-
taskmngr.exe
Last night I was going to play some online game that uses a browser and java. Dunno why, I was curious to know which port it was using and if the connection was continuous or just to send the scores.
I started jammer 2.0, a nice firewall and analyzer I bought a few months ago. I hadn't started it for a long time because I now have a little zyxel as a router and basic FW.
As soon as it started it asked me if taskmngr.exe was allowed to access the internet... notice that it had the mirc icon. I said "allow once", but then got suspicious. I looked at my sidebar and noticed that the Task Manager was NOT running. I opened it and noticed that the task manager is "taskmgr.exe".
I closed the other one and started searching on the internet. It turned out it's a trojan, it was going on IRC and maybe running DoS attacks!
I found a list of files and cleaned everything.
This is a good URL with some thoughts of other people:
http://www.newbie.org/help/messages/2553.html
I just read MS already released a public advisory.
The client was probably connecting to f0.ods.org (I found it in the ini files) and I think it was using port 6669 (jammer told me). Port 6669 was closed last night, when I checked, or at least unreachable. I got on port 6667 and joined a channel that was named in the ini files, but I couldn't find anyone.
Oh, BTW, I checked my firewall and noticed that I had set it to let anyone reach my PC!!! How stupid!
-
Man, I got two words for you concerning security: BE PARANOID.
If you don't know what it is and why it's connecting to the internet, don't allow it. First find out what it is (google, etc.) and why it's accessing the net.
Also: always use a firewall, do frequent virus checks and check for spyware.
-
Sounds like that would not be a good thing to occur. You very well may have been hacked or Trojaned. Task Manager should not request a socket. It is used to schedule a program or task to run, and the program that is scheduled to run should be shown as initiating that connection.
99.9999% of the time if you are not 100% sure what the program is doing, Block it!!!! If you notice a loss of functionality after that point then investigate further... But nothing is wrong with "Controlled Paranoia"
-
Something to keep in mind, one of the more common features of trojans is the ability for them to logon to IRC, and send a message to a channel announcing that it has successfully taken over the computer it is on and then the hacker can go in at their leisure and do whatever they want to do...
Assuming you have fully cleaned your computer (and I would look very very hard at every file), make sure you have
1) fully patched everything on your computer (windowsupdate is your friend)
2) obtained a good AV package with very recent antivirus (scan again)
3) boot up without outside network connectivity and then monitor your computer for attempts to access anything on the internet
if you see anything happen on part 3, take a harder look at antiviral software and consider finding a trojan removal program (look through archives, I have seen many suggestive threads)...
neb
-
Not to be annoying or anything...may I recommend that if you suspect a trojan or unauthorized internet access try a netstat -an to see what is going on and who is holding the ports open. Research those ports on google or whatever is convenient.
Also not just an AV should be investigated but maybe a desktop firewall or hardening of your box. Block any port or service that is not needed. You can also tell in netstat what sockets are open and to whom they are opened. If you investigate the DNS records of those connections through PTR RR or something it should give you an idea of who or what is talking to your box.
Be suspicious....
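The two posts above (monitor the box for outbound attempts after cleaning it, then run netstat -an and research the remote ports and hosts) can be turned into a small triage script. This is an added example, not code from the thread or from any of the tools named in it; the netstat output it parses is constructed for the example, the addresses are documentation ranges, and the allow-list of "expected" remote ports (80 and 443) is an assumption for a workstation that should only be browsing. It flags connections to the IRC ports the thread mentions (6667, 6669) and any other remote port outside the allow-list, and collects the remote IPs a PTR lookup would be run against.

```python
"""Triage helper for `netstat -an` text (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# IRC ports mentioned in the thread (6669 used by the trojan, 6667 the usual default).
IRC_PORTS = {6667, 6669}
# Assumption for the example: a browsing-only workstation should only reach these.
EXPECTED_REMOTE_PORTS = {80, 443}

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.20:80       ESTABLISHED
  TCP    192.0.2.10:1057        203.0.113.7:6669       ESTABLISHED
  TCP    192.0.2.10:1061        203.0.113.7:6667       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

# One data line: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]  # None for the unconnected '*:*' endpoint
    state: str


def _split_endpoint(endpoint):
    """'203.0.113.7:6669' -> ('203.0.113.7', 6669); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -an output into Conn records, skipping banner/header lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lip, lport = _split_endpoint(m["laddr"])
        rip, rport = _split_endpoint(m["raddr"])
        conns.append(Conn(m["proto"], lip, lport or 0, rip, rport, m["state"] or ""))
    return conns


def suspicious(conns):
    """Return (conn, reason) pairs for outbound TCP sockets worth researching."""
    out = []
    for c in conns:
        if c.proto != "TCP" or c.state in ("LISTENING", ""):
            continue  # listeners are reviewed separately; this pass is about outbound traffic
        if c.remote_port in IRC_PORTS:
            out.append((c, "IRC port"))
        elif c.remote_port not in EXPECTED_REMOTE_PORTS:
            out.append((c, "unexpected remote port"))
    return out


def remote_hosts_to_lookup(conns):
    """Distinct remote IPs to resolve with a PTR query (socket.gethostbyaddr on a live box)."""
    return sorted({c.remote_ip for c, _ in suspicious(conns)})


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for c, why in suspicious(parsed):
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} [{c.state}] {why}")
    print("PTR lookups to run:", remote_hosts_to_lookup(parsed))
```

On a live Windows host you would feed it the real output (`netstat -an` piped to a file) and, to tie a flagged socket back to a process as fport and TCPView do, use `netstat -ano` and match the PID column, which this parser deliberately ignores because the thread's command omits it. The PTR lookup is left as a function that only returns the addresses, so the script itself never touches the network.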
-
Trojan
I found another tool that will list the applications in use with what protocols and ports. It's pretty nifty. It's called fport and you can find it here.
-
carbonlifeform, I think that is the worst thing that I have ever heard. Where would we be today if we just threw away everything that we had no clue about? Hrmm, I couldn't count the numerous amounts of files I have opened and explored without being paranoid.. I think I have had to format 1 time in the 15 years of computing due to a virus/trojan, and it happened to be the monkey virus, a very annoying bugger.. :> Well, my suggestion, don't be paranoid, I say open it, if you get it, find out how to get rid of it. That sometimes is the best part.
-
I suggest if you're randomly going to open files...Do it on a test machine which you have imaged so that if you get stuck you can reimage it. Also, make sure it is on a service network so that you can monitor it with an IDA or something else ....Also keep your testing off of your backbone!!!!
If you don't then get the tattoo on your forehead...Don't be that guy who experiments with 12 live viruses in his network....
Controlled Paranoia.....administer this!! Lol
That was my attempt at Humor... no offense intended
-
Ok, There is an exploit in Windows where it searches for the program in the PATH, and in 90% of all systems it's configured to look through C:\%SystemRoot% and then C:\%SystemRoot%/system32, So if there is a trojan-ed copy of taskmgr.exe in your C:\Windows or C:\WinNT folder that is the copy with the trojan....... The system32 copy is probably genuine, But run a scan on it anyway..
BugTraq Advisory
I found a very similar virus to the one you are talking about and this one does not carry a damaging payload either here
Try the following virus scanners (they allow you to submit a single file online for scanning, I suggest you submit taskmgr.exe and any other copies of it)
http://av.rambler.ru/db/
http://www.dials.ru/english/www_av/home.htm
Good Luck!
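The post above says the copy that runs is whichever one the search order finds first, so a defender wants to see every copy of a given binary along that order and whether they agree. This is an added example, not code from the thread: it builds a throwaway directory tree with two differing placeholder `taskmgr.exe` files (constructed sample, mirroring the post's "Windows dir before system32" ordering), hashes each copy, reports which one the search order resolves to, and lists any copy whose hash differs from it. On a real host `search_dirs` would be the actual directories (`os.environ["PATH"].split(os.pathsep)` plus the system directories), and the differing copy would then be the one to submit to the scanners listed in the post.

```python
"""List every copy of an executable along a search order and compare hashes.
Added example, not from the thread; the directory tree below is constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(name, search_dirs):
    """Return [(path, sha256)] for each copy of `name`, in search order."""
    found = []
    for d in search_dirs:
        p = os.path.join(d, name)
        if os.path.isfile(p):
            found.append((p, sha256_file(p)))
    return found


def shadowed_copies(name, search_dirs):
    """(copy the search order resolves first, [later copies whose hash differs])."""
    copies = find_copies(name, search_dirs)
    if not copies:
        return None, []
    _, first_hash = copies[0]
    differing = [(p, h) for p, h in copies[1:] if h != first_hash]
    return copies[0], differing


def build_sample_tree(root):
    """Constructed layout: a 'Windows' dir searched before its 'system32' subdir,
    each holding a different placeholder taskmgr.exe (not real binaries)."""
    windir = os.path.join(root, "Windows")
    sys32 = os.path.join(windir, "system32")
    os.makedirs(sys32)
    with open(os.path.join(windir, "taskmgr.exe"), "wb") as f:
        f.write(b"placeholder: the copy that shadows the genuine one")
    with open(os.path.join(sys32, "taskmgr.exe"), "wb") as f:
        f.write(b"placeholder: the copy that should have been run")
    return [windir, sys32]


def demo():
    """Run the check against the constructed tree; returns (dir resolved first, #differing)."""
    with tempfile.TemporaryDirectory() as root:
        order = build_sample_tree(root)
        resolved, others = shadowed_copies("taskmgr.exe", order)
        for p, h in find_copies("taskmgr.exe", order):
            print(f"{h[:16]}  {p}")
        print("search order resolves to:", resolved[0])
        print("copies with a different hash:", [p for p, _ in others])
        return os.path.basename(os.path.dirname(resolved[0])), len(others)


if __name__ == "__main__":
    demo()
```

Two copies with different hashes is the signal, not proof of which one is bad; that still needs a scan or a comparison against a known-good hash from installation media, which this example does not have.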
-
Shads, I understand your sense of adventure but you are a network admin's nightmare. It's all fine and dandy to play with suspicious files on a standalone machine where there is no data being risked but if I found out an enduser was randomly opening files on a network I supported I'd have a fit and I would stop them by whatever means necessary.
Again, I understand wanting to understand viruses/trojans/worms etc I'm just advocating doing it sanely if nothing more but for the sake of the admin's sanity. :D
-
I use Sysinternals TCPView (freeware) to monitor all TCP and UDP, it's great in that it uses very few resources, will show connected or unconnected endpoints and resolved or unresolved addresses. Along with AnalogX's NetStat Live (freeware)
One of the better Port Lists I've come across
And I'd highly recommend TDS-3 as a scanner ;)
I actually keep a zoo of all trojans I capture and can acquire, to test with, and haven't managed to infect myself yet. (Without disabling most of my security)
I'd also highly recommend a watcher for the watchers (all Freeware)
either FileChecker or NIS FileCheck as well as a registry protector like RegistryProt
For browser security I'm currently experimenting with Naviscope an internal proxy (also freeware)
Since I've listed so much of my security so far I might as well list the rest
NOD32
ZoneAlarm with VisualZone Report Utility (both Freeware)
WormGuard
Spyblocker
AdAware (freeware)
LADS (List Alternative Data Streams) (for NTFS) (freeware)
And one piece of advice, always install security software in nondefault directories ;)
-
I like everything but the Zoo.... Way to go..
-
My zoo is an isolated HDD and is very useful for testing, a habit I picked up from one of the moderators at Wilders Security Forums :p
I assure you once captured they never make it to the wild again ;)
-
and how do you do it.. Ice Czar.
copy it to a floppy (from a *nix box) after download and then run it on your stand alone test windows box??
that's the only safe way I see...
-
Not exactly
They are acquired through downloads that fail scans (positive IDs), or directly from sites on occasion (IE SubSeven). My "real" OS rarely sees the internet, I spend most of my time in my "test" OS trying out programs and configs, which if they prove useful and safe migrate.
My System configuration goes like this
200GB RAID5, without any OS loaded (no system partition)
3x selectable ( Romtec Trio IDE Switcher one at a time is selectable) 40GB HDDs (IDE 0 Master)
2x manually switched 40GB HDDs (IDE 1 Master) or the 2GB ZOO
When I test the security of a fresh OS config or new denizen, I select the appropriate HDD and OS and hook up the ZOO, and try to import the file or exe, it's fun to see which program detects first, and which miss altogether, since I've got Ghosts and ISO backups I've even gone as far as disabling security until the infection took, and then attempt repairs for practice, observe what they did (with a filechecker and comparative system root. Generally even when I think I'm successful I still wipe the drive and Image back). But I haven't let any communication to the net take place (wouldn't want to reveal my IP)
I generally take my RAID and NIC offline when I try this, just to be safe. ;)
I'm still learning about interrogating a Trojan using TDS-3 and haven't worked up the courage to actually do it yet.
With 400GB of usable storage and (currently) 8 or so OS installations (98\ME\W2K\XP) I'm slowly learning about security by trial and error, my next phase will be setting up a network and playing with Linux (want to build a Bastille hardened firewall)
I collect Blackhat links and read how they compromise systems, as well as preventative measures to be had in the security forums and reading rooms (SANS). Right now though I'm still boning up on W2K and XP Pro Group Policy security features and Intruder Detection schemes