Hello all:

I think that one of our XP workstations has been compromised with some sort
of backdoor / trojan control that is NOT being detected by Symantec AVCE v
8.0 with the most current LiveUpdate defs. When users login, I can see a
window titled "update" that starts up in the bottom taskbar next to the
start button. If I click on it, I can freeze it for a few seconds, and one
time I was able to read additional windows titled with expletives, etc. I
have physically removed this machine from the network until it can be fixed.

I have looked for unknown programs in the registry key Run, but I don't see
anything unusual. This machine did have a virus named Hacktool that was
quarantined by SAVCE. I'm wondering if its payload was deployed, but the
tool is so new that it hasn't been identified as of yet. Any suggestions?

Thanks,

Chas Armstrong

Re: Unknown virus/trojan attack by Susan

Susan
Mon Sep 01 11:21:45 CDT 2003

Fixing a workstation compromised with a trojan means you reformat.

Seriously. You cannot trust this machine anymore.

Chas Armstrong wrote:

> Hello all:
>
> I think that one of our XP workstations has been compromised with some sort
> of backdoor / trojan control that is NOT being detected by Symantec AVCE v
> 8.0 with the most current LiveUpdate defs. When users login, I can see a
> window titled "update" that starts up in the bottom taskbar next to the
> start button. If I click on it, I can freeze it for a few seconds, and one
> time I was able to read additional windows titled with expletives, etc. I
> have physically removed this machine from the network until it can be fixed.
>
> I have looked for unknown programs in the registry key Run, but I don't see
> anything unusual. This machine did have a virus named Hacktool that was
> quarantined by SAVCE. I'm wondering if its payload was deployed, but the
> tool is so new that it hasn't been identified as of yet. Any suggestions?
>
> Thanks,
>
> Chas Armstrong

--
"Don't lose sight of security. Security is a state of being, not a
state of budget. He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches. Demand
better security from vendors and hold them responsible. Use what
you have, and make sure you know how to use it properly and effectively."
~ Rain Forest Puppy

http://www.wiretrip.net/rfp/txt/evolution.txt



Re: Unknown virus/trojan attack by Les

Les
Mon Sep 01 11:54:46 CDT 2003

In article <OMfg1RJcDHA.1532@TK2MSFTNGP10.phx.gbl>,
usegroups@microsoft.com says...
> Hello all:
>
> I think that one of our XP workstations has been compromised with some sort
> of backdoor / trojan control that is NOT being detected by Symantec AVCE v
> 8.0 with the most current LiveUpdate defs. When users login, I can see a
> window titled "update" that starts up in the bottom taskbar next to the
> start button. If I click on it, I can freeze it for a few seconds, and one
> time I was able to read additional windows titled with expletives, etc. I
> have physically removed this machine from the network until it can be fixed.
>
> I have looked for unknown programs in the registry key Run, but I don't see
> anything unusual. This machine did have a virus named Hacktool that was
> quarantined by SAVCE. I'm wondering if its payload was deployed, but the
> tool is so new that it hasn't been identified as of yet. Any suggestions?
>
> Thanks,
>
> Chas Armstrong
>
>
>
Hacktool is not new, and its complement of payload programs are not
necessarily viruses. They *are* valid executables that can wreak havoc.
The whole description of Hacktool eludes me right now, but you have to
do some sleuthing at this point to recover full functionality.

Look *closely* at the 'Run' registry key(s), and the Task Manager, and
especially at the system Services applet. Look in Services for anything
that is either not described, or described in all lowercase letters or
misspelled words, or for duplicate Service entries, like two DNS
services. Look in the Windows (or Winnt)\System32\wbem directory and
subfolders for anything created in the timeframe the trouble started,
specifically folders with names like "joe" or "tools"... you get the
idea.

*Really* scrutinize the processes visible in Task Manager. Use a working
XP box as a reference, and chase down every unique process/filename
showing on the broken box. Assume nothing.

If indeed Hacktool was able to execute (and it probably was), you *will*
find something wrong in the 'Run' registry key (don't assume anything...
check). The last one I fixed started (as they all do) with a small
executable (probably in an email) that allowed tftp to open up a
channel whereby the crook was able to download 10Mb worth of Hacktool
programs, and the bastard basically *owned* the computer for about 3
months, undetected. The only thing that brought it to light for the
customer was when MSBlaster kept shutting down their computer and I
found Hacktool while I was fixing Blaster.

Hope this helps. Good hunting!

Les
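The checks Les lists (the Run keys, the Services applet, Task Manager compared against a known-good box, and anything recently created under System32\wbem), as an added PowerShell triage script that is not part of the original thread. It assumes a modern PowerShell host run from an elevated prompt, a baseline file at .\reference-processes.txt that you first export with -ExportBaseline on a clean reference machine, and a -TroubleStarted date you set to when the symptoms began (the 30-day default is an assumption). It only reads and reports; every line it prints is a lead to chase down by hand, not a verdict.

```powershell
# Added example: read-only triage of the autostart, service, process and wbem
# checks described in the thread. Not part of the original posts.
# Assumptions: PowerShell 5.1 or later, elevated prompt, baseline path below.
param(
    [string]$BaselinePath = ".\reference-processes.txt",   # assumed path, exported from a clean box
    [switch]$ExportBaseline,
    [datetime]$TroubleStarted = (Get-Date).AddDays(-30)    # assumed window; set to when symptoms began
)

# Step 0: on the reference machine, write the process image names out and stop.
if ($ExportBaseline) {
    Get-Process | ForEach-Object { $_.ProcessName.ToLower() } | Sort-Object -Unique |
        Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

# Step 1: autostart entries under Run/RunOnce for the machine and the current user.
# Every value is printed with its image path so each one can be verified.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "`n== Autostart (Run/RunOnce) entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's own PS* properties
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

# Step 2: services. Flag an empty description, an all-lowercase description,
# or a display name that appears more than once (the "two DNS services" case).
Write-Host "`n== Suspicious service entries =="
$services = Get-CimInstance -ClassName Win32_Service
$dupes = $services | Group-Object DisplayName | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Name }
foreach ($svc in $services) {
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($svc.Description)) {
        $reasons += 'no description'
    } elseif ($svc.Description -ceq $svc.Description.ToLower()) {   # -ceq is case-sensitive
        $reasons += 'all-lowercase description'
    }
    if ($dupes -contains $svc.DisplayName) { $reasons += 'duplicate display name' }
    if ($reasons.Count -gt 0) {
        "{0} [{1}] -> {2}  ({3})" -f $svc.Name, $svc.State, $svc.PathName, ($reasons -join '; ')
    }
}

# Step 3: processes running here that the reference box never showed.
Write-Host "`n== Processes not seen on the reference box =="
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath
    Get-Process |
        Where-Object { $baseline -notcontains $_.ProcessName.ToLower() } |
        Sort-Object ProcessName -Unique |
        Select-Object ProcessName, Id, Path
} else {
    Write-Warning "No baseline at $BaselinePath; run with -ExportBaseline on a clean machine first."
}

# Step 4: anything created under System32\wbem (and subfolders) since the trouble started.
$wbem = Join-Path $env:SystemRoot 'System32\wbem'
Write-Host "`n== Items under $wbem created after $TroubleStarted =="
Get-ChildItem -Path $wbem -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $TroubleStarted } |
    Select-Object FullName, CreationTime, Length
```

Run it once on the reference machine with `-ExportBaseline`, copy the resulting file to the suspect machine, then run it there with `-TroubleStarted` set to the date the "update" window first appeared. The process comparison is by image name only, so a payload that reuses a legitimate name will not show up in step 3; step 1 and step 4, which look at paths and creation times, are the checks that catch that case. Whatever turns up, the finding supports Susan's point rather than replacing it: the script helps you learn what ran and when, but the trustworthy end state is still a rebuild.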