
Thread: hackertool virus

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    349

    hackertool virus

    Hi!
    First I would like to thank everyone for giving such good answers to a lot of our questions.
    I am new here and would like to try to solve this little problem if possible:
    After running an antivirus program (Symantec) I found 14 viruses in my files.
    After the scan I was able to delete all except this one, the hackertool one.
    I have an NT station at work and it is part of 1000 PCs connected to the network in our company.
    I tried Spybot and Ad-aware and a virus scan but still was not able to get rid of it.
    When scanned it said it has found 1 file infected but possibly running so I can't delete it. When I click on that file it says it contains 0 bytes.
    Any suggestions on what I can try?
    I can go in the registry and delete the entry but maybe it will delete that file too.
    I can remember exactly what it said but think it's a file in winnt/32/curent user/idhelp.exe
    The scan identified it as a hacking try to take over my browser, which is IE 4.
    Any help would be appreciated.
    Could you please suggest what is the best browser and best e-mail around (most secure)?
    This is for my home computer, which has ZoneAlarm Pro and Norton AntiVirus 2003.
    Thanks

  2. #2
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    What is it infected with?? You identified the file you think is infected, but we can help more easily with a virus name. I would also upgrade IE.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #3
    What did you use to scan and find the last infected file? If it was the antivirus app, then surely the app tells you what the name of the virus is? If so, then search online for steps to get rid of it...

    Otherwise, start Windows in safe mode or, even better, MS-DOS mode. Then just navigate to the file and delete it... hopefully DOS won't recognise the file as locked/in use. Bit of a pain if it's a required system file, but if the antivirus app can't clean it, then it's doomed anyway...

    If that doesn't work (and nobody here more experienced has better advice than me), then you might have to reformat. Hope you backed up... :P

  4. #4
    Best basic browser you can use right now (although some people are gonna disagree) is IE 6.0. Also, if it is a vital system file that's infected... go online, download one directly onto a floppy or something. Then manually delete the file, and copy the file from the floppy to the right directory. Now you said it was a hackertool virus. Perhaps someone in your network downloaded some tools to experiment around the network. Sometimes the antivirus will scan it, verify that it's a virus but it won't touch it since it's standalone. In that case just delete the file. Did your antivirus quarantine it? GL
    "Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the Information Age in which we live." — Peter Cochrane

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    *Moved from AntiOnline: How do I?*

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    349
    Thanks guys. Now I will be more specific as I brought some details from work:
    virus name is hackertool
    it cannot be deleted by Norton AntiVirus (current update)
    it cannot be quarantined
    file infected c:\winnt\system 32\ntservice.exe
    did not notice anything unusual at this stage when working with that computer
    will try to do some search work, thanks for your suggestions

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    5
    OK, I found some info on your virus. I found that this virus originates from a brute-force attack. A batch file malware creates simultaneous threads that connect to a remote machine's IPC$ and launches a brute-force password guessing attack for the administrator account using the following passwords (as listed in the file IPCpass.txt):

    %null%
    %username%
    %username%12
    %username%123
    %username%1234
    123
    1234
    12345
    123456
    1234567
    12345678
    654321
    54321
    1
    111
    11111
    111111
    11111111
    000000
    00000000
    888888
    88888888
    5201314
    pass
    passwd
    password
    sql
    database
    admin
    root
    secret
    oracle
    sybase
    test
    server
    computer
    Internet
    super
    user
    manager
    security
    public
    private
    default
    1234qwer
    123qwe
    abcd
    abc123
    123abc
    abc
    123asd
    asdf
    asdfgh
    !@#$
    !@#$%
    !@#$%^
    !@#$%^&
    !@#$%^&*
    !@#$%^&*(
    !@#$%^&*()

    After carrying out a successful attack and then gaining administrator rights, it proceeds with its system infection routines.

    Note: The NT null session (IPC$) attack is a very common vulnerability.

    Its component file named HACK.BAT connects to a target system with administrator rights and copies the listed files below in the Windows system32 folder:

    10.BAT
    HACK.BAT
    HFIND.EXE
    IPC.BAT
    IPCPASS.TXT
    MUMA.BAT
    NWIZE.EXE
    NWIZE.INI
    NTSERVICE.BAT
    NTSERVICE.EXE
    NTSERVICE.INI
    NWIZE.INI
    PCMSG.DLL
    PSEXEC.EXE
    RANDOM.BAT
    REP.EXE
    REPLACE.BAT
    SS.BAT
    START.BAT
    TIHUAN.TXT
    NEAR.BAT

    This malware then calls and executes the file START.BAT on the compromised system, which in turn calls the file, MUMA.BAT. The last file is assigned to search through the compromised system for its infection marker file, MUMU.LOG. If found, the malware exits and proceeds to look for another target system to infect. If not found, it executes the Trojan component file named, NWIZE.EXE, which is listed as TROJ_PCGHOST.413 by Panda Anti virus. Then, it initializes this Trojan to send an email to a remote malicious user that it has successfully infected the system.

    The batch file called NTSERVICE.BAT is used to deliver and install a spyware Trojan called NTSERVICE.EXE that Panda detects and lists as TROJ_NTSERV.A. The batch file also installs TROJ_NTSERV.A by adding the following registry entry, which allows the Trojan to load every time Windows starts:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtService
    Imagepath = <path where the file is executed>

    Also, if it does not find this infection marker, it proceeds to call the file, 10.BAT. This file (10.BAT) deletes the text file, IPCFind.txt, which contains the infected system's IP address.
    Then, it calls the file, HFIND.EXE, to search for a new system to infect. When it finds the said file (HFIND.EXE), it calls the file REPLACE.BAT which lists the newly infected IP address in IPCFind.txt. Then, it calls the file, IPC.BAT, with parameter IPCFind.txt. IPC.BAT will execute HACK.BAT and the infection routine restarts.

    In fear for your entire system's security I would recommend not only looking for the registry entries, but also trying to use a Panda tool to remove the virus. I would consider this infection to more than likely be widespread throughout your network. There is a possibility that the person responsible for the infection could still be connecting to your network as the client side to the Trojan, thus allowing your company to possibly track and find the attacker.


    -Ogre1010

    "Peace, Love, and Booty Grease"

    Also, considering you use Symantec, try going to: http://securityresponse.symantec.com...alinstructions
    Panda is my preferred antivirus; however, your company may not want to have to buy a 1000 PC licence just because I like it :)


  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Looks like the muma virus. Symantec has a tool to clean it up a bit but the problem with it is that some of the files it runs are legit and therefore not seen as a virus, like mIRC, although it's been renamed. If you do a netstat you'll see a connection is established to some IRC server.

    If all computers on your network are configured the same they all have it. It uses net use and psexec. The whole thing is done with batch files... what a waste of some good thinking
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
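
Added example, not part of any post in this thread: a Python triage sketch for sweeping many machines for the dropped files listed in post #7, while treating a lone PsExec as inconclusive because, as post #8 notes, some of the files are legitimate tools. The function names, the `min_hits` threshold, the host labels and the idea that each machine's system32 folder is readable at some path (for example through an admin share) are assumptions, and the sample directories are constructed.

```python
import os
import tempfile

# File names copied from the list in post #7; MUMU.LOG is the marker file it describes.
DROPPED = {
    "10.BAT", "HACK.BAT", "HFIND.EXE", "IPC.BAT", "IPCPASS.TXT", "MUMA.BAT",
    "NWIZE.EXE", "NWIZE.INI", "NTSERVICE.BAT", "NTSERVICE.EXE", "NTSERVICE.INI",
    "PCMSG.DLL", "PSEXEC.EXE", "RANDOM.BAT", "REP.EXE", "REPLACE.BAT",
    "SS.BAT", "START.BAT", "TIHUAN.TXT", "NEAR.BAT",
}
MARKER = "MUMU.LOG"
# PsExec is a legitimate admin tool, so on its own it only warrants a closer look.
DUAL_USE = {"PSEXEC.EXE"}

def triage(directory, min_hits=3):
    """Classify one system32 directory by the indicator files it contains."""
    try:
        names = {n.upper() for n in os.listdir(directory)}  # Windows names are case-insensitive
    except OSError as exc:
        return {"verdict": "unreachable", "hits": [], "marker": False, "error": str(exc)}
    hits = sorted(names & DROPPED)
    specific = [h for h in hits if h not in DUAL_USE]
    marker = MARKER in names
    verdict = ("likely-infected" if marker or len(specific) >= min_hits
               else "investigate" if hits else "clean")
    return {"verdict": verdict, "hits": hits, "marker": marker}

def sweep(targets):
    """targets maps a host label to a readable system32 path; worst results come first."""
    order = {"likely-infected": 0, "investigate": 1, "unreachable": 2, "clean": 3}
    results = {host: triage(path) for host, path in targets.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]["verdict"]], kv[0]))

def build_sample(root):
    """Constructed sample: three fake hosts holding empty placeholder files."""
    layout = {"pc-001": ["ntservice.exe", "nwize.exe", "Start.bat", "muma.bat", "mumu.log"],
              "pc-002": ["psexec.exe", "kernel32.dll"],
              "pc-003": ["kernel32.dll", "notepad.exe"]}
    for host, files in layout.items():
        os.makedirs(os.path.join(root, host))
        for name in files:
            open(os.path.join(root, host, name), "w").close()
    return {host: os.path.join(root, host) for host in layout}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for host, result in sweep(build_sample(root)):
            print(host, result["verdict"], result["hits"])
```

A file-name match is only a lead: confirm with the antivirus scan and the NtService registry entry from post #7 before cleaning a machine.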

  9. #9
    Senior Member
    Join Date
    Jul 2003
    Posts
    217
    It's definitely the muma virus. What you can do is go to the Symantec website or any other antivirus website and get the fix for it. Symantec has a fixmuma.exe or something like that that will supposedly remove all traces of the virus. Maybe you should try downloading and running it and then running the scan again. If there is somewhere I can send this fix to, I'll be happy to help you out as I have the fix on my HDD.

  10. #10
    Try MOZILLA!! Need I say more?? Mozilla 1.4
