Just found out that our Windows 2000 server (on dial-up with dynamic IP;
all the Microsoft patches are installed) got infected by a virus that
executes WinMailNaq.exe and WinbmBozal.exe.

As Google, Google Groups, NAI, Sophos etc. have nothing, zilch, nada
about this virus, I'd like to know what kind of virus this is and how I
can secure my system in the future?

Anatomy:

1. WinMailNaq.exe is 13.856 bytes, WinbmBozal.exe is 1.617.411 bytes.

2. The first one doesn't have any meaningful resources to look at, the
second one is wrapped in PackageForTheWeb, its VERSIONINFO resource is
as follows:

VALUE "Comments", "Commodore forever
\000"
VALUE "CompanyName", "Immortal warez
\000"
VALUE "FileDescription", "C
\000"
VALUE "InternalName", "stub32
\000"
VALUE "OriginalFilename", "stub32i.exe
\000"
VALUE "FileVersion", "1.2
\000"
VALUE "LegalCopyright", "
\000"
VALUE "ProductName", "Commodore Interceptor
\000"
VALUE "ProductVersion", "1.2
\000"

3. The virus seems to get downloaded over Internet Explorer (the MRU
list of IE in the registry keeps some info). IE has NOT been used to
browse on this machine, with the exception of going to
windowsupdate.microsoft.com.

4. The virus creates c:\windows and c:\winnt\system32, puts a bunch of
files in there and then installs FireDaemon as a service. It also
replaces svchost with a svchost.exe file of its own.

5. Here are the contents of c:\windows:

13.03.2003 04:15 6 ircnick
13.03.2003 04:12 23.644 nickpool
18.03.2003 07:21 971.080 cygwin1.dll
24.10.2003 19:00 40 drone3.dat
02.05.2003 23:39 284 gen.reg
24.10.2003 19:00 255 servers
22.10.2003 20:45 148.992 svchost.exe
30.03.2003 14:37 19.968 echo.exe
30.03.2003 14:38 32.256 FireDaemon.exe
15.07.2004 17:21 59.392 ncx99.exe
14.02.2003 21:33 289.280 tcl84.dll
13.03.2003 04:27 126.464 wget.exe
30.03.2003 14:38 0 identd
18.07.2003 10:55 10.240 void.exe
13.03.2003 05:02 874 ntsvc.xml
23.10.2003 07:45 0 core
23.10.2003 07:45 7 user
23.10.2003 07:45 9 nick
23.10.2003 07:45 4 port
23.10.2003 08:37 5 pid.drone
24.10.2003 00:00 586 drone2.dat~bak
24.10.2003 19:00 586 drone2.dat

6. Here are the contents of c:\winnt\system32:

21.05.03 15:45 <DIR> haha
10.07.00 13:06 90.112 admdll.dll
3.07.02 14:50 29.696 hidden32.exe
9.05.03 15:03 13 nick.txt
8.07.00 7:29 29.408 raddrv.dll
27.04.03 12:36 275.456 Rar.exe
9.05.03 15:03 1.006 rmtcfg.cfg
24.07.01 16:15 241.664 r_server.exe
28.04.03 13:51 692 update1.bat

7. Here are the contents of c:\winnt\system32\haha:

21.05.03 15:37 1.028 bot.xdcc
24.07.02 0:53 904.008 cygwin1.dll
18.02.03 15:55 81.920 FireDaemon.exe
14.05.03 10:05 496 rb.bat
24.04.03 17:04 10 Regadd.bat
14.05.03 10:05 473 regadd.reg
14.05.03 10:06 85 sb.bat
16.11.02 13:37 189 secure.bat
24.07.02 2:51 5.632 SecureNetbios.exe
13.05.03 12:07 845 SERV-U.INI
24.07.02 0:51 228.940 setup.exe
11.04.03 9:37 227 sys.txt
11.04.03 9:37 1.015.296 winmgnt.exe
13.05.03 12:08 1.253 wm.txt

8. When the virus executes (it installs itself in the AutoRun portion of
the registry), it connects to one of several IRC servers and maxes out
the upload on my DSL connection. It also sometimes maxes out the CPU
time (this is an oldish P200 MMX used as a net proxy).

9. I removed it as follows (don't know if that was sufficient):

9a. Hang up the dial-up connection
9b. Kill WinMailNaq.exe in the Task Manager
9c. Stop FireDaemon in the Windows 2000 Services.
9d. Rename c:\windows to c:\windows.not
9e. Rename c:\winnt to c:\winnt.not
9f. Remove all traces of FireDaemon, svchost, WinMailNaq, and WinbmBozal
from the registry.

