-
March 20th, 2004, 04:36 AM
#1
Junior Member
Possible new virus/trojan
We have been seeing some strange behavior on one of our computers. We first noticed that the computer was trying to send out several thousand emails in a very shot period of time. Thanks to our firewall rules they were blocked. We tracked down the computer, someones home laptop running WinXP they brought in without any antivirus on it . After scanning with up to date antivirus and trojan scanners and finding nothing, I started digging a little deeper and began finding some unusual things. First of all the computer was trying about every 3 seconds to contact Tiffany.fvngh.com with a source port of 3024 and a destination port of 53. BTW, this Tiffany server has an IRC server running on port 80 with well over a thousand clients connected to it... all in hidden rooms...??? Oh well, back to our computer. Port 3024 was bound to svchost.exe. SvcHost.exe was also bound to ports 123, 135, 1025, 1900, 2869, 3002, 3003, 3004, 3005, 3009 and 5000. The only two other processes that I could not account for was Wscript.exe (there was no scripts running that I could find) and SysWeb.exe.
Have any of you been seeing this behaviour? Any suggestions?
-
March 20th, 2004, 04:55 AM
#2
Member
Haven't seen this specifically, but it sure looks like it's a RAT or listening Trojan. It takes commands from those IRC channels (much like the other fools). The destination port of 53 is usually DNS, yes? This is a good tactic because most firewalls will let port 53 in/out unless explicitlly blocked..
Hmm...
SvcHost.exe is a good name to hide a nefarious service. It may be a modified version of BO2K or something else with source available, so maybe a Trojan or virus scanner wouldn't pick it up.
l00p
-
March 20th, 2004, 05:16 AM
#3
Yes! fire the person that brought in an unprotected laptop and connected it to your network.
the newer versions of the agobot worm take commands from irc servers. once contacted the operator can give commands to downdoad anything s/he pleases. mailserver a differant back door what ever. one of the commands its set to take is to remove itself. this way when av is (if ever) updated nothing will be found. at least for however long it takes to catolog all the different software the spammers are uploading to the victims boxen after they initially take control.
if i were you id tell them the laptop must be reformatted and reinstalled and nothing can be removed from it because of the extreame danger of this virus...just for spite!
PHATBOT....its the newest ver of the agobot. couldn't think of it before...long day. although its the latest many of them do the same but with the way this thing is spreading there's a good chance thats your baby
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
March 20th, 2004, 03:03 PM
#4
Member
Tedob1 - isn't PHATBOT a P2P based virus?
Even so, it would be good form to check if anyone in your company (mainly that person with the untrusted laptop) is using P2P services across your network. Big no-no.
l00p
-
March 20th, 2004, 04:37 PM
#5
Junior Member
We keep pretty close track of any P2P traffic at work. It is not allowed. What they do at home is another matter though. I did not see any signs of it on the laptop. I did several searches on various security sites as well as on the sites of various antivirus vendors and several Google searches. None of these searches came up with anything that matched more than one or two of the symptoms. That is why I am thinking that it might be new or a varient of an existing virus or trojan. I am going to try and do some more investigations on the laptop on Monday to see if I can get some more information.
-
March 20th, 2004, 10:21 PM
#6
"Tedob1 - isn't PHATBOT a P2P based virus?"
it initially spreads that way but infected computer scans for all the common vulns on the net then infects those they find. im not saying it is phatbot but one like it if updated virus scans didn't detect it then its probably gone and all that remains is the mailing software.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
March 21st, 2004, 01:53 PM
#7
"svchost.exe" AND "SvcHost.exe"?????????????
If that is the case then I would say that the one with the capital letters is the imposter?
Try getting "HijackThis", run it and post the log. I am afraid you will have to search for it, as I don't know what sites are up these days..........they have been getting DoS attacks.
Good luck
-
March 21st, 2004, 03:46 PM
#8
http://209.133.47.200/~merijn/files/HijackThis.exe
hey nihil.. where you been ? AWOL ?
spywareinfo,merijn, and as of two days ago, tomcoyote's forum are back..
actually... merijn isn't quite back..
http://www.spywareinfo.com/~merijn/index.html
March 19, 2004:
Merijn.org will not be online again soon.
Mike Healan has gotten all the sites that have been attacked back up, but when he tried to put up merijn.org for a few hours, it was immediately flooded off the net again. The DDoS is attack still continuing. A mirror of my site will be kept online at http://www.spywareinfo.com/~merijn/.
However, the webserver running merijn.org is still online, even though the domain doesn't resolve to the IP of that server. You can reach it by adding 209.133.47.200 www.merijn.org to your hosts file.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|