Today we had a few machines dumping 4,000 events a minute at our domain controllers. Upon analysis, we found an executable named CTFMON.EXE (which had replaced the real one) in the c:\winnt\system32 folder and a reg key set up in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Though preliminary, we have seen it attempt to disable AD accounts and report information back to an IRC channel. More testing is gonna be done, but in the meantime a sample has been sent to Symantec. It appears that they don't know what this is yet.

Stay tuned...


**EDIT**

Here is the IRC server it connects up to:

Trying 217.70.149.22 at ARIN
Trying 217.70.149 at ARIN

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

This is the KingMaster.org clowns. GRRRRRR.

**EDIT 2**

This thing is pretty slick. It fires up (infected CTFMON.EXE is 54kb) and then copies the real one (8kb) back and remains resident in memory. Another hex edit of the infected CTFMON.DLL shows all the IRC commands and associated commands. If anyone wants a sample, please let me know via PM.


**EDIT 3**
CERT contacted me about this, so here is the link where I have a sample published for them and a few other folks. The DLL has most of the meat, so fire up a hex editor and you'll see the guts of this thing.

http://www.citlink.net/~sdiscini/download/ircbot.zip

**EDIT 4**
No surprise here, it tries to propagate via netbios shares.


-TH13
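A small offline triage script built around the indicators in this thread (the DC event storm, the connection to 217.70.149.22, and the fan-out over NetBIOS/SMB ports), as an added example that is not the poster's code or the bot itself. Everything in it that is not in the post is assumed: the log line format, the event IDs and private addresses in the constructed samples, the IRC port 6667, and the default threshold, which is just the 4,000/minute rate the post reported.

```python
"""Offline triage helpers for the CTFMON.EXE IRC bot incident described above.

Added example, not the original poster's code. Assumptions (none come from the
post): the DC log line format, the event IDs and private IPs used in the
constructed samples, IRC on port 6667, and the 4,000-events-per-minute
threshold, which is simply the rate the post reported.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

C2_IP = "217.70.149.22"          # IRC server address given in the post
SMB_PORTS = {"139", "445"}       # NetBIOS-over-TCP and direct SMB: share-propagation path

# Assumed log line format: "<YYYY-MM-DD HH:MM:SS> <source host> <event id>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (\S+) (\d+)$")


def per_minute_counts(lines):
    """Map each source host to a Counter of events per calendar minute."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the assumed format
        minute, host, _event_id = m.groups()
        counts[host][minute] += 1
    return counts


def noisy_hosts(lines, threshold=4000):
    """Hosts that logged at least `threshold` events in any single minute."""
    return sorted(host for host, buckets in per_minute_counts(lines).items()
                  if max(buckets.values()) >= threshold)


def c2_connections(netstat_text, c2_ip=C2_IP):
    """(local, foreign, state) tuples from `netstat -an` output whose peer is the C2 host."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header or blank line
        foreign_ip = parts[2].rsplit(":", 1)[0]
        if foreign_ip == c2_ip:
            hits.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return hits


def outbound_smb_peers(netstat_text):
    """Distinct peers this host is connecting *to* on 139/445 (share-propagation fan-out)."""
    peers = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        foreign_ip, foreign_port = parts[2].rsplit(":", 1)
        if foreign_port in SMB_PORTS:     # outbound: the foreign side holds the SMB port
            peers.add(foreign_ip)
    return sorted(peers)


def build_sample_log():
    """Constructed DC security log: WS-07 floods the DC, WS-12 and WS-19 are normal."""
    start = datetime(2000, 1, 1, 9, 0, 0)  # arbitrary date, not from the post
    lines = []
    for i in range(4200):                  # 4,200 events inside one minute from WS-07
        t = start + timedelta(seconds=i % 60)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} WS-07 529")
    for i in range(30):                    # background noise from two healthy hosts
        t = start + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} WS-12 528")
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} WS-19 538")
    return lines


# Constructed `netstat -an` output from an infected workstation (10.1.2.7).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.1.2.7:139           0.0.0.0:0              LISTENING
  TCP    10.1.2.7:139           10.1.2.30:1201         ESTABLISHED
  TCP    10.1.2.7:1045          217.70.149.22:6667     ESTABLISHED
  TCP    10.1.2.7:1046          10.1.2.5:445           SYN_SENT
  TCP    10.1.2.7:1047          10.1.2.6:139           SYN_SENT
  TCP    10.1.2.7:1048          10.1.2.8:445           ESTABLISHED
  UDP    10.1.2.7:137           *:*
"""

if __name__ == "__main__":
    print("hosts flooding the DC:", noisy_hosts(build_sample_log()))
    print("C2 sessions:", c2_connections(SAMPLE_NETSTAT))
    print("outbound SMB targets:", outbound_smb_peers(SAMPLE_NETSTAT))
```

The inbound session on local port 139 (peer 10.1.2.30:1201) is deliberately ignored by `outbound_smb_peers`: only connections where the remote side holds 139 or 445 indicate this host reaching out to other machines' shares, which is the propagation behaviour the last edit describes. In practice the threshold should come from a baseline of normal per-host event rates rather than the number in the post.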