-
July 15th, 2003, 04:00 PM
#1
hackertool virus
hi!
first i would like to thank everyone for giving such good answers to a lot of our questions.
i am new here and would like to try to solve this little problem if possible:
after running an antivirus program (symantec) i found 14 viruses in my files.
after the scan i was able to delete all except this one - the hackertool one.
i have an nt station at work and it is part of 1000 pcs connected to the network in our company.
i tried spybot and adaware and a virus scan but still was not able to get rid of it.
when scanned it said it had found 1 file infected but possibly running so i can't delete it. when i click on that file it says it contains 0 bytes.
any suggestion what can i try?
i can go in the registry and delete the entry but maybe that will delete that file too.
i can't remember exactly what it said but think it's a file in winnt/32/curent user/idhelp.exe
the scan identified it as a hacking attempt to take over my browser which is ie 4.
any help would be appreciated.
could you please suggest what is the best browser and best e-mail program around (most secure)?
this is for my home computer which has zone alarm pro and norton antivirus 2003.
thanks
-
July 15th, 2003, 04:05 PM
#2
What is it infected with?? You identified the file you think is infected, but we can help more easily with a virus name. I would also upgrade IE.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
July 15th, 2003, 04:12 PM
#3
What did you use to scan and find the last infected file? If it was the antivirus app, then surely the app tells you what the name of the virus is? If so, then search online for steps to get rid of it...
Otherwise, start windows in safe mode or even better, MS-Dos mode. Then just navigate to the file and delete it... hopefully Dos won't recognise the file as locked/in use. Bit of a pain if it's a required system file, but if the antivirus app can't clean it, then it's doomed anyway...
If that doesn't work (and nobody here more experienced has better advice than me), then you might have to reformat. Hope you backed up... :P
-
July 15th, 2003, 04:42 PM
#4
Member
Best basic browser you can use right now (although some people are gonna disagree) is IE 6.0. Also, if it is a vital system file that's infected... go online, download one directly onto a floppy or something. Then manually delete the file, and copy the file from the floppy to the right directory. Now you said it was a hackertool virus. Perhaps someone in your network downloaded some tools to experiment around the network. Sometimes the antivirus will scan it, verify that it's a virus but it won't touch it since it's standalone. In that case just delete the file. Did your antivirus quarantine it? GL
"Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live." — Peter Cochrane
-
July 15th, 2003, 04:57 PM
#5
*Moved from AntiOnline: How do I?*
-
July 16th, 2003, 10:45 AM
#6
thanks guys. now i will be more specific as i brought some details from work:
virus name is hackertool
it can not be deleted by norton antivirus (current update)
it can not be quarantined
file infected: c:\winnt\system 32\ntservice.exe
did not notice anything unusual at this stage when working with that computer
will try to do some search work. thanks for your suggestions
-
July 17th, 2003, 04:33 PM
#7
Junior Member
OK, I found some info on your virus. I found that this virus originates from a brute force attack. A batch file malware creates simultaneous threads that connect to a remote machine's IPC$ and launch a brute-force password guessing attack for the administrator account using the following passwords (as listed in the file IPCpass.txt):
%null%
%username%
%username%12
%username%123
%username%1234
123
1234
12345
123456
1234567
12345678
654321
54321
1
111
11111
111111
11111111
000000
00000000
888888
88888888
5201314
pass
passwd
password
sql
database
admin
root
secret
oracle
sybase
test
server
computer
Internet
super
user
manager
security
public
private
default
1234qwer
123qwe
abcd
abc123
123abc
abc
123asd
asdf
asdfgh
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
!@#$%^&*(
!@#$%^&*()
After carrying out a successful attack and then gaining administrator rights, it proceeds with its system infection routines.
Note: the NT null session (IPC$) attack is a very common vulnerability.
Its component file named HACK.BAT connects to a target system with administrator rights and copies the files listed below into the Windows system32 folder:
10.BAT
HACK.BAT
HFIND.EXE
IPC.BAT
IPCPASS.TXT
MUMA.BAT
NWIZE.EXE
NWIZE.INI
NTSERVICE.BAT
NTSERVICE.EXE
NTSERVICE.INI
NWIZE.INI
PCMSG.DLL
PSEXEC.EXE
RANDOM.BAT
REP.EXE
REPLACE.BAT
SS.BAT
START.BAT
TIHUAN.TXT
NEAR.BAT
This malware then calls and executes the file START.BAT on the compromised system, which in turn calls the file MUMA.BAT. The last file is assigned to search through the compromised system for its infection marker file, MUMU.LOG. If found, the malware exits and proceeds to look for another target system to infect. If not found, it executes the Trojan component file named NWIZE.EXE, which is listed as TROJ_PCGHOST.413 by Panda Antivirus. Then, it initializes this Trojan to send an email to a remote malicious user that it has successfully infected the system.
The batch file called NTSERVICE.BAT is used to deliver and install a spyware Trojan called (NTSERVICE.EXE) that Panda detects and lists as TROJ_NTSERV.A. The batch file also installs TROJ_NTSERV.A by adding the following registry entry, which allows the Trojan to load every time Windows starts:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtService
Imagepath = <path where the file is executed>
Also, if it does not find this infection marker, it proceeds to call the file, 10.BAT. This file (10.BAT) deletes the text file, IPCFind.txt, which contains the infected system's IP address.
Then, it calls the file, HFIND.EXE, to search for a new system to infect. When it finds the said file (HFIND.EXE), it calls the file REPLACE.BAT which lists the newly infected IP address in IPCFind.txt. Then, it calls the file, IPC.BAT, with parameter IPCFind.txt. IPC.BAT will execute HACK.BAT and the infection routine restarts.
In fear for your entire system's security I would recommend not only looking for the registry entries, but also trying to use a Panda tool to remove the virus. I would consider this infection to more than likely be widespread throughout your network. There is a possibility that the person responsible for the infection could still be connecting to your network as the client side of the Trojan, thus allowing your company to possibly track and find the attacker.
-Ogre1010
"Peace, Love, and Booty Grease"
Also, considering you use Symantec, try going to: http://securityresponse.symantec.com...alinstructions
Panda is my preferred anti virus, however your company may not want to have to buy a 1000 PC licence just because I like it )
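The post above gives two things a defender can act on straight away: the worm's fixed password dictionary (so any administrator account whose password is on that list is guessable by it) and the set of files and the NtService registry key it leaves behind. The Python below, added here as an example and not code from the thread or from Panda or Symantec, turns both into an offline audit: it expands the IPCpass.txt templates (%null% as the empty password, %username% as the account name) and checks a password against them, and it matches a system32 directory listing and a list of service names against the dropped-file and persistence indicators. The case-insensitive password comparison is a conservative audit choice, not a statement about how NT authenticated the worm's guesses; the sample listing and service names are constructed.

```python
"""
Audit helpers for the Muma-style IPC$ brute-force described in the post above.
Added example, not code from the thread or from Panda/Symantec.
Everything here runs offline on constructed input: no network, no registry access.
"""
import ntpath

# The IPCpass.txt dictionary exactly as quoted in the post (60 entries).
# %null% is the empty password; %username% is replaced by the account name.
IPCPASS_TEMPLATES = """
%null% %username% %username%12 %username%123 %username%1234
123 1234 12345 123456 1234567 12345678 654321 54321
1 111 11111 111111 11111111 000000 00000000 888888 88888888 5201314
pass passwd password sql database admin root secret oracle sybase test
server computer Internet super user manager security public private default
1234qwer 123qwe abcd abc123 123abc abc 123asd asdf asdfgh
!@#$ !@#$% !@#$%^ !@#$%^& !@#$%^&* !@#$%^&*( !@#$%^&*()
""".split()

# Files the post says HACK.BAT copies into system32, plus the infection marker
# MUMA.BAT looks for (MUMU.LOG) and the IP list 10.BAT deletes (IPCFind.txt).
# PSEXEC.EXE is a legitimate Sysinternals tool, so on its own it is weak
# evidence; the batch files and the NtService entry are not.
DROPPED_FILES = {
    "10.BAT", "HACK.BAT", "HFIND.EXE", "IPC.BAT", "IPCPASS.TXT", "MUMA.BAT",
    "NWIZE.EXE", "NWIZE.INI", "NTSERVICE.BAT", "NTSERVICE.EXE", "NTSERVICE.INI",
    "PCMSG.DLL", "PSEXEC.EXE", "RANDOM.BAT", "REP.EXE", "REPLACE.BAT", "SS.BAT",
    "START.BAT", "TIHUAN.TXT", "NEAR.BAT", "MUMU.LOG", "IPCFIND.TXT",
}
WEAK_EVIDENCE = {"PSEXEC.EXE"}
# Service name from the registry key quoted in the post:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtService
PERSISTENCE_SERVICE = "NtService"


def muma_dictionary(username):
    """Concrete passwords the worm would try against `username`."""
    result = []
    for template in IPCPASS_TEMPLATES:
        if template == "%null%":
            result.append("")
        else:
            result.append(template.replace("%username%", username))
    return result


def password_in_muma_dictionary(username, password):
    """True if this account would fall to the worm's guessing loop.

    Case is folded before comparing: a deliberately conservative policy choice
    for an audit (flag 'Password' as well as 'password'), not a claim about how
    NT compared the guesses."""
    wanted = password.casefold()
    return any(wanted == candidate.casefold() for candidate in muma_dictionary(username))


def find_muma_artifacts(system32_listing, service_names):
    """Match a directory listing (names or full paths) and a list of service
    names against the indicators above.  Comparison is case-insensitive, as
    NTFS and the registry are.  The verdict ignores weak evidence on its own."""
    files = set()
    for entry in system32_listing:
        name = ntpath.basename(entry).upper()
        if name in DROPPED_FILES:
            files.add(name)
    persistence = any(s.casefold() == PERSISTENCE_SERVICE.casefold() for s in service_names)
    likely = bool(files - WEAK_EVIDENCE) or persistence
    return {"files": sorted(files), "ntservice_persistence": persistence, "likely_infected": likely}


if __name__ == "__main__":
    # Constructed sample input, not captured from a real machine.
    listing = ["kernel32.dll", "NTSERVICE.EXE", "ipcpass.txt", "psexec.exe", "Hack.bat"]
    services = ["Browser", "NtService", "Spooler"]
    print(find_muma_artifacts(listing, services))
    for user, pw in [("Administrator", ""), ("Administrator", "administrator123"),
                     ("Administrator", "c0rrect-Horse")]:
        verdict = "guessable" if password_in_muma_dictionary(user, pw) else "not in list"
        print(user, repr(pw), "->", verdict)
```

On a live NT box the listing would come from the system32 directory and the service names from the Services registry key; feeding captured output in keeps the check repeatable across the 1000 machines the poster mentions, and the separate `likely_infected` verdict stops a lone PsExec copy from being counted as an infection.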
-
July 18th, 2003, 04:44 AM
#8
looks like the muma virus. symantec has a tool to clean it up a bit but the problem with it is that some of the files it runs are legit and therefore not seen as a virus, like mirc although it's been renamed. if you do a netstat you'll see a connection is established to some irc server.
if all computers on your network are configured the same they all have it. it uses net use and psexec. the whole thing is done with batch files... what a waste of some good thinking
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
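The symptom named in the post above, an established connection to an IRC server showing up in netstat, is easy to check for in bulk if the output is captured to a file. The Python below is an added example, not code from the thread: it parses Windows `netstat -an` rows and returns the established TCP sessions whose remote port is an IRC port. The port set (6660-6669 and 7000) is an assumption, since the post names no port, and the capture it runs on is constructed with documentation addresses.

```python
"""
Triage helper for the symptom in the post above: an infected machine shows an
established connection to an IRC server in `netstat -an`.
Added example, not from the thread; parses a constructed capture offline.
"""
import re

# Ports commonly used by IRC servers.  Assumption: the post names no port, so
# the usual 6660-6669 range plus 7000 is used here; adjust to your environment.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# One Windows `netstat -an` row, e.g.
#   TCP    10.0.0.5:1042     203.0.113.9:6667     ESTABLISHED
# UDP rows have no state column and may show *:* as the foreign address.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")

# Constructed capture (RFC 5737 documentation addresses), not a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          203.0.113.9:6667       ESTABLISHED
  TCP    10.0.0.5:1043          198.51.100.20:80       ESTABLISHED
  TCP    10.0.0.5:1044          203.0.113.9:6667       TIME_WAIT
  UDP    10.0.0.5:137           *:*
"""


def _port(text):
    """Port column as int, or None for '*' and other non-numeric values."""
    return int(text) if text.isdigit() else None


def parse_netstat(text):
    """Turn netstat -an output into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": _port(lport),
            "raddr": raddr, "rport": _port(rport), "state": state,
        })
    return rows


def suspicious_irc_connections(text, irc_ports=IRC_PORTS):
    """Established TCP sessions whose remote port is an IRC port.  LISTENING and
    TIME_WAIT rows are ignored: the symptom is a live, established session."""
    return [
        r for r in parse_netstat(text)
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["rport"] in irc_ports
    ]


if __name__ == "__main__":
    for hit in suspicious_irc_connections(SAMPLE_NETSTAT):
        print("established IRC session: %s:%d -> %s:%d"
              % (hit["laddr"], hit["lport"], hit["raddr"], hit["rport"]))
```

The parser deliberately keeps every row, so the same output can be filtered for other things (the poster's note that the worm uses `net use` suggests also looking at established sessions to port 139 between workstations); mapping a flagged session back to the renamed mIRC process is a separate step that this script does not attempt.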
-
July 18th, 2003, 05:07 AM
#9
It's definitely the muma virus. What you can do is go to the Symantec website or any other antivirus website and get the fix for it. Symantec has a fixmuma.exe or something like that that will supposedly remove all traces of the virus. Maybe you should try downloading and running it and then running the scan again. If there is somewhere I can send this fix to, I'll be happy to help you out as I have the fix on my HDD.
-
July 18th, 2003, 05:24 AM
#10
Banned
try MOZILLA!! Need I say more?? Mozilla 1.4