
SYNOPSIS:
An unknown programmer has released a Windows95/Windows98 trojan horse program named "Deep Throat." Deep Throat consists of a client program called "Deep Throat Remote Control" which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program is required to be installed on the victim's computer to permit the remote site access to the victim's computer in a manner similar to Netbus, Back Orifice and other internet "Remote administration" trojan horses. This program exploits security vulnerabilities in the Windows95 and Windows98 platforms. It fails to operate on NT machines in this release. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines. Despite the limited functions and apparent poor quality of this program, it is becoming WIDESPREAD and proliferating rapidly in both home and institutional environments and has become a "second choice" among computer crackers in gaining access to sites which now block Netbus, Master's Paradise and Back Orifice attacks.
The server program for the Deep Throat trojan horse can be given any name by the party who places it on the victim's machine, which makes it difficult, but not impossible, to identify after it has been installed. The server is distributed under the name SYSTEMPATCH.EXE, but it will function and install itself into a system under any filename given to it; thus the filename should not be expected to be consistent in any given infestation.
Privacy Software Corporation's BOClean 2.01 software, designed to detect and defeat trojan horse programs, is fully effective in removing the Deep Throat server regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.
While the server is a completely different design from other trojans, its behaviors are similar, as is the means of exploitation of the victim's machine. This program will elude antivirus and signature detection because it is delivered in a compressed form, leaving no visible "strings" for comparison. Reports have also been received of copies of this program carrying the "CIH virus"; however, the virus does not appear until after the program has installed itself and decompressed its contents. In addition to the use of BOClean, we highly recommend routine virus scanning if your machine is capable of being exposed to trojan horse programs.
CAPABILITIES:
The Deep Throat server permits anyone using the Deep Throat "Remote control" client on their end to remotely control the victim's machine. The capabilities of Deep Throat are highly limited and the program is of extremely poor quality. It does however perform the claimed operations on Windows95 and Windows98 machines but does NOT pose a risk to WindowsNT as of release 1.00 shown above.
Because the Deep Throat trojan has an FTP server built in, once it does find its way onto a computer, the perpetrator is able to download files from any portion of the compromised computer. The Deep Throat trojan allows the perpetrator to "ping" a subnetwork looking for other machines which may contain this trojan and Deep Throat also provides the means to invoke a program remotely on the victim's machine and then extract files which may have been created or modified by the remotely controlled program.
Deep Throat can also annoy the victim with windows message boxes containing text provided by the perpetrator as well as start a web browser and send the victim to another site. If this is a rogue site which contains ActiveX controls and the system uses the Internet Explorer browser, further infestations of the machine can possibly occur. In addition, the Deep Throat client watches keystrokes that are involved with passwords and stores them waiting for a connection to occur from the perpetrator.
The perpetrator is also able to determine system information on the victim's machine and can annoy the victim by turning the screen on and off at will, as well as hide or restore the traybar, including the Windows Start button. When the traybar is hidden, it is difficult to access many parts of the victim's machine, and the only means by which to shut down the machine is the task manager.
The "steal passwords" function does not function at all and places a plea for help from the "author" of the program on the perpetrator's screen seeking assistance in making it function. Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with Deep Throat below verbatim:
MANUAL REMOVAL OF DEEP THROAT SERVER:
The Deep Throat server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with a string value of "SystemDLL32" with data pointing to the file which was installed.
It is necessary to remove the registry value first. It will not be possible to remove the program file while the server is running, and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Deep Throat server being reloaded, at which time the file pointed to in the registry can be removed without further risk.
As a result, care should be taken to back up your registry first, as well as your programs and files, in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's BOClean 3.01 program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage, or the need to disconnect the infected machine or reboot.
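A defender-side check for the autostart entry described above, written as an added example that is not part of this advisory and is not BOClean's code: it parses a REGEDIT4 export of the Run key (the sample export, the SYSTEMPATCH.EXE path and the other Run entries are constructed for the example) and reports the file the "SystemDLL32" value points to, since the value name is the indicator that stays constant even when the server's filename does not.

```python
import re

# Constructed sample of a REGEDIT4 export (the Windows 95/98 .reg format) of
# the Run key. The file path and the neighbouring entries are made up; the key
# and the "SystemDLL32" value name are the ones the advisory describes.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemDLL32"="C:\\WINDOWS\\SYSTEM\\SYSTEMPATCH.EXE"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE = "SystemDLL32"  # value name the Deep Throat server registers

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (one pass, left to right)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:  # only string values are of interest for Run entries
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_deep_throat_autostart(text):
    """Return the path the SystemDLL32 Run value points to, or None."""
    return parse_reg_export(text).get(RUN_KEY, {}).get(SUSPECT_VALUE)


if __name__ == "__main__":
    path = find_deep_throat_autostart(SAMPLE_REG_EXPORT)
    print("Deep Throat autostart entry:", path if path else "not found")
```

The path returned is the file to delete after the reboot described above; the other Run entries in the parsed dictionary are worth reviewing too, since the server can be registered under any filename.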
COPYRIGHTED MATERIAL:
Copyright (c) 1998 by Privacy Software Corporation.
Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.
Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.
Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, or by email to technology@privsoft.com. Copies of the Deep Throat distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program; in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs, nor can we divulge their identities under any circumstances.