Ok What have I found this time..
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Ok What have I found this time..

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Ok What have I found this time..

    Hi Guy's back at work again..

    Have this one on my bench at this moment..

    Win XP he.. with SP1 installed.. not sure of patches installed .. I know we have rpc-dcom covered but not sure since..
    removed a little from the system sofar

    nachi
    d/l swizzer
    spybot.worm
    Randex.gen


    have some crap random that look like a Bugbear type infection.. but are not fitting the information available..

    did a netstat -a while connected to a test network..

    and had ports listening in the 3000-3039, 4000.. 13000...

    btw: whle NOT connected to a lan or internet I deleted the random named entries in the registry aswell as the same named in the system32 only for a different named file to return..
    Also a quick HJT scan returned a few regular crap.. trying to remove them is interesting.. besides being denied access to the hosts file (now empty) ,
    one is "Hijacked Internet access by New.Net
    and "Broken Internet access because of LSP provider ösmim.dll"missing

    ticking these to allow hjt to do its stuff results in a message box with three lines of "boxes" then the message "to fix these items will require a restart" needless they remain..

    next step is to scann the hdd in another machine and see what it finds..

    but first I recheck the cleans I have done.. just in case..

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Did you try fport to see which process has these ports opened?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    actually no I haven't..

    but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
    c:\Windows\System32\drivers ?

    I'll give it ago.. once I finish a external scann
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    139

    Hi,
    New.Net rings a bell. Wasn't that one of the spybots that was on the list of Spybot S&D, recently discussed in this thread:

    http://www.antionline.com/showthread...0&pagenumber=2

    http://www.antionline.com/showthread...865#post747529

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by Und3ertak3r
    but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
    c:\Windows\System32\drivers ?
    This directory should only contain .sys files so this is definitely a suspect.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    Originally posted here by Und3ertak3r

    but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
    c:\Windows\System32\drivers ?
    hi

    Hmmm My first guess will be NACHI.B.....You said you removed nachi... it might be that your AV has already removed the infection and file is clean but it is hardly unlikely....You AV shoued have deleted or Quarintened the File Depending upon your Choice... Cleaning the file is highly unlikely.....

    Have you tried the Nachi.B removel Tool..... Try it if you havent Already W32.Welchia.Worm Removal Tool

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    hmm looks different.. certainly not a ms product.. and not the normal group.. not detected on Stinger, NAV, AVG, etrust..

    normaly detcted as Nachi.b?

    looks like a submission.. to symantec and co..

    not sure I have fixed all the probs.. but all the listening ports are gone or seem to be..

    Sry: didn't refresh before posting this reply.. BTW.. the file has been removed from the machine, it seem I need to fiddle with various security setting.. .. and yes I thought that Nachi was removed..

    Don't trust the initial removal of a virus.. and more importantly.. when multiple malware are involved.. don't trust any one method.. look scan, sniff.. don't trust..

    Remember that Gaobot Does run while the PC is in safe mode.. (this machine seem clean.. but gaobot varients accounts for over 50% of all removals in the past 2 months)

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Anyone want a look at this little baby? the sus svchost.exe that is..

    If you want a look I will post a copy as a passworded zip..in the morning my time.. for those interested..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    I thought all was ok.. with the sick machine.. that was untill I had a very close look at the output from Fport..

    I must be going blind and paranoid...

    I have found an Un-named process with a process ID of 1332 on TCP port 3001 and UDP 2234

    Have never noticed this before on a system.. certainly not the case on any of my own boxes.. there are 4 xp boxes that I was able to check..

    At this point I have Installed Outpost firewall on the machine.. no strange activities thus far..

    I am tempted to connect it to a RH machine and run etheral and see what transpires..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  10. #10
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    This could be the Phatbot worm.

    Refernece NAI: http://vil.nai.com/vil/content/v_101100.htm

    Remote Access Component: The worm opens random ports on the system. During testing the following ports were observed : 3001, 22156

    This variant belongs to a family of IRC bots based on W32/Gaobot.worm group. The worm bears the following characteristics:

    Spreads through shares
    Stealthy and hides itself in memory. The file is deleted.
    Connects to IRC servers to perform various functions
    Terminates security services
    Carries out Denial of Service attack
    Modifies hosts file on infected system
    May spread through MS03-026 vulnerability

    The worm contains a list of common user-names and passwords, which attempts to exploit Administrative shares.

    Once successful the following actions can then be performed:

    - connects to IRC server and joins channel
    - enable/disable DCOM process on remote machine
    - obtain system info
    - download/upload/execute files on the remote system
    - infected machine behaves like an FTP server
    - manipulates file shares on infected machine
    - creates a shell on the remote machine
    - Updates itself with newer version
    - shutdown/reboots the computer
    - Kills a process or services on the victim's machine
    - Flooders: phatwonk, phaticmp, HTTP, SYN, UDP
    - Proxy server redirects HTTPS, SOCKS, GRE, TCP traffic
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •