
Re: Backdoor.IRC.Flood.E & Backdoor.Dvldr

From: Roger A. Grimes <rogerg(at)cox.net>
Date: Fri Jun 20 2003 - 11:20:01 EDT

Ok, some other questions.

After you re-installed the OS, did you apply all necessary patches offline before you connected the box to the Internet? If not, the trojan could get back in using a known exploit against the unpatched operating system and applications.

When the trojan is active, do you see other signs that the trojan is really there (and not just a false positive)? Is it opening ports? Run netstat -an with everything that might be connecting to the Internet (email, IE, IM, etc.) closed and see if any ports are active and listening. If so, trace those ports back to the offending executable or server (use Foundstone's fport or some other type of port enumerator).

My gut instinct tells me you've got a false-positive if you don't see other signs. Of course, we still don't have enough info to confirm, yet.

Roger




*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg@cox.net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
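The port check suggested in the reply above, as an added example that is not part of the original thread: parse a `netstat -ano` capture taken with every Internet-using program closed, join the PIDs to a process listing (as fport or a similar enumerator would report it), and list what still holds a socket. All sample output, paths and PIDs below are constructed.

```python
"""Triage helper for the netstat check: with all Internet-using applications
closed, parse a `netstat -ano` capture plus a PID-to-executable listing and
report what still listens or talks out. Sample data below is constructed."""

# Constructed netstat -ano output (the -o switch adds the owning PID column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       412
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.5:1044       203.0.113.9:6667       ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    8
"""

# Constructed PID -> image mapping, as fport or a similar enumerator reports it.
PROCESS_SAMPLE = {
    8: "System",
    412: r"C:\WINNT\system32\svchost.exe",
    1520: r"C:\WINNT\system32\unknown_svc.exe",  # placeholder name, not a real sample
}

# Ports a stock Windows 2000 box listens on; anything else warrants tracing.
EXPECTED_LISTENERS = {135, 139, 445}

def parse_netstat(text):
    """Return (proto, port, state, pid) for every socket row in a netstat -ano dump."""
    sockets = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue  # banner and column-header lines
        proto, local = tokens[0], tokens[1]
        port = int(local.rsplit(":", 1)[1])
        state = tokens[3] if proto == "TCP" else "-"  # UDP rows have no state column
        sockets.append((proto, port, state, int(tokens[-1])))
    return sockets

def suspicious_sockets(netstat_text, processes, expected=EXPECTED_LISTENERS):
    """Sockets listening on an unexpected port, or connected out while nothing
    legitimate should be online, each joined to its owning executable."""
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if (state == "LISTENING" and port not in expected) or state == "ESTABLISHED":
            findings.append((proto, port, state, pid, processes.get(pid, "<unknown pid>")))
    return findings

for row in suspicious_sockets(NETSTAT_SAMPLE, PROCESS_SAMPLE):
    print("%-3s port %-5d %-11s pid %-4d %s" % row)
```

The two flagged rows point at the same PID, which is the lead to trace back to an executable; a clean result with everything closed supports the false-positive theory.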


----- Original Message -----
From: "Curt Snow" <csnow@westerlyhospital.org>
To: <NC_Agent@kueppers-familie.de>; <focus-virus@securityfocus.com>; <mfossi@securityfocus.com>
Sent: Friday, June 20, 2003 10:06 AM
Subject: Re: Backdoor.IRC.Flood.E & Backdoor.Dvldr

Here's an update on what transpired, etc.

The machine was a Windows 2000 Professional PC.


There was no file sharing software on this machine such as KaZaa, etc. and she doesn't use any chat groups or chat programs at all.

Her internet connection is via Dial-up

The user was logging in as Administrator, with no password (very dangerous thing to do!)

After becoming bogged down by the Backdoor stuff, she also got infected with a variant of the lovgate virus. This particular virus brought the machine to its knees. Very little would function correctly once it became infected with this one.

I cleaned the lovgate virus and did a backup of all of her critical data, then partitioned and formatted the drive.

The OS and apps were then reinstalled and the machine was setup with 2 user accounts. The Administrator account, which now has a strong password (something other than 123456 or "password"), and a user account for her, which is passworded and is a member of the Power Users group (on the local machine... the machine is not on a network).

She has been instructed as to how to login using her password and seemed to be OK with the fact that she has to actually login to the machine.

A software firewall has also been installed.


These steps should prevent all of this mayhem from happening again.

Passwords, especially for Administrator accounts, are critical to the security of these machines!

>>> NC Agent <NC_Agent@kueppers-familie.de> 06/20 12:01 PM >>>
Hello,
Could you please give us some more information on the type of setup you are running:
What type of OS are you running?
Is the infected machine connected to a network? What level of internet connection does it operate? Do you have any security features enabled (apart from the virus scanner)? Do users chat over IRC, or use filesharing programs (Kazaa, WinMX etc) at all?
Having this information would help us get a better idea of how the virii may be reinfecting.

Kindest of regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security / Absolute Web Hosting Network Owner/Operator
Auckland
New Zealand

http://www.koreworks.com/
http://www.webhosting.net.nz/
http://www.buywebhosting.co.nz/





>From: "Curt Snow" 
>To: focus-virus@securityfocus.com, mfossi@securityfocus.com
>Subject: Backdoor.IRC.Flood.E & Backdoor.Dvldr
>Date: Wed, 04 Jun 2003 09:54:10 -0400
>MIME-Version: 1.0
>Received: from outgoing2.securityfocus.com ([205.206.231.26]) by
>mc2-f3.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Wed, 4 Jun
>2003 15:14:55 -0700
>Received: from lists.securityfocus.com (lists.securityfocus.com
>[205.206.231.19])by outgoing2.securityfocus.com (Postfix) with QMQPid
>E8A0C8F3A7; Wed,  4 Jun 2003 15:18:07 -0600 (MDT)
>Received: (qmail 4101 invoked from network); 4 Jun 2003 13:22:14 -0000
>X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
>Mailing-List: contact focus-virus-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: 
>List-Post: 
>List-Help: 
>List-Unsubscribe: 
>List-Subscribe: 
>Delivered-To: mailing list focus-virus@securityfocus.com
>Delivered-To: moderator for focus-virus@securityfocus.com
>Message-Id: <seddc1f1.013@westerlyhospital.org>
>X-Mailer: Novell GroupWise 5.2
>Return-Path: focus-virus-return-2109-koremeltdown=hotmail.com@securityfocus.com
>X-OriginalArrivalTime: 04 Jun 2003 22:14:55.0420 (UTC)
>FILETIME=[BA5FEFC0:01C32AE6]
>
>I have a user who has been "infected" with the above two Trojans. They have
>both been a real hassle to try to remove from her machine. I spent close to
>an hour a couple nights ago cleaning up the Backdoor.IRC.Flood.E Trojan,
>deleting any and all references to it in the file system and the registry,
>only to have it reappear again this morning.
>
>The Backdoor.Dvldr Trojan evades even being seen on the machine in the file
>system or in the registry, yet Norton continues to detect it.
>
>I have followed all instructions on the Symantec web site for cleaning
>these up, but to no avail.
>
>My biggest question at this point is "where do these Trojans get in... what
>is the method of infection? And of course how can I eradicate these things
>without resorting to a complete format and rebuild?
>
>Any and all help would be appreciated.
>
>
>---------------------------------------------------------------------------
>---------------------------------------------------------------------------
>






Received on Fri Jun 20 13:24:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT

