Ok What have I found this time..


Und3ertak3r
June 1st, 2004, 02:07 PM
Hi Guys, back at work again..

Have this one on my bench at this moment..

Win XP he.. with SP1 installed.. not sure of patches installed .. I know we have rpc-dcom covered but not sure since..
removed a little from the system so far

nachi
d/l swizzer
spybot.worm
Randex.gen


have some random crap that looks like a Bugbear-type infection.. but it is not fitting the information available..

did a netstat -a while connected to a test network..

and had ports listening in the 3000-3039, 4000.. 13000...

btw: while NOT connected to a lan or internet I deleted the random named entries in the registry as well as the same named in the system32, only for a different named file to return..
Also a quick HJT scan returned a few regular crap.. trying to remove them is interesting.. besides being denied access to the hosts file (now empty),
one is "Hijacked Internet access by New.Net"
and "Broken Internet access because of LSP provider ösmim.dll" missing

ticking these to allow hjt to do its stuff results in a message box with three lines of "boxes" then the message "to fix these items will require a restart". Needless to say they remain..

next step is to scan the hdd in another machine and see what it finds..

but first I recheck the cleans I have done.. just in case..

Cheers

SirDice
June 1st, 2004, 02:12 PM
Did you try fport to see which process has these ports opened?

Und3ertak3r
June 1st, 2004, 02:51 PM
actually no I haven't..

but here is an extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?

I'll give it a go.. once I finish an external scan

bluthund
June 1st, 2004, 03:20 PM
:)
Hi,
New.Net rings a bell. Wasn't that one of the spybots that was on the list of Spybot S&D, recently discussed in this thread:

http://www.antionline.com/showthread.php?s=&threadid=257865&perpage=10&pagenumber=2

http://www.antionline.com/showthread.php?threadid=257865#post747529

SirDice
June 1st, 2004, 03:26 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=258274#post752207) by Und3ertak3r
but here is an extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?

This directory should only contain .sys files so this is definitely a suspect.

SwordFish_13
June 1st, 2004, 03:42 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=258274#post752207) by Und3ertak3r

but here is an extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?


Hi

Hmmm My first guess will be NACHI.B.....You said you removed nachi... it might be that your AV has already removed the infection and the file is clean but it is hardly unlikely....Your AV should have deleted or Quarantined the File Depending upon your Choice... Cleaning the file is highly unlikely.....

Have you tried the Nachi.B removal Tool..... Try it if you haven't Already W32.Welchia.Worm Removal Tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html)

Und3ertak3r
June 1st, 2004, 03:46 PM
hmm looks different.. certainly not a ms product.. and not the normal group.. not detected on Stinger, NAV, AVG, etrust..

normally detected as Nachi.b?

looks like a submission.. to symantec and co..

not sure I have fixed all the probs.. but all the listening ports are gone or seem to be..

Sry: didn't refresh before posting this reply.. BTW.. the file has been removed from the machine, it seems I need to fiddle with various security settings.. .. and yes I thought that Nachi was removed..

Don't trust the initial removal of a virus.. and more importantly.. when multiple malware are involved.. don't trust any one method.. look scan, sniff.. don't trust..

Remember that Gaobot Does run while the PC is in safe mode.. (this machine seems clean.. but gaobot variants account for over 50% of all removals in the past 2 months)

Cheers

Und3ertak3r
June 1st, 2004, 04:06 PM
Anyone want a look at this little baby? the sus svchost.exe that is..

If you want a look I will post a copy as a passworded zip..in the morning my time.. for those interested..


Cheers

Und3ertak3r
June 2nd, 2004, 01:13 PM
I thought all was ok.. with the sick machine.. that was until I had a very close look at the output from Fport..

I must be going blind and paranoid...

I have found an Un-named process with a process ID of 1332 on TCP port 3001 and UDP 2234

Have never noticed this before on a system.. certainly not the case on any of my own boxes.. there are 4 xp boxes that I was able to check..

At this point I have Installed Outpost firewall on the machine.. no strange activities thus far..

I am tempted to connect it to a RH machine and run Ethereal and see what transpires..

cheers
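
The Fport review described above, as an added example that is not part of the original thread: a small Python script (my own, not Fport's or anyone's from the thread) that parses Fport-style output and flags the cases the thread raises, a listener with no process name or path, an .exe living in System32\drivers, and a core service binary running from outside System32. The sample output, the Fport column layout it assumes and the SYSTEM32_ONLY list are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample in Fport's column layout (Pid, Process, Port, Proto, Path);
# these lines are made up for this example, not the thread's real output.
SAMPLE_FPORT = r"""
Pid   Process            Port  Proto Path
1040  svchost        ->  135   TCP   C:\WINDOWS\System32\svchost.exe
4     System         ->  139   TCP
1332                 ->  3001  TCP
1332                 ->  2234  UDP
1588  svchost        ->  3015  TCP   C:\WINDOWS\System32\drivers\svchost.exe
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S*)\s*->\s+(?P<port>\d+)\s+"
                     r"(?P<proto>TCP|UDP)\s*(?P<path>.*)$")

# Service binaries Windows starts from System32 itself; a copy elsewhere is suspect.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe"}


def check_row(proc: str, path: str) -> str:
    """Return a reason string if the listener looks wrong, else ''."""
    path = path.lower()
    parent, _, name = path.rpartition("\\")
    if not proc and not path:          # the 'un-named process' case from the thread
        return "listener has no process name or image path"
    if parent.endswith("\\system32\\drivers") and name.endswith(".exe"):
        return "executable in System32\\drivers (only .sys files belong there)"
    if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        return name + " running from outside System32"
    return ""


def audit_fport(text: str) -> List[Dict[str, str]]:
    """Parse Fport output and return one finding per suspicious port."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())   # header and blank lines do not match
        if not m:
            continue
        reason = check_row(m["proc"], m["path"])
        if reason:
            findings.append({"pid": m["pid"], "proto": m["proto"],
                             "port": m["port"], "reason": reason})
    return findings
```

Run `audit_fport(SAMPLE_FPORT)` on a saved Fport listing; the PID 4 System entry with no path is left alone, while the two PID 1332 ports and the drivers-folder svchost are reported.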

OverdueSpy
June 2nd, 2004, 02:21 PM
This could be the Phatbot worm.

Reference NAI: http://vil.nai.com/vil/content/v_101100.htm

Remote Access Component: The worm opens random ports on the system. During testing the following ports were observed : 3001, 22156

This variant belongs to a family of IRC bots based on W32/Gaobot.worm group. The worm bears the following characteristics:

Spreads through shares
Stealthy and hides itself in memory. The file is deleted.
Connects to IRC servers to perform various functions
Terminates security services
Carries out Denial of Service attack
Modifies hosts file on infected system
May spread through MS03-026 vulnerability

The worm contains a list of common user-names and passwords, which attempts to exploit Administrative shares.

Once successful the following actions can then be performed:

- connects to IRC server and joins channel
- enable/disable DCOM process on remote machine
- obtain system info
- download/upload/execute files on the remote system
- infected machine behaves like an FTP server
- manipulates file shares on infected machine
- creates a shell on the remote machine
- Updates itself with newer version
- shutdown/reboots the computer
- Kills a process or services on the victim's machine
- Flooders: phatwonk, phaticmp, HTTP, SYN, UDP
- Proxy server redirects HTTPS, SOCKS, GRE, TCP traffic

Und3ertak3r
June 2nd, 2004, 04:24 PM
hmm interesting...

While I have checked for the gaobot family, and the automated scan showed nothing and a visual check of the registry has drawn a blank.. I just had an interesting event..

I had also run another check for CoolWebSearch .. yep now I have found the msconfig variant.. missed on HJT/ cwshredder, and visual scans.. earlier..

While switching users on the machine Regprot popped up telling me that a startup registry item was being added, a program called "eamnfed.exe". Strange, I had removed it from startup as well as from the windows folder, but it seems that I didn't clear the prefetch..
/Note to self: Clear the prefetch folder on future virus removals

Also interesting..
Used Spybot s&d to clear out the trash.. a series of DSO exploits, 5 in total.. the little buggers came back..just edited them manually out of the registry and restarted the machine.... yep gone ..for now..

Adaware is also coming up clean..

Found a Reg key..
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update ... and the Value "eamnfed.exe"
While this key seems to be a listing for the disabled startup items, and would be mostly harmless, it is now a deleted entry..


BTW no reply yet from any of the Av co's I submitted the sample file to...


Cheers


For those who wish to look and play.. the zipped file is the file in question.. The password is "und3rtak3r" without the quotes.. ONLY D/L IF YOU ARE AWARE OF THE DANGERS. Do so at your own risk (pity I got rid of the original eamnfed.exe, would have been interesting to look at)

morganlefay
June 2nd, 2004, 06:19 PM
Und3ertak3r

Thanks for the info... I always like to hear on how people clean machines...cause when I ask a user "you got backups"...they usually have that deer in the headlights look and I end up instead of formatting...trying to clean the machine


although I have one question about the "prefetch" folder.

I was wondering if you or someone could explain this folder to me, what it is, and where it's located as I have never heard of it and lately I have a lot of XP machines getting infected...I use tools to clean...but I like to confirm the infection is cleared as we all know those little buggers come back and they seem harder and harder to clean these days.

TIA
MLF

Und3ertak3r
June 5th, 2004, 03:28 PM
Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications.

from google..

99.99999999999999999% of the viruses that I remove are known.. someone else has encountered it.. and most likely has written something to a website somewhere.. or is listed on an AV co's website.. so when I see a file I am not so sure about..www.google.com and back come a series of hints..

And why do I mention this...(again)

When I am working on a job.. I need answers 10 minutes ago if not sooner.. posting a help request on any forum may bring an answer up quickly.. but then to do any good you will need to post on 20 or more forums.. not good.. A good Google will find the answers from 100+ forums sites and in just a few seconds..

/end Rant


Cheers

Found this in a google for another problem.. Check out this guys HJT log and the O2 entries (theBHO's) now that it is a list and 3/4's..

jinxy
June 5th, 2004, 04:21 PM
Got a positive from Tds3, =Scan Control Dumped @ 15:27:56 05-06-04
Positive identification: Worm.Welchia.b
File: c:\documents and settings\anthony\desktop\sus-svchost\sus-svchost.exe

Funny thing is norton didn't pick it up.

nihil
June 5th, 2004, 04:43 PM
Hell jinxy, you don't take prisoners do you?

TDS3...............Trojan Defence Suite...............DiamondCS................ :D

Norton is crap at trojans.......yes there are reviews........check them you non-believers, it is an AV product, basically.

Anyways, they let us win the World Cup, so be gentle on Undies will you?

:D

jinxy
June 5th, 2004, 05:25 PM
Hell jinxy, you don't take prisoners do you? TDS3...............Trojan Defence Suite...............DiamondCS

Best £40 I spent.

groovicus
June 5th, 2004, 06:19 PM
Used Spybot s&d to clear out the trash.. a series of DSO exploits, 5 in total.. the little buggers came back..just edited them manually out of the registry and restarted the machine.... yep gone ..for now..


That is a current known bug with Spybot....they are false positives, that's why they keep coming back :D Hope they weren't important ;)

Explained here (http://forums.net-integration.net/index.php?showtopic=15308)

Und3ertak3r
June 5th, 2004, 11:35 PM
Ok Thanks for the info groovicus,

A simple bug in Spybot 1.3 with it not correctly resetting the registry values, in this case for how win deals with unsigned ActiveX controls... hmm not a good move me deleting those keys.. won't kill it but taken a little house door and changed it into a hangar door..


cheers

The Grunt
June 6th, 2004, 07:20 PM
Undertaker, Please keep posting these odd ones! I am learning a lot from them. I usually get begged to help fix friends computers and always run into weird stuff.