C:\WINDOWS\SYSTEM\WS2HELP.DLL"
o c1596fb0 70110 "C:\WINDOWS\SYSTEM\WININET.DLL"
o c157cbc0 45110 "C:\WINDOWS\SYSTEM\SHLWAPI.DLL"
o c15978e0 35000 "C:\WINDOWS\SYSTEM\RASAPI32.DLL"
o c1597a50 5000 "C:\WINDOWS\SYSTEM\NETAPI32.DLL"
o c1597b80 7000 "C:\WINDOWS\SYSTEM\NETBIOS.DLL"
o c1597cf0 1e000 "C:\WINDOWS\SYSTEM\TAPI32.DLL"
o c1597e20 8000 "C:\WINDOWS\SYSTEM\SVRAPI.DLL"
o c1597f70 a000 "C:\WINDOWS\SYSTEM\SECUR32.DLL"
o c15980a0 43000 "C:\WINDOWS\SYSTEM\MSVCRT20.DLL"
o c15981f0 a000 "C:\WINDOWS\SYSTEM\WSOCK32.DLL"
o c1413740 73000 "C:\WINDOWS\SYSTEM\KERNEL32.DLL"
o c15742e0 86320 "C:\WINDOWS\SYSTEM\USER.EXE"
o c1576500 e000 "C:\WINDOWS\SYSTEM\MPR.DLL"
o c1590570 53000 "C:\WINDOWS\SYSTEM\RPCRT4.DLL"
o c15787b0 13000 "C:\WINDOWS\SYSTEM\MSNET32.DLL"
o c1598d90 15000 "C:\WINDOWS\SYSTEM\MSWSOCK.DLL"
o c1534530 9300 "C:\WINDOWS\SYSTEM\SHFOLDER.DLL"
o c157b110 156000 "C:\WINDOWS\SYSTEM\SHELL32.DLL"
o c1535f60 8000 "C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT"
o c15836e0 4000 "C:\WINDOWS\COOKIES\INDEX.DAT"
o c158a030 4000 "C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT"
o c1570de0 b000 "C:\WINDOWS\SYSTEM\RNAAPP.EXE"


Regkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Name: Microsoft Diagnostic (MS registration - none)
Value: C:\WINDOWS\SYSTEM\JIADNIK.EXE


File: C:\WINDOWS\SYSTEM\JIADNIK.EXE
Program excerpts:
Win32
NetCancelConnection2A NetAddConnection2A InternetCloseHandle
InternetReadFile InternetOpenUrlA InternetOpenA InternetGetConnectedState
Functions?
Ident Server Porporties: Nickname: File Path: FileSize: PING: Version:
Windows Path: Windows system Path: File name: Self Kill command:
Temp Self Kill command: sleep ping run update AcebotMainThread
download igmp RegisterServiceProcess
IDs?
Sygate Personal Firewall Tiny Personal Firewall ZoneAlarm Pro ZoneAlarm
Attack stoped. Attacking... IPreport.log IP: Amount: Fetchreport.log
IP/Hostname: userhost End of /NAMES list.

[/code]

Known/Obvious:
The disk has been defragged while JIADNIK.EXE was present.
Remote connect - true. Program is now disabled.
Deep net search: zip.
I'm not a VB wiz, nor do I wish to obtain a decompiler.

Suspicions:
Open and pending.

My ?s:
File source. [Not Win98se setup, (unless created during), but "may have been" within dnload update].
[At the moment all possibilities are being entertained].

Have the same or similarly named file or the same open calls.
If so, filepathname/date & OS install date (if you don't mind).

Any information at all or comments.

Thanks, I appreciate your contribution.
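As an added triage helper (not code from the thread), the script below parses open-call lines in the shape the APPLOG excerpt above shows and buckets the strings pulled from the binary. It assumes the `.lgc` lines look like `o <hex> <hex> "<path>"`; the page does not document the two hex fields, so they are kept as opaque tokens. The sample lines and strings are copied from the post and labelled as constructed input; the module names, categories and regular expressions are this example's own assumptions, and nothing here touches the disk or the registry.

```python
"""Offline triage of a Win9x APPLOG excerpt plus strings from an unknown EXE.

Added example, not from the thread. Assumptions: '.lgc' open-call lines are
'o <hex> <hex> "<path>"' (hex fields treated as opaque), and the category
tables below are this example's own heuristics, not a documented format.
"""
import re

# Open-call lines copied from the post (constructed input for this example).
SAMPLE_LGC = """\
o c15938d0 28000 "C:\\WINDOWS\\SYSTEM\\JIADNIK.EXE"
o c1595be0 12000 "C:\\WINDOWS\\SYSTEM\\WS2_32.DLL"
o c1596fb0 70110 "C:\\WINDOWS\\SYSTEM\\WININET.DLL"
o c15978e0 35000 "C:\\WINDOWS\\SYSTEM\\RASAPI32.DLL"
o c1413740 73000 "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL"
o c1535f60 8000 "C:\\WINDOWS\\TEMPOR~1\\CONTENT.IE5\\INDEX.DAT"
o c15836e0 4000 "C:\\WINDOWS\\COOKIES\\INDEX.DAT"
o c158a030 4000 "C:\\WINDOWS\\HISTORY\\HISTORY.IE5\\INDEX.DAT"
o c1570de0 b000 "C:\\WINDOWS\\SYSTEM\\RNAAPP.EXE"
"""

# Strings the post lists as excerpts from JIADNIK.EXE (constructed input).
SAMPLE_STRINGS = [
    "NetCancelConnection2A", "NetAddConnection2A", "InternetCloseHandle",
    "InternetReadFile", "InternetOpenUrlA", "InternetOpenA",
    "InternetGetConnectedState", "Sygate Personal Firewall",
    "Tiny Personal Firewall", "ZoneAlarm Pro", "ZoneAlarm", "Attack stoped.",
    "Attacking...", "IPreport.log", "userhost", "End of /NAMES list.",
    "RegisterServiceProcess", "Self Kill command", "AcebotMainThread",
]

LINE_RE = re.compile(r'^o\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]+)"\s*$', re.I)
SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"

# Modules whose presence among an unknown program's open calls indicates it
# can talk to the network (assumed categories, based on what each DLL exports).
NETWORK_MODULES = {
    "WS2_32.DLL": "Winsock 2 (TCP/UDP sockets)",
    "WSOCK32.DLL": "Winsock 1.1",
    "WININET.DLL": "HTTP/FTP client (InternetOpenUrl and friends)",
    "RASAPI32.DLL": "dial-up networking control",
    "RNAAPP.EXE": "Remote Network Access (dial-up) engine",
    "NETAPI32.DLL": "LAN Manager network API",
}

def parse_lgc(text):
    """Return (field1, field2, path) for each well-formed 'o' line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return records

def triage_open_calls(text):
    """Summarise network-capable modules and files opened outside SYSTEM."""
    report = {"network_modules": {}, "outside_system_dir": []}
    for _, _, path in parse_lgc(text):
        name = path.rsplit("\\", 1)[-1].upper()
        if name in NETWORK_MODULES:
            report["network_modules"][name] = NETWORK_MODULES[name]
        if not path.upper().startswith(SYSTEM_DIR):
            # Browser cache/cookie/history index files are user data, not code.
            report["outside_system_dir"].append(path)
    return report

# First matching rule wins; these are this example's own heuristics.
STRING_RULES = [
    ("network_api", re.compile(r"^(Internet\w+|Net(Add|Cancel)Connection\w*)$")),
    ("security_product", re.compile(r"Firewall|ZoneAlarm", re.I)),
    ("irc_protocol", re.compile(r"/NAMES|userhost|Nickname", re.I)),
    ("attack_or_bot", re.compile(r"Attack|report\.log|Self Kill|MainThread", re.I)),
    ("hide_process", re.compile(r"^RegisterServiceProcess$")),
]

def classify_strings(strings):
    """Bucket extracted strings by what they suggest about the binary."""
    buckets = {name: [] for name, _ in STRING_RULES}
    buckets["other"] = []
    for s in strings:
        for name, rx in STRING_RULES:
            if rx.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets

if __name__ == "__main__":
    for key, val in triage_open_calls(SAMPLE_LGC).items():
        print(key, val)
    for key, val in classify_strings(SAMPLE_STRINGS).items():
        print(f"{key:18} {val}")
```

Read together, the two reports give the same picture the poster reached by hand: an unknown program in SYSTEM that loads the socket, HTTP and dial-up stacks, reads the browser's cache, cookie and history indexes, names the firewalls it expects to meet, and carries IRC protocol strings. A program is hidden from Ctrl+Alt+Del on Win9x by calling `RegisterServiceProcess`, so that string alone is worth a second look.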
 
  #2  
Old 05-28-02, 07:38 PM
Nashville_Guy
Visiting Guest
Posts: n/a
Jiadnik.exe

I did some looking at *.lgc files and see that they are related (frequently, at least) to two applications: WordPerfect and Defrag. I see that you have linked this issue to defrag.

If you have used the "Rearrange program files so my programs start faster" option, an lgc file will be created. If taskmon is running on your PC, you can disable it through MSCONFIG.

I saw that you mentioned some firewall programs. Did you notice this application trying to hit the web? I don't think it is a virus on a very quick first look, but we can get more in depth if need be.

Seems innocuous so far, but I am willing to track this thing down if you are!

 
  #3  
Old 05-29-02, 12:00 AM
Member
Thread Starter
Join Date: Dec 2000
Posts: 1,019
First, thanks for your input.

So, you noticed my back door to tracking programs & calls [defrag & rearrange]. I know it's a cheap trick, but Windows really sucks in the access to info. department. [I realize it's a trade-off by MS].

Jiadnik.exe is a UDP trojan. Every two minutes it would connect to irc.dalnet.com [cheap I know. but verified with ftp]. Exactly what it does from there, I don't know. I suspect it uses the caches to either gather info. or launch attacks. Dalnet.com has been notified. [Info gained with very deep research and dinking with it]. [My original research lacked inverse search logic].

Had I looked closer I would have seen that Jiadnik.exe was written in visual c++ instead of VB. One thing I was able to determine was it installed its own ram disk on W:, then built imiia.exe. [Loaded smartdrv at boot to verify]. [I thought about installing a ram disk on W: to see how well it was written, but opted out].

Jiadnik.exe has been killed, but today I noticed its cousin hhkfvk.exe. It had the same registry entry "Microsoft Diagnostic", but this time it's more sophisticated [almost entirely machine language], but still the same calls. Currently hhkfvk.exe is disabled. Deletion is pending. I haven't dinked with it yet, but ASAP I'll falsify index.dats [multiple duplicate records] and try tracking it also. [I wish I knew of a way to falsify index.dats for upd instead of http... might be interesting].

MS is still on my suspect list, because the only unusual activity was a browser dnload update [not that they need to resort to cheap tricks]. Naturally, I'm hunting for other viruses, trojans, and scripts, and have temporarily disabled hh.exe, wscript.exe, and cscript.exe. I'm examining urls more closely for spoofing also. Please don't suggest a reinstall, because it's not my style. That is an absolute last resort. I intend to run sfc to abandon the disabled file .lgc, rerun the update, then defrag, and then recheck for the .lgc again.

Now that I'm "into" the game I've decided to write a simplified DOS version of SFC, using slurppy old qbasic [relying on xcopy32 to build the lists in WinDOS, extract for WinDOS or DOS extraction, and regedit and win.com for registry probes]. Quick and easy.

I would be grateful for your assistance in debunking this thing and/or tracking its origin. Any and all thoughts or suggestions, less "reinstall" or illicit activity.

Thanks again for your reply.
 
  #4  
Old 05-29-02, 03:53 AM
Nashville_Guy
Visiting Guest
Posts: n/a
Trojan

2000, sounds like you are beating this thing up pretty good! I am not a programmer, but I do have a few thoughts on some things you could do that wouldn't be illicit but might still answer some of your questions.

First, I doubt that the source of the file is from your browser update. To my mind, it would be pretty hard to hijack MS' Windows Update process. Do you allow VBS scripts to run on incoming e-mails? That is an old Outlook/Outlook Express back door onto a system. Also, tagging a web site (ala Code Red) can get things onto your pc. Just some thoughts.

As to what this thing is doing, you have tracked it to Dalnet. Since your stateful firewall busted the executable trying to sneak out, you aren't really sure what else was going on. You might consider plopping jiadnik.exe and its related components onto a separate, clean box (with no firewall installed), putting a sniffer on it, and see what kind of traffic and destinations it is going for. This sounds like a classic DoS type zombie.

The following link GRC DoS covers a DoS attack that sounds kind of similar to what you are seeing with jiadnik. The part of it that will be interesting to you are the steps he took to figure out where it came from, what it was doing (it tagged an IRC server also), and how he hardened his system.

Also, if you kept a copy, CIAC, Norton, McAfee, etc. will probably want to eval it.

Let me know what you find!
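The thread starter reported the program checking in with an IRC server every two minutes, and the reply above suggests watching it with a sniffer on a clean box. The following added example (not code from the thread) shows the detection side of that: given connection records of the kind a sniffer or firewall log would yield, it groups them by destination and flags any destination contacted at a steady interval. The log lines, hostnames and port list are constructed for this example; the page never states which port the bot used, so the IRC default is an assumption.

```python
"""Periodic-beacon detector over firewall-style connection records.

Added example, not from the thread. Assumes records of the form
'<ISO timestamp> <proto> <dst_host>:<dst_port>' (constructed below);
IRC_PORTS is an assumption, since the page does not state the port used.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

IRC_PORTS = {6667}  # conventional IRC port (assumed, not from the page)

# Constructed log: an IRC check-in roughly every 120 s, with ordinary web
# traffic mixed in. Hostnames use the reserved .invalid TLD.
SAMPLE_LOG = """\
2002-05-28T20:00:05 tcp irc.example.invalid:6667
2002-05-28T20:00:41 tcp www.example.invalid:80
2002-05-28T20:02:04 tcp irc.example.invalid:6667
2002-05-28T20:03:13 tcp www.example.invalid:80
2002-05-28T20:04:06 tcp irc.example.invalid:6667
2002-05-28T20:06:05 tcp irc.example.invalid:6667
2002-05-28T20:08:04 tcp irc.example.invalid:6667
2002-05-28T20:09:30 tcp www.example.invalid:80
2002-05-28T20:10:05 tcp irc.example.invalid:6667
"""

def parse_log(text):
    """Return (timestamp, proto, host, port) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[2]:
            continue
        host, port = parts[2].rsplit(":", 1)
        records.append((datetime.fromisoformat(parts[0]), parts[1], host, int(port)))
    return records

def find_beacons(records, min_events=4, tolerance=0.10, min_regularity=0.8):
    """Flag destinations contacted at a near-constant interval.

    A destination qualifies when it has at least min_events connections and
    at least min_regularity of the gaps between them fall within tolerance
    of the median gap. Jitter of a few seconds, as in the sample, still passes.
    """
    by_dst = defaultdict(list)
    for ts, _proto, host, port in records:
        by_dst[(host, port)].append(ts)

    findings = {}
    for dst, times in by_dst.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        typical = median(gaps)
        regular = sum(abs(g - typical) <= tolerance * typical for g in gaps)
        regularity = regular / len(gaps)
        if regularity >= min_regularity:
            findings[dst] = {
                "count": len(times),
                "interval_s": typical,
                "regularity": regularity,
                "irc_port": dst[1] in IRC_PORTS,
            }
    return findings

if __name__ == "__main__":
    for (host, port), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host}:{port} every ~{info['interval_s']:.0f}s "
              f"x{info['count']} (regularity {info['regularity']:.2f}, "
              f"irc_port={info['irc_port']})")
```

Using the median gap rather than the mean keeps a single long outage from masking an otherwise steady timer, and the tolerance absorbs the second or two of jitter a bot's sleep loop produces. The web traffic in the sample has too few events and irregular gaps, so only the IRC destination is reported.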
 
  #5  
Old 05-29-02, 05:11 AM
Member
Thread Starter
Join Date: Dec 2000
Posts: 1,019
I will add your suggestions to the arsenal. Thanks for the tip also. I'll be glad to share, when I know more.
 
  #6  
Old 05-29-02, 02:50 PM
BSB
Member
Join Date: Mar 2001
Location: GB, WI
Posts: 782
Unfortunately, since I am at work I am unable to do much searching for these. I take it these are new trojans? Might explain why I am unable to find anything on any sites that the proxy is not restricting access to. But I would do a search on this site, may shed some light on the subject. http://www.infosyssec.org/infosyssec/

Brian
 
  #7  
Old 05-30-02, 10:23 PM
Member
Thread Starter
Join Date: Dec 2000
Posts: 1,019
BSB, thanks for the URL >cool site! Jiadnik.exe is fairly new. After about an hour on my second attempt I found one reference to it.

Nashville_Guy, hhkfvk.exe is another irc trojan. After some research and hacking I found a way to execute a batch file from the history cache. I crafted a batch to fdisk the primary partition, re-enabled hhkfvk.exe, then connected. It's my sincere hope the server was Windows based, and the batch worked as expected [handle that err, good buddy!]. I'm submitting both as you suggested.
Thanks to both of you for your help and suggestions.
 
  #8  
Old 06-01-02, 01:50 AM
XhdFs
Visiting Guest
Posts: n/a
wauw, this thread is far from what I expected
do not shoot me! But on a general forum like this I didn't expect people to be able to work with the command line

Good job, 2000, I guess I could learn from you
 