
(`. Teleport Pro V1.29 (Build 1107) .)
by Faulpelz
published at fravia's searchlores in January 2001

Slightly edited by fravia+

See also Noos' Delving deeper into Teleport Pro 1.29 (October 2000) and Faulpelz's Teleport Pro 1.29, malware galore, which is replaced and completed by this essay.

"Teleport Pro V1.29 (Build 1107)"

by Faulpelz

TARGET: Teleport Pro V1.29 (Build 1107)

After reading Noos' essay I re-checked my findings today (late, but who cares...)
First I have to apologize for my 'false' (not so false at all) warning.
Everything that Noos wrote in Delving deeper into Teleport Pro 1.29 (October 2000) was correct, so I asked Fravia+ to remove my old essay.
I was a little bit too 'voreilig' (hasty), sorry guys... Anyway, I want to make some
additions to Noos's essay:

1)
TENMAX does not retrieve any data about you (except your IP), but there are several hidden triggers inside the code, e.g. look at this:

:0041A110 50 push eax
:0041A111 8D4DEC lea ecx, dword ptr [ebp-14]
:0041A114 E89267FFFF call 004108AB
:0041A119 81382C010000 cmp dword ptr [eax], 0000012C <- 300 connections?
:0041A11F 0F8EF5010000 jle 0041A31A <- skip if lower or equal
:0041A125 51 push ecx
:0041A126 8B8E96100000 mov ecx, dword ptr [esi+00001096]
:0041A12C 8BC4 mov eax, esp
:0041A12E 8965E4 mov dword ptr [ebp-1C], esp
:0041A131 8908 mov dword ptr [eax], ecx
:0041A133 8D45E4 lea eax, dword ptr [ebp-1C]
:0041A136 50 push eax
:0041A137 8D4DEC lea ecx, dword ptr [ebp-14]
:0041A13A E86C67FFFF call 004108AB
:0041A13F 8138F0000000 cmp dword ptr [eax], 000000F0 <- 240 connections?
:0041A145 0F8ECF010000 jle 0041A31A <- skip if lower or equal
:0041A14B 389E95100000 cmp byte ptr [esi+00001095], bl
:0041A151 0F843D010000 je 0041A294 <- get update.txt from tenmax.com

As you can see, 'call 4108AB' returns a counter in EAX, so let's take a look at it.

* Referenced by a CALL at Addresses:0040919E, :0040E748, :0040FC53, :0041089D
:00411B05, :00419F00, :0041A114, :0041A13A, :0041A34D, :0041A42C, :00426165
:004108AB 8B09 mov ecx, dword ptr [ecx]
:004108AD 8B442404 mov eax, dword ptr [esp+04]
:004108B1 2B4C2408 sub ecx, dword ptr [esp+08]
:004108B5 8908 mov dword ptr [eax], ecx
:004108B7 C20800 ret 0008
Quite a lot of references...

ok, now let's take a look at some of them...

:0041A114 <- do something (what?) after >300 connections

:0041A13A <- get update.txt after >240 connections

:0041A34D <- do something (what?) after >60 connections

Ok, some of the references are just there to display the progress etc.,
but others should be worth a closer look... Unfortunately
I don't have the time to do this now. I just wanted to show you some
of the *obvious* triggers (if they used random numbers it
wouldn't be SO obvious; maybe there are already some randoms inside...)
I am still not sure whether Teleport is as harmless as it seems to be...
Take a closer look at ALL references, if you have the time! I bet that one
of those references is near the 'registered?' check because AFAIK Teleport
has some internal fetch-limits, but as we don't want to cr*ck this target you
should ignore it (if you can ;) - we are just looking for sniffing actions...
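To find such hard-coded thresholds systematically instead of by eye, here is an added example (my own code, not from the essay or from Tenmax) that scans raw x86 bytes for 'cmp dword ptr [eax], imm32' immediately followed by a Jcc rel32 and decodes the immediate and the jump target; it generalises the two jle cases above to every conditional jump. The sample bytes are transcribed from the listing above so the reported addresses can be checked against it; the function and constant names are my own.

```python
import re
import struct

# Jcc rel32 opcodes (0F 80..0F 8F) and their mnemonics, for the generalised scan.
JCC = {0x80: "jo", 0x81: "jno", 0x82: "jb", 0x83: "jae", 0x84: "je", 0x85: "jne",
       0x86: "jbe", 0x87: "ja", 0x88: "js", 0x89: "jns", 0x8A: "jp", 0x8B: "jnp",
       0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}

# 'cmp dword ptr [eax], imm32' encodes as 81 38 imm32; we require a Jcc rel32
# right behind it. Matching raw bytes can also hit data, so treat hits as leads
# to confirm in the disassembler, not as proof.
PATTERN = re.compile(rb"\x81\x38(.{4})\x0f([\x80-\x8f])(.{4})", re.DOTALL)

def find_threshold_triggers(code, base):
    """Return [(cmp_addr, imm, mnemonic, target)] for each cmp/Jcc pair in code."""
    hits = []
    for m in PATTERN.finditer(code):
        imm = struct.unpack("<I", m.group(1))[0]
        rel = struct.unpack("<i", m.group(3))[0]
        jcc_addr = base + m.start() + 6      # the Jcc follows the 6-byte cmp
        target = jcc_addr + 6 + rel          # rel32 is relative to the next instruction
        hits.append((base + m.start(), imm, JCC[m.group(2)[0]], target))
    return hits

def format_hits(hits):
    """Render hits in the same style as the disassembly listing."""
    return ["%08X cmp dword ptr [eax], %d ; %s %08X" % (a, imm, jcc, t)
            for a, imm, jcc, t in hits]

# Constructed sample: opcode bytes transcribed from the listing above
# (0041A110 .. 0041A156), including the instructions between the two pairs
# so that the decoded addresses line up with the listing.
SAMPLE_BASE = 0x0041A110
SAMPLE = bytes.fromhex(
    "508D4DECE89267FFFF"
    "81382C0100000F8EF5010000"
    "518B8E961000008BC48965E489088D45E4508D4DECE86C67FFFF"
    "8138F00000000F8ECF010000"
    "389E951000000F843D010000"
)

if __name__ == "__main__":
    for line in format_hits(find_threshold_triggers(SAMPLE, SAMPLE_BASE)):
        print(line)
```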

2)
We can remove these checks (to speed up Teleport) with a hex editor
and modify the trigger-values to e.g. 0xffffffff OR change the jle's
etc., but if you do it you have to remove the silly self-check of
Teleport:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B4C8(U)
|
:0040B4CC 3BFB cmp edi, ebx
:0040B4CE 5F pop edi
:0040B4CF 741C je 0040B4ED
:0040B4D1 A1EC964700 mov eax, dword ptr [004796EC]
:0040B4D6 3B30 cmp esi, dword ptr [eax]
:0040B4D8 7413 je 0040B4ED <- e.g. change '74' to 'EB' (jmp)
:0040B4DA 53 push ebx (of course there are other ways, too)
:0040B4DB 53 push ebx

* Possible StringData Ref from Data Obj ->"This program has been altered, "
->"possibly by a virus; program execution "
->"will stop now."
|
:0040B4DC 68FC964700 push 004796FC
:0040B4E1 E83BE20300 call 00449721

3)
If you don't want to modify Teleport, but want it to stop connecting to
tenmax.com (and trying to retrieve the non-existing update.txt, giving them
your IP - btw: the tenmax server responds with 'access forbidden'),
you can simply add "127.0.0.1 www.tenmax.com" to your Windows HOSTS file...
that's it... bye, faulpelz (thx to Noos for correcting me... ;)
-cut-

- 'Faulpelz', January 2001


(c) 1952-2032: [fravia+], all rights reserved