Ok What have I found this time..

Hi Guy's back at work again..

Have this one on my bench at this moment..

Win XP he.. with SP1 installed.. not sure of patches installed .. I know we have rpc-dcom covered but not sure since..
removed a little from the system sofar

nachi
d/l swizzer
spybot.worm
Randex.gen


have some crap random that look like a Bugbear type infection.. but are not fitting the information available..

did a netstat -a while connected to a test network..

and had ports listening in the 3000-3039, 4000.. 13000...

btw: whle NOT connected to a lan or internet I deleted the random named entries in the registry aswell as the same named in the system32 only for a different named file to return..
Also a quick HJT scan returned a few regular crap.. trying to remove them is interesting.. besides being denied access to the hosts file (now empty) ,
one is "Hijacked Internet access by New.Net
and "Broken Internet access because of LSP provider ösmim.dll"missing

ticking these to allow hjt to do its stuff results in a message box with three lines of "boxes" then the message "to fix these items will require a restart" needless they remain..

next step is to scann the hdd in another machine and see what it finds..

but first I recheck the cleans I have done.. just in case..

Cheers

Did you try fport to see which process has these ports opened?

actually no I haven't..

but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?

I'll give it ago.. once I finish a external scann

:)
Hi,
New.Net rings a bell. Wasn't that one of the spybots that was on the list of Spybot S&D, recently discussed in this thread:

http://www.antionline.com/showthread...0&pagenumber=2

http://www.antionline.com/showthread...865#post747529

Quote:

---

Originally posted here by Und3ertak3r
but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?

---

This directory should only contain .sys files so this is definitely a suspect.

Quote:

---

Originally posted here by Und3ertak3r

but here is a extra hint.. SVCHOST.EXE? should you find a copy in the
c:\Windows\System32\drivers ?

---

hi

Hmmm My first guess will be NACHI.B.....You said you removed nachi... it might be that your AV has already removed the infection and file is clean but it is hardly unlikely....You AV shoued have deleted or Quarintened the File Depending upon your Choice... Cleaning the file is highly unlikely.....

Have you tried the Nachi.B removel Tool..... Try it if you havent Already W32.Welchia.Worm Removal Tool

hmm looks different.. certainly not a ms product.. and not the normal group.. not detected on Stinger, NAV, AVG, etrust..

normaly detcted as Nachi.b?

looks like a submission.. to symantec and co..

not sure I have fixed all the probs.. but all the listening ports are gone or seem to be..

Sry: didn't refresh before posting this reply.. BTW.. the file has been removed from the machine, it seem I need to fiddle with various security setting.. .. and yes I thought that Nachi was removed..

Don't trust the initial removal of a virus.. and more importantly.. when multiple malware are involved.. don't trust any one method.. look scan, sniff.. don't trust..

Remember that Gaobot Does run while the PC is in safe mode.. (this machine seem clean.. but gaobot varients accounts for over 50% of all removals in the past 2 months)

Cheers

Anyone want a look at this little baby? the sus svchost.exe that is..

If you want a look I will post a copy as a passworded zip..in the morning my time.. for those interested..


Cheers

I thought all was ok.. with the sick machine.. that was untill I had a very close look at the output from Fport..

I must be going blind and paranoid...

I have found an Un-named process with a process ID of 1332 on TCP port 3001 and UDP 2234

Have never noticed this before on a system.. certainly not the case on any of my own boxes.. there are 4 xp boxes that I was able to check..

At this point I have Installed Outpost firewall on the machine.. no strange activities thus far..

I am tempted to connect it to a RH machine and run etheral and see what transpires..

cheers

This could be the Phatbot worm.

Refernece NAI: http://vil.nai.com/vil/content/v_101100.htm

Remote Access Component: The worm opens random ports on the system. During testing the following ports were observed : 3001, 22156

This variant belongs to a family of IRC bots based on W32/Gaobot.worm group. The worm bears the following characteristics:

Spreads through shares
Stealthy and hides itself in memory. The file is deleted.
Connects to IRC servers to perform various functions
Terminates security services
Carries out Denial of Service attack
Modifies hosts file on infected system
May spread through MS03-026 vulnerability

The worm contains a list of common user-names and passwords, which attempts to exploit Administrative shares.

Once successful the following actions can then be performed:

- connects to IRC server and joins channel
- enable/disable DCOM process on remote machine
- obtain system info
- download/upload/execute files on the remote system
- infected machine behaves like an FTP server
- manipulates file shares on infected machine
- creates a shell on the remote machine
- Updates itself with newer version
- shutdown/reboots the computer
- Kills a process or services on the victim's machine
- Flooders: phatwonk, phaticmp, HTTP, SYN, UDP
- Proxy server redirects HTTPS, SOCKS, GRE, TCP traffic