Jeem

Description:
An interesting trojan in that it contains both a mail server and a web proxy. It is often installed by another ‘downloader’ trojan, or pulled down from a website.

By default, it opens three ports. The port numbers appear random but are derived from the time zone and operating system number of the local OS. The lowest-numbered port is a simple SMTP open relay, which the attacker will often use to relay spam to the rest of the planet. This lowest port may return the string ‘jeem.mail.pv’ in its banner if you telnet to it.

The middle port listens for instructions to the trojan, which can include direction to connect to a specific IP/port or to listen on port 9000 for further instructions. The highest-numbered port has the ability to act as an HTTP proxy.

This can be a very annoying worm to be infected with. It has the ability to turn a lowly workstation into a spammer’s dream: an open mail relay.

Capture:

Telnetting to the trojan’s relay port, whatever number it happens to be, returns the following:

[root@intmgmtws1 root]# telnet 192.168.101.100 8281
Trying 192.168.101.100...
Connected to my.domain.com (192.168.101.100).
Escape character is '^]'.
220 jeem.mail.pv ESMTP
quit
221 jeem.mail.pv
Connection closed by foreign host.

Note the SMTP codes and the line ‘221 jeem.mail.pv’.
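A small banner check that looks for exactly this signature, as an added example that is not part of the original write-up. The local listener is a constructed stand-in reproducing the capture above so the script runs offline; the host and port values are assumptions.

```python
"""Flag SMTP listeners whose greeting names jeem.mail.pv (added example)."""
import socket
import threading

JEEM_MARKER = "jeem.mail.pv"  # string the capture shows in the 220/221 replies


def is_jeem_banner(line: str) -> bool:
    """True if an SMTP greeting (220) or goodbye (221) names jeem.mail.pv."""
    parts = line.strip().split(maxsplit=1)
    return len(parts) == 2 and parts[0] in ("220", "221") and JEEM_MARKER in parts[1].lower()


def _read_line(sock: socket.socket, limit: int = 512) -> str:
    """Read one CRLF-terminated line; cap the length so a chatty port can't stall us."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace")


def grab_smtp_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read the greeting, send QUIT like the capture did, return the greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _read_line(sock)
        sock.sendall(b"quit\r\n")
        _read_line(sock)  # the 221 goodbye, not needed for the verdict
    return greeting


def scan_for_jeem(host: str, ports, timeout: float = 3.0):
    """Return the subset of ports whose banner matches the Jeem relay signature."""
    hits = []
    for port in ports:
        try:
            banner = grab_smtp_banner(host, port, timeout)
        except OSError:
            continue  # closed, filtered, or not a line-oriented service
        if is_jeem_banner(banner):
            hits.append(port)
    return hits


def start_fake_jeem_listener() -> int:
    """Constructed stand-in that replays the captured dialogue once on 127.0.0.1."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 jeem.mail.pv ESMTP\r\n")
            conn.recv(64)  # the client's quit
            conn.sendall(b"221 jeem.mail.pv\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_jeem_listener()
    print("flagged ports:", scan_for_jeem("127.0.0.1", [port]))
```

Against a real host you would feed scan_for_jeem the open ports found by a port scan, since the relay port number varies per machine.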

Sources:

Malicious code review

As a side project, I’m going to review various bits of malicious code (mostly worms and trojans) that I come across at work. Mostly it’ll be the “view from the outside”, as I don’t have access to most of the systems beyond what I can see via open ports. I’ll add shortcuts to each “review” to the menu (on the left). Hopefully it’ll help someone out.

Note: Please bear with me while I get a standard form hammered out.