SYNOPSIS:

Two programmers known as "KillBoy" and "ExCon" have released a particularly insidious Windows95/98/NT internet trojan horse program named "GateCrasher." GateCrasher is the first of what appears to be an ominous new method of infecting machines with a trojan horse. In addition to the normal means of installation, GateCrasher is designed to be handed to victims as a MICROSOFT WORD97 DOCUMENT. By the simple act of opening a Word97 document, this trojan will take up residence on a computer connected to a TCP/IP network or the internet by similar means to other internet trojan horses.

This program exploits security vulnerabilities in Windows95, Windows98 and Windows NT platforms. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines as well as the new infection method of providing a Word97 document with the trojan horse embedded within the document which is executed as a macro as soon as the document is opened by the victim. This program has just surfaced in the United States. It is NOT widespread at this time but it is expected to be very soon owing to the nature and spread of macro viruses by Microsoft Office software and its widespread use. This is an EXTREMELY dangerous trojan.

The server program for the GateCrasher trojan horse consists of three files of which the perpetrator is to select two of them depending on their desired means of attack. The actual trojan horse server is contained in a file called PORT.DAT which the perpetrator can choose PORT.EXE in which case the method of infestation would be by providing an executable file which can be delivered by standard means OR they can combine PORT.DAT with a Word97 document called PORT.DOC which permits delivery of the trojan horse as a Microsoft Office/Microsoft Word97 document which will install the trojan horse file (PORT.DAT) as soon as the document is opened. Either case will install the end result trojan horse file called EXPLORE.EXE which sounds close in name to the legitimate EXPLORER.EXE used by the windows operating system as the desktop. The original files delivered then are destroyed after the installation is complete. GateCrasher can operate on any TCP/IP port.

Privacy Software Corporation's BOClean 2.01 software, designed to detect and defeat trojan horse programs, is fully effective in removing the GateCrasher server regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.

While the server is a completely different design from other trojans, its behaviors are similar as is the means of exploitation of the victim's machine. Where this trojan horse is installed, it is capable of doing serious damage to a machine or the network it's on. GateCrasher will appear on the task manager's list of running programs.
 

CAPABILITIES:

 The GateCrasher server permits anyone using the GateCrasher "GC - client.exe" client on their end to remotely control the victim's machine. GateCrasher is a risk to all Win32 platforms including Windows95, Windows98 and Windows NT. When received as a document, any machine running Word97 will install the infestation on the victim's machine as soon as it is opened.

 It can be configured to run on any port but the default version is configured to listen on port 6969 and respond on port 139 unless changed. Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with GateCrasher below verbatim:

• Connect - Find someones IP and put it in the 'Host:' box then press 'Connect'
• Disconnect - Simply press the 'Disconnect' button

• Hide/Show
• Hide Mouse - Hides the servers mouse pointer
• Show Mouse - Shows the servers mouse pointer
• Hide Taskbar - Hides the servers taskbar
• Show Taskbar - Shows the servers taskbar

• Open/Start
• Start Program - Start a program
• Open WebBrowser - Opens the default Browser
• Open Control Panel - Opens Comtrol Panel
• Open Date/Time - Opens the Date/Time
• Open Appearance - Doesn't work yet
• Start Screen Saver - Starts the screensaver
• Open CD - Opens the CD
• Close CD - Closes the CD
• Get Owner - Gets the username of the person logged into Windows
• Get Computer Name - Gets the computer name
• List Files in Directory - List the files in the specified dirctory

• Delete
• Delete File - Deletes the file in the 'Extra Data...' bar
• Reboot Computer - Reboots the server
• Delete Directory - Deletes the directory in the 'Extra Data...' bar
• Clear Recent Folder - Clears the recent folder.

• Close
• Close Windows - Shuts down server
• Shutdown! - Shuts down the server
• Log Off - Logs off Windows if there are multiple users

• Misc
• Read From Drive A: - Shows the files on Drive A
• PING! - Pings the server
• Send Text - Sends text
• Make Directory - Creates a directory on the server
• Get OS - Tells you the operating system on the server
• Get Free Space - Tells you how much free space is on the servers Hadr Drive
• Get Disk Serial # - Tells you the serial of the specified disk

• Send/Get
• Send Message - Sends the server a message
• Get Windows Directory - Shows the contents of the Windows Directory
• Get Temp Dir - Shows the Temp Directory
• Search for file - Searches for a file on the server
• Get HD Letter - Tells you the servers hard drive letter
• Get Local time - Shows the servers local time
• Get Active Windows - Shows all active windows on the server
• Switch Window - Makes the selected window the active one
• Get System Directory - Shows the contents of the Windows\System directory
• Set Computer Name - Sets the computer name
• Get User - Shows the name of the current user
• Crazy Mouse Start - Makes the mouse pointer move by itself
• Crazy Mouse Stop - Stops the mouse pointer moving by itself
• Get Organisation - Gets the organization of the server
• Kill Window - Closes the specified window
• Set Volume Label for C: - Renames drive C

MANUAL REMOVAL OF GATECRASHER SERVER:

The GateCrasher server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with a string value of "Explore" with data pointing to the file which was installed, which will usually be Explore.exe.

It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the GateCrasher" server being reloaded at which time the file pointed to in the registry can be removed without further risk.

As a result, care should be taken to back up your registry first as well as your programs and files in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's BOClean 3.01 program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage, or the need to disconnect the infected machine or reboot.
 

COPYRIGHTED MATERIAL:

Copyright (c) 1998 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the GateCrasher distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.



TOP