Snag: FireDaemon cannot be removed from all places in the registry
because the system prevents that.

OK, some of the above might be less-than-exact because I'm doing it all
from memory, but PLEASE someone tell me (a) what virus this is and (b)
how to prevent it from hitting the system again. (Yeah, I know, install
Linux. Looking at the files list, that might have been the ultimate
intention of those haxor dudes).

-mk

mk-nospam <(E-Mail Removed)> wrote in news:20031024143544.116$18
@news.newsreader.com:

> Just found out that our Windows 2000 server (on dial-up with dynamic
IP;
> all the Microsoft patches are installed) got infected by a virus that
> executes WinMailNaq.exe and WinbmBozal.exe.

What's does having all the patches installed have to do with anything? So
it was patched. It means nothing if one has not closed ports and
shutdown vulnerable services on a NT based O/S.

Did you *harden the O/S from being attacked. Was the machine setting out
on the Internet using an Admin account, just to name a couple of things?

Obviously, the worms were able to come in on open ports and services that
were running.

You indicate that you were on a dial-up connection. Was it assumed that
by being on a dial-up that the machine couldn't be attacked?

At this point, the machine has been compromised by a lot of stuff it
seems. How can you even trust the setup of the machine anymore?

Are you running without a FW on a vulnerable NT based O/S?

Duane

Duane Arnold wrote:
>
> What's does having all the patches installed have to do with
anything? So
> it was patched. It means nothing if one has not closed ports and
> shutdown vulnerable services on a NT based O/S.
>
> Did you *harden the O/S from being attacked. Was the machine setting out
> on the Internet using an Admin account, just to name a couple of things?
>
> Obviously, the worms were able to come in on open ports and services
that
> were running.
>
> You indicate that you were on a dial-up connection. Was it assumed that
> by being on a dial-up that the machine couldn't be attacked?
>
> At this point, the machine has been compromised by a lot of stuff it
> seems. How can you even trust the setup of the machine anymore?
>
> Are you running without a FW on a vulnerable NT based O/S?
>
> Duane
>
You are basically right, but:

1. This is just a proxy server running a SOCKS server and a mail server.
The machine is not used for anything else.

2. Both the SOCKS server and the mail server accept only connections on
the NIC that is hooked up to our LAN, not the card that connects to the
Internet.

3. All ports to the outside are closed, connections are only initiated
from our intranet. There is no ftp or web server running, the latest
RPC/DCOM fixes are installed, and thanks to grc.com, RPC is now
completely disabled. File/printer sharing is disabled on both the
internal and the net-visible NIC.

Help me understand: Why would I need a firewall software when the
machine does not listen on any inbound port? (OK, finger is open, gotta
investigate that).

-mk

> 1. This is just a proxy server running a SOCKS server and a mail
> server. The machine is not used for anything else.

I assumed that you had a connection to the Internet, since you mentioned
IE.
>
> 2. Both the SOCKS server and the mail server accept only connections
> on the NIC that is hooked up to our LAN, not the card that connects to
> the Internet.

The LAN side I find it even more vulnerable to attack from a machine
within the LAN, since most companies disregard protecting the machines on
the LAN side properly. In most cases, they just install the AV and leave
Windows workstations in their default vulnerable state. Most don't even
do the secuirty patches or SP(s), unless forced to do so.

>
> 3. All ports to the outside are closed, connections are only initiated
> from our intranet. There is no ftp or web server running, the latest
> RPC/DCOM fixes are installed, and thanks to grc.com, RPC is now
> completely disabled. File/printer sharing is disabled on both the
> internal and the net-visible NIC.

What's to say that a compromised workstation could not reach out and
attack machines on the LAN. So the services and ports on the machine were
closed to the Internet. But were they open to the Intranet?

>
> Help me understand: Why would I need a firewall software when the
> machine does not listen on any inbound port? (OK, finger is open,
> gotta investigate that).

I'll have to assume that since you're talking Intranet, Web services
were listening.

Well, I'll have to say that BlackIce server protection would be on that
server protecting it. Since it has Application Control using a baseline
method of inventorying every program element on the machine exe(s), dll
(s) ocx(s) etc. etc. Now, if the worm hit the server and tried to
execute, BI Application Control would have checked it against its program
inventory and stopped it notifying that a program was trying to execute
that was not in the inventory, giving one the chance to terminate the
execution.

Of course, nothing is 100% hack proof. One just does the best they can to
prevent it.

Duane

"mk-nospam" <(E-Mail Removed)> wrote:

> Just found out that our Windows 2000 server (on dial-up with dynamic IP;
> all the Microsoft patches are installed) got infected by a virus ...

No -- it has been "owned" by a skiddie.

IOW, security was somewhere between mind-bogglingly lax and entirely
missing, as nearly all of these things are done through one of two
_ancient_ security holes or through trivial bruteforcing of the admin
accopunt password (usually with such simple things as a null pwd,
"admin", "qwerty", "asdfg", "12345", etc, etc -- few of the scripts
or other automatic tools that do these "break-ins" try more than one
or two hundred passwords).

> ... that
> executes WinMailNaq.exe and WinbmBozal.exe.

And what does a contemporary _and_ up to date virus scanner say you
have?? You see, file names are generally quite useless as diagnostic
aids -- for the kind of stuff you are talking about here, a simple one
or two line change in a batch file changes the names of these things...

> As Google, Google Groups, NAI, Sophos etc. have nothing, zilch, nada
> about this virus, I'd like to know what kind of virus this is and how I
> can secure my system in the future?

It's not a virus.

It is an IRC-managed FTP warez or pron bot. Your machine was owned
(most likely by a script or even an automated self-spreading bot agent
-- self-spreading has been the new feature du jour for these things
for the last year or so) and has had an FTP server setup (probably to
distribute pron or warez).

> Anatomy:
>
> 1. WinMailNaq.exe is 13.856 bytes, WinbmBozal.exe is 1.617.411 bytes.
>
> 2. The first one doesn't have any meaningful resources to look at, the
> second one is wrapped in PackageForTheWeb, its VERSIONINFO resource is
> as follows:
<<snip>>
> 3. The virus seems to get downloaded over Internet Explorer (the MRU
> list of IE in the registry keeps some info). IE has NOT been used to
> browse on this machine, with the exception of going to
> windowsupdate.microsoft.com.
>
> 4. The virus creates c:\windows and c:\winnt\system32, puts a bunch of
> files in there and then installs FireDaemon as a service. It also
> replaces svchost with a svchost.exe file of its own.

Really?? _Replaces_ svchost.exe??? I'm surprised your machine even
works then...

Or did you mean it has a file of its own _also named_ svchost.exe??

_Quite_ a different thing!

> 5. Here are the contents of c:\windows:
>
> 13.03.2003 04:15 6 ircnick
> 13.03.2003 04:12 23.644 nickpool

Probably both some kind of coinfig files used by some active component
of this hydra...

> 18.03.2003 07:21 971.080 cygwin1.dll

One or more of the .EXEs will have been built under Cygwin, so needs the
Cygwin runtime...

> 24.10.2003 19:00 40 drone3.dat
> 02.05.2003 23:39 284 gen.reg
> 24.10.2003 19:00 255 servers

More config, etc files...

> 22.10.2003 20:45 148.992 svchost.exe
> 30.03.2003 14:37 19.968 echo.exe
> 30.03.2003 14:38 32.256 FireDaemon.exe

Can't say for sure for the first two (svchost.exe may be a RAT/backdoor)
but the last is the FireDaemon FTP server.

> 15.07.2004 17:21 59.392 ncx99.exe

Backdoor-ed version of netcat -- any vaguely recent (say, since January
last year??) AV should detect that...

> 14.02.2003 21:33 289.280 tcl84.dll

??? (another Cygwin runtime??)

> 13.03.2003 04:27 126.464 wget.exe

Commandline HTTP/FTP file-grabbing client.

> 30.03.2003 14:38 0 identd
> 18.07.2003 10:55 10.240 void.exe

???

> 13.03.2003 05:02 874 ntsvc.xml
> 23.10.2003 07:45 0 core
> 23.10.2003 07:45 7 user
> 23.10.2003 07:45 9 nick
> 23.10.2003 07:45 4 port
> 23.10.2003 08:37 5 pid.drone
> 24.10.2003 00:00 586 drone2.dat~bak
> 24.10.2003 19:00 586 drone2.dat

More config, etc files.

This is all very standard stuff for such bot net agents...

> 6. Here are the contents of c:\winnt\system32:
>
> 21.05.03 15:45 <DIR> haha
> 10.07.00 13:06 90.112 admdll.dll

???

> 3.07.02 14:50 29.696 hidden32.exe

Process hider (?).

> 9.05.03 15:03 13 nick.txt

Config file.

> 8.07.00 7:29 29.408 raddrv.dll

???

> 27.04.03 12:36 275.456 Rar.exe

It downlaods something RAR-archived and needs to unpack it...

> 9.05.03 15:03 1.006 rmtcfg.cfg

Config file.

> 24.07.01 16:15 241.664 r_server.exe

??? (Another backdoor and/or DDoS agent?)

> 28.04.03 13:51 692 update1.bat

Guess... 8-)

> 7. Here are the contents of c:\winnt\system32\haha:
>
> 21.05.03 15:37 1.028 bot.xdcc
> 24.07.02 0:53 904.008 cygwin1.dll
> 18.02.03 15:55 81.920 FireDaemon.exe
> 14.05.03 10:05 496 rb.bat
> 24.04.03 17:04 10 Regadd.bat
> 14.05.03 10:05 473 regadd.reg
> 14.05.03 10:06 85 sb.bat
> 16.11.02 13:37 189 secure.bat
> 24.07.02 2:51 5.632 SecureNetbios.exe
> 13.05.03 12:07 845 SERV-U.INI
> 24.07.02 0:51 228.940 setup.exe
> 11.04.03 9:37 227 sys.txt
> 11.04.03 9:37 1.015.296 winmgnt.exe
> 13.05.03 12:08 1.253 wm.txt

Hmmmm -- much teh same stuff, but not.

Odds are you have been hit by two _separate_ bot net agents.

No wonder your DSL is choking...

> 8. When the virus executes (it installs itself in the AutoRun portion of
> the registry), it connects to one of several IRC servers and maxes out
> the upload on my DSL connection. It also sometimes maxes out the CPU
> time (this is an oldish P200 MMX used as a net proxy).

Well, that tends to be how IRC-controlled FTP bot nets work, yes...

> 9. I removed it as follows (don't know if that was sufficient):
>
> 9a. Hang up the dial-up connection
> 9b. Kill WinMailNaq.exe in the Task Manager
> 9c. Stop FireDaemon in the Windows 2000 Services.
> 9d. Rename c:\windows to c:\windows.not
> 9e. Rename c:\winnt to c:\winnt.not
> 9f. Remove all traces of FireDaemon, svchost, WinMailNaq, and WinbmBozal
> from the registry.

Hmmmmm -- including the "normal" occurrences of svchost.exe??

The ones that start normal, necessary processes??

> Snag: FireDaemon cannot be removed from all places in the registry
> because the system prevents that.

Prevents how??

Do you mean that when you delete the entries they re-appear, either a
few seconds later, or after the next restart?

> OK, some of the above might be less-than-exact because I'm doing it all
> from memory, but PLEASE someone tell me (a) what virus this is and (b)
> how to prevent it from hitting the system again. (Yeah, I know, install
> Linux. Looking at the files list, that might have been the ultimate
> intention of those haxor dudes).

Well, there are "kitsets" for constructing these things and they have
options, and if the person using them is especially clueful (very rare)
they can also be "extended" with features not found in the components
from the kitset. As you have removed all evidence of precisely what
this was (and thus also, how it worked) we quite likely will never be
able to answer your specific questions.


--
Nick FitzGerald

On 2003-10-24, mk-nospam <(E-Mail Removed)> wrote:
> Just found out that our Windows 2000 server (on dial-up with dynamic IP;
> all the Microsoft patches are installed) got infected by a virus that
> executes WinMailNaq.exe and WinbmBozal.exe.
>
> As Google, Google Groups, NAI, Sophos etc. have nothing, zilch, nada
> about this virus, I'd like to know what kind of virus this is and how I
> can secure my system in the future?
>
> Anatomy:
>
> 1. WinMailNaq.exe is 13.856 bytes, WinbmBozal.exe is 1.617.411 bytes.
>
> 2. The first one doesn't have any meaningful resources to look at, the
> second one is wrapped in PackageForTheWeb, its VERSIONINFO resource is
> as follows:
>
> VALUE "Comments", "Commodore forever
> \000"
> VALUE "CompanyName", "Immortal warez
> \000"
> VALUE "FileDescription", "C
> \000"
> VALUE "InternalName", "stub32
> \000"
> VALUE "OriginalFilename", "stub32i.exe
> \000"
> VALUE "FileVersion", "1.2
> \000"
> VALUE "LegalCopyright", "
> \000"
> VALUE "ProductName", "Commodore Interceptor
> \000"
> VALUE "ProductVersion", "1.2
> \000"
>
> 3. The virus seems to get downloaded over Internet Explorer (the MRU
> list of IE in the registry keeps some info). IE has NOT been used to
> browse on this machine, with the exception of going to
> windowsupdate.microsoft.com.
>
> 4. The virus creates c:\windows and c:\winnt\system32, puts a bunch of
> files in there and then installs FireDaemon as a service. It also
> replaces svchost with a svchost.exe file of its own.
>
> 5. Here are the contents of c:\windows:
>
> 13.03.2003 04:15 6 ircnick
> 13.03.2003 04:12 23.644 nickpool
> 18.03.2003 07:21 971.080 cygwin1.dll
> 24.10.2003 19:00 40 drone3.dat
> 02.05.2003 23:39 284 gen.reg
> 24.10.2003 19:00 255 servers
> 22.10.2003 20:45 148.992 svchost.exe
> 30.03.2003 14:37 19.968 echo.exe
> 30.03.2003 14:38 32.256 FireDaemon.exe
> 15.07.2004 17:21 59.392 ncx99.exe
> 14.02.2003 21:33 289.280 tcl84.dll
> 13.03.2003 04:27 126.464 wget.exe
> 30.03.2003 14:38 0 identd
> 18.07.2003 10:55 10.240 void.exe
> 13.03.2003 05:02 874 ntsvc.xml
> 23.10.2003 07:45 0 core
> 23.10.2003 07:45 7 user
> 23.10.2003 07:45 9 nick
> 23.10.2003 07:45 4 port
> 23.10.2003 08:37 5 pid.drone
> 24.10.2003 00:00 586 drone2.dat~bak
> 24.10.2003 19:00 586 drone2.dat
>
> 6. Here are the contents of c:\winnt\system32:
>
> 21.05.03 15:45 <DIR> haha
> 10.07.00 13:06 90.112 admdll.dll
> 3.07.02 14:50 29.696 hidden32.exe
> 9.05.03 15:03 13 nick.txt
> 8.07.00 7:29 29.408 raddrv.dll
> 27.04.03 12:36 275.456 Rar.exe
> 9.05.03 15:03 1.006 rmtcfg.cfg
> 24.07.01 16:15 241.664 r_server.exe
> 28.04.03 13:51 692 update1.bat
>
> 7. Here are the contents of c:\winnt\system32\haha:
>
> 21.05.03 15:37 1.028 bot.xdcc
> 24.07.02 0:53 904.008 cygwin1.dll
> 18.02.03 15:55 81.920 FireDaemon.exe
> 14.05.03 10:05 496 rb.bat
> 24.04.03 17:04 10 Regadd.bat
> 14.05.03 10:05 473 regadd.reg
> 14.05.03 10:06 85 sb.bat
> 16.11.02 13:37 189 secure.bat
> 24.07.02 2:51 5.632 SecureNetbios.exe
> 13.05.03 12:07 845 SERV-U.INI
> 24.07.02 0:51 228.940 setup.exe
> 11.04.03 9:37 227 sys.txt
> 11.04.03 9:37 1.015.296 winmgnt.exe
> 13.05.03 12:08 1.253 wm.txt
>
> 8. When the virus executes (it installs itself in the AutoRun portion of
> the registry), it connects to one of several IRC servers and maxes out
> the upload on my DSL connection. It also sometimes maxes out the CPU
> time (this is an oldish P200 MMX used as a net proxy).
>
> 9. I removed it as follows (don't know if that was sufficient):
>
> 9a. Hang up the dial-up connection
> 9b. Kill WinMailNaq.exe in the Task Manager
> 9c. Stop FireDaemon in the Windows 2000 Services.
> 9d. Rename c:\windows to c:\windows.not
> 9e. Rename c:\winnt to c:\winnt.not
> 9f. Remove all traces of FireDaemon, svchost, WinMailNaq, and WinbmBozal
> from the registry.
>
> Snag: FireDaemon cannot be removed from all places in the registry
> because the system prevents that.
>
> OK, some of the above might be less-than-exact because I'm doing it all
> from memory, but PLEASE someone tell me (a) what virus this is and (b)
> how to prevent it from hitting the system again. (Yeah, I know, install
> Linux. Looking at the files list, that might have been the ultimate
> intention of those haxor dudes).
>
> -mk
>

First of most you need a good anti-virii program, second you need to
keep it running all the time on the machine or from a remote host to
scan files on the selected computer, and third you say that it is
downloaded with IE <-- well most all viruses are because they are
DL'ed by user mishaps and misleading articles telling you the wrong
information. below follows some links that may help you out.

http://www.centralcommand.com/
http://www.slackware.com/
http://www.freebsd.com/

PS: I been on and using the net constantly for roughly 10 years now and
have never been infected by one virus to this day that i did not want
to get infected by/or infected my self with... To say the least its
the computer users fault for most all infections of a virus unless
your machine had been hacked.

--
This e-mail may be privileged and/or confidential, and the sender
does not waive any related rights and obligations. Any distribution, use
or copying of this e-mail or the information it contains by other than an
intended recipient is unauthorized. If you received this e-mail in error,
please advise me (by return e-mail or otherwise) immediately